contact.taipei.gov.tw is not sending a complete certificate chain

Status: RESOLVED WORKSFORME
Type: defect
Priority: P5
Severity: normal
Reported: 3 years ago
Modified: 3 months ago

People: Reporter kikuo; Unassigned
Tracking: Firefox Tracking Flags (Not tracked)

Details

FF48 (tested on Windows/Linux) shows "An error occurred during a connection to contact.taipei.gov.tw. Peer's certificate has an invalid signature. Error code: SEC_ERROR_BAD_SIGNATURE" on this website [1], but Edge/Chrome are fine.

It's a Taiwan government official website. I think FF should treat it as valid.

[1] https://contact.taipei.gov.tw/cclm/clm/aspx/CLMG00000.aspx

Is there anyone in Taipei who can help?
Component: General → Security

Comment 1

3 years ago
Tim or :keeler, can you take a look?
Component: Security → Security: PSM
Flags: needinfo?(ttaubert)
Flags: needinfo?(dkeeler)
Product: Firefox → Core

Comment 2

3 years ago
TBH, the ssl labs reports don't look amazing - https://www.ssllabs.com/ssltest/analyze.html?d=contact.taipei.gov.tw&s=2001%3a4420%3a6006%3a36%3a0%3a0%3a0%3a30&latest and https://www.ssllabs.com/ssltest/analyze.html?d=contact.taipei.gov.tw&s=163.29.36.30 -- so without looking into it more deeply, it's totally plausible this is a configuration problem on the side of the Taiwanese government. There's also bug 1065896 where the government is applying to get their root included - it's possible that that is the cause of the problem here (though I would have expected a different error).

Comment 3

Long story short, the server is misconfigured because it isn't sending a complete certificate chain.

Here's what it's sending:

* an end-entity certificate with:
    subject "/C=TW/L=臺北市/O=市政府/OU=資訊局/CN=contact.taipei.gov.tw/serialNumber=0000000010021996"
            (L = Taipei City, O = City Government, OU = Department of Information Technology)
    issuer  "/C=TW/O=行政院/OU=政府憑證管理中心"
            (O = Executive Yuan, OU = Government Certification Authority, GCA)

* an intermediate certificate with:
    subject "/C=TW/O=行政院/OU=政府憑證管理中心"
            (O = Executive Yuan, OU = Government Certification Authority, GCA)
    issuer  "/C=TW/O=Government Root Certification Authority"

There is a root CA in Mozilla's DB with the subject "/C=TW/O=Government Root Certification Authority", but its key is not the one that signed the intermediate in question. There exists another certificate with the subject/issuer "/C=TW/O=Government Root Certification Authority" : https://crt.sh/?q=5C9137B9CFA3901F01693A2BE12A964BCB3823F9 that did sign that intermediate. This other intermediate was signed by the GRCA root in the DB ( https://crt.sh/?q=F48B11BFDEABBE94542071E641DE6BBE882B40B9 ). The reason Firefox is showing the "bad signature" error is because it's unaware of this other intermediate. It attempts to verify the signature on the first intermediate with the key from the root, which fails. With no other path options available, it just returns that error.
Component: Security: PSM → Desktop
Flags: needinfo?(ttaubert)
Flags: needinfo?(dkeeler)
Product: Core → Tech Evangelism
Summary: Taiwan government's website should be browsed correctly. → contact.taipei.gov.tw is not sending a complete certificate chain
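As an added illustration that is not part of this bug thread and uses none of the GRCA's real material, the Go program below rebuilds the situation David describes with freshly generated ECDSA keys: an old GRCA root that is the only trust anchor, a cross-certificate with the same GRCA subject that carries a new key and is signed by the old root, a GCA intermediate signed by the new key, and a leaf for contact.taipei.gov.tw. The distinguished names are copied from the thread; the keys, serial numbers, validity periods and the helper names (BuildChain, VerifyServed) are assumptions of this example. Go's path builder, like NSS, selects candidate issuers by subject name and only then checks the signature, so the leaf verifies only when the cross-certificate is among the certificates the server sends.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Distinguished names taken from the chain described in comment 3. All keys
// and certificates built here are throwaway test material (assumption), not GRCA's.
var (
	grcaName = pkix.Name{Country: []string{"TW"}, Organization: []string{"Government Root Certification Authority"}}
	gcaName  = pkix.Name{Country: []string{"TW"}, Organization: []string{"行政院"}, OrganizationalUnit: []string{"政府憑證管理中心"}}
	leafName = pkix.Name{Country: []string{"TW"}, CommonName: "contact.taipei.gov.tw"}
)

// Chain holds the certificates needed to reproduce the missing-cross-cert failure.
type Chain struct {
	OldRoot      *x509.Certificate // trust anchor in the browser root store (old GRCA key)
	Cross        *x509.Certificate // subject GRCA, carries the NEW GRCA key, signed by OldRoot
	Intermediate *x509.Certificate // GCA intermediate, signed by the new GRCA key (via Cross)
	Leaf         *x509.Certificate // end-entity for contact.taipei.gov.tw, signed by the GCA
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// caTemplate returns a CA certificate template with a one-day validity window (assumption).
func caTemplate(serial int64, subject pkix.Name) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// sign issues tmpl for public key pub, signed by signer, whose certificate is parent.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// BuildChain models the GRCA key rollover: two different keys share one subject
// name, and the only bridge between them is the cross-certificate.
func BuildChain() Chain {
	oldKey, newKey, gcaKey, leafKey := newKey(), newKey(), newKey(), newKey()

	rootTmpl := caTemplate(1, grcaName)
	oldRoot := sign(rootTmpl, rootTmpl, &oldKey.PublicKey, oldKey) // self-signed with the old key

	cross := sign(caTemplate(2, grcaName), oldRoot, &newKey.PublicKey, oldKey) // GRCA(new key) signed by GRCA(old key)
	inter := sign(caTemplate(3, gcaName), cross, &gcaKey.PublicKey, newKey)   // GCA signed by the new GRCA key

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(4),
		Subject:      leafName,
		DNSNames:     []string{"contact.taipei.gov.tw"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := sign(leafTmpl, inter, &leafKey.PublicKey, gcaKey)

	return Chain{OldRoot: oldRoot, Cross: cross, Intermediate: inter, Leaf: leaf}
}

// VerifyServed validates the leaf the way a client does: the root store holds only
// the old GRCA root, and the candidate intermediates are exactly what the server sent.
func VerifyServed(c Chain, served ...*x509.Certificate) ([][]*x509.Certificate, error) {
	roots := x509.NewCertPool()
	roots.AddCert(c.OldRoot)
	inters := x509.NewCertPool()
	for _, cert := range served {
		inters.AddCert(cert)
	}
	return c.Leaf.Verify(x509.VerifyOptions{
		DNSName:       "contact.taipei.gov.tw",
		Roots:         roots,
		Intermediates: inters,
	})
}

func main() {
	c := BuildChain()
	_, err := VerifyServed(c, c.Intermediate) // what the server does today: leaf + GCA only
	fmt.Println("without cross-cert:", err)
	chains, err := VerifyServed(c, c.Intermediate, c.Cross) // the fix: also send the GRCA cross-cert
	fmt.Println("with cross-cert:   ", err, "path length:", len(chains[0]))
}
```

The first call fails with an UnknownAuthorityError whose hint is the signature check against the old GRCA root, the same situation NSS reports as SEC_ERROR_BAD_SIGNATURE: the only candidate with the right subject name has the wrong key. The second call builds the four-certificate path leaf, GCA, GRCA cross-certificate, old GRCA root, which is why the server-side fix is simply to include the cross-certificate in the served chain. A client that already trusts the new GRCA key directly would instead stop at the intermediate and never need the cross-certificate, which is why browsers shipping a different root store (or caching the cross-certificate from an earlier visit) can succeed on the same server.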
Comment 4 (Reporter)

3 years ago
Thanks for Gijs's and David's explanations.
Bug 1065896 is now in Public Discussion phase 1; I think once it is fixed, this bug should be fixed too.
I just found that [1] is a website which includes the Spec/SOP document for the public key replacement of TW's GRCA.

[1] http://grca.nat.gov.tw/01-06.html
Depends on: 1065896
Priority: -- → P3
Priority: P3 → P5
Status: NEW → RESOLVED
Last Resolved: 3 months ago
Resolution: --- → WORKSFORME
Component: Desktop → Desktop
Product: Tech Evangelism → Web Compatibility