Closed
Bug 1441194
Opened 8 years ago
Closed 8 years ago
Can't connect secure sites, all intermediary certificate authorities in the software token were unmarked as trusted for website identity
Categories
(Core :: Security: PSM, defect)
Tracking
RESOLVED
WORKSFORME
| | Tracking | Status |
|---|---|---|
| firefox60 | --- | affected |
People
(Reporter: mayhemer, Unassigned)
This has happened recently (a few days ago) on Nightly, on two different profiles I use. When I manually mark the certificates as trusted for website identification, I can connect w/o errors but EV status is not displayed (connection treated only as DV).
One example URL: https://acs.sia.eu/
Comment 1 (Reporter) • 8 years ago
Another example URL: https://secure.gopay.com/
Comment 3 • 8 years ago
Is this just due to the symantec roots distrust process ( https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/FLHRT79e3XE/discussion ) or is there another bug here?
Flags: needinfo?(honzab.moz)
Comment 4 (Reporter) • 8 years ago
(In reply to David Keeler [:keeler] (use needinfo) from comment #3)
> Is this just due to the symantec roots distrust process ( https://groups.google.com/forum/#!topic/mozilla.dev.security.policy/FLHRT79e3XE/discussion ) or is there another bug here?
probably.
anyway, trying with a fresh profile and up to date nightly I'm getting the following:
- https://acs.sia.eu/: SEC_ERROR_UNKNOWN_ISSUER with ability to add an exception. the cert chain is:
  - CN=VeriSign Class 3 Public Primary Certification Authority - G5 (built-in, trusted)
  - CN=Symantec Class 3 EV SSL CA - G3 [valid not before 31 October 2013] (not in the database at all)
  - this is all likely EXPECTED
- https://secure.gopay.com/: no error + EV status, but there is one discrepancy that is not clear to me whether it's a bug or what; the cert chain is:
  - CN=DigiCert High Assurance EV Root CA (built-in, trusted)
  - CN=GeoTrust EV RSA CA 2018 (in the software token,
    UNEXPECTED: NOT TRUSTED to ident web sites nor emails
    UNEXPECTED: listed under DigiCert company in the authorities list
Flags: needinfo?(honzab.moz)
Comment 5 • 8 years ago
Intermediates inherit trust from their issuers - they aren't trusted themselves. I think what you're seeing is the expected behavior.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
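The trust inheritance described in comment 5, as an added illustration that is not part of the bug thread and is not Firefox or NSS code: a simplified, name-only path builder run over a constructed store that uses the CA names quoted in comment 4. The `Trust` states, `build_path` and `make_store` are hypothetical names, and real path building also checks signatures, validity dates and constraints, which this model omits.

```python
from dataclasses import dataclass
from enum import Enum

class Trust(Enum):
    ANCHOR = "explicitly trusted for website identity"
    INHERIT = "no trust bits of its own"
    DISTRUSTED = "explicitly distrusted"

@dataclass(frozen=True)
class CA:
    subject: str
    issuer: str   # equals subject for a self-signed root
    trust: Trust

def build_path(leaf_issuer, store, max_depth=8):
    """Return (status, visited CA subjects); simplified name-only model."""
    path, name = [], leaf_issuer
    while len(path) < max_depth:
        ca = store.get(name)
        if ca is None or name in path:   # issuer missing from store, or a loop
            return "unknown_issuer", path
        path.append(name)
        if ca.trust is Trust.DISTRUSTED:
            return "distrusted", path
        if ca.trust is Trust.ANCHOR:     # the first anchor ends the search
            return "trusted", path
        if ca.issuer == ca.subject:      # self-signed but not an anchor
            return "unknown_issuer", path
        name = ca.issuer                 # INHERIT: defer to the issuer
    return "unknown_issuer", path

# Constructed store; names and issuer relationships are from comment 4.
DIGICERT = "DigiCert High Assurance EV Root CA"
GEOTRUST = "GeoTrust EV RSA CA 2018"
VERISIGN = "VeriSign Class 3 Public Primary Certification Authority - G5"
SYMANTEC = "Symantec Class 3 EV SSL CA - G3"

def make_store(geotrust_trust=Trust.INHERIT):
    cas = [CA(DIGICERT, DIGICERT, Trust.ANCHOR),
           CA(VERISIGN, VERISIGN, Trust.ANCHOR),
           CA(GEOTRUST, DIGICERT, geotrust_trust)]  # SYMANTEC deliberately absent
    return {ca.subject: ca for ca in cas}

if __name__ == "__main__":
    print(build_path(GEOTRUST, make_store()))              # untrusted intermediate still validates
    print(build_path(SYMANTEC, make_store()))              # issuer not in the store
    print(build_path(GEOTRUST, make_store(Trust.ANCHOR)))  # path stops at the intermediate
```

In this model, marking the intermediate as trusted moves the anchor from the built-in root to the intermediate itself; whether that accounts for the lost EV indicator in the description is an assumption the thread does not confirm. The missing-issuer case assumes the server does not supply the intermediate either, which the page does not state.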
Comment 6 (Reporter) • 8 years ago
(In reply to David Keeler [:keeler] (use needinfo) from comment #5)
> Intermediates inherit trust from their issuers - they aren't trusted
> themselves. I think what you're seeing is the expected behavior.
Yesterday I had to manually add an exception for https://acs.sia.eu/ to make a 3d-secured card payment. Is that expected?
Flags: needinfo?(dkeeler)
Comment 7 • 8 years ago
Yes - looks like another site affected by the symantec roots distrust. You can get around this for now by setting "security.pki.distrust_ca_policy" to 0.
Flags: needinfo?(dkeeler)