Closed Bug 1442907 Opened 7 years ago Closed 7 years ago

MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED on www.eurostar.com

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID
Tracking Flags:
Tracking Status
firefox60 --- affected

People

(Reporter: marco, Unassigned)

References

Details

When connecting to https://www.eurostar.com/, I'm seeing this error. https://www.eurostar.com/ Un vincolo regole aggiuntivo non è stato rispettato durante la validazione di questo certificato. HTTP Strict Transport Security: false HTTP Public Key Pinning: false Catena di certificati: -----BEGIN CERTIFICATE----- MIIE/jCCA+agAwIBAgIQVnGOFrkpeaRQxP2+NRWs0TANBgkqhkiG9w0BAQsFADBG MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEfMB0GA1UEAxMW R2VvVHJ1c3QgU0hBMjU2IFNTTCBDQTAeFw0xNTEwMjEwMDAwMDBaFw0xODA3MjYy MzU5NTlaMH4xCzAJBgNVBAYTAkdCMQ8wDQYDVQQIEwZMb25kb24xDzANBgNVBAcU BkxvbmRvbjEnMCUGA1UEChQeRXVyb3N0YXIgSW50ZXJuYXRpb25hbCBMaW1pdGVk MQswCQYDVQQLFAJJUzEXMBUGA1UEAxQOKi5ldXJvc3Rhci5jb20wggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDvRQ+jBDCgfO+DLMPpujReVcPHa4v+VEE CX80y5ogzpXPyPGXJ9E/bUe4PNtjlAB66EEFZPGY4hVCyusyEVbJ9f6vVs0rMvVd 2Y0Nh+2omstmqhrwWmD9pcb55/y7s3N0ww70k2baomv1B07dRa63Q/auJ12auMz2 SuvRbJqQIQPwcriw5tW2uqFGPMoPaDsEnyxpFn6eIMPhl/BTdznxGEN/fscDpF68 5V3pdMENZN1+8wflGgokFfvI0kp9+lrtwnIYHZJZbLfH/IhTry38GVnRt/fN1VI0 6QKMUSBtZ0NpatALQtnG9mRa+da4dGHce9X9Pl0hDLUWlasqvKkLAgMBAAGjggGu MIIBqjAnBgNVHREEIDAegg4qLmV1cm9zdGFyLmNvbYIMZXVyb3N0YXIuY29tMAkG A1UdEwQCMAAwDgYDVR0PAQH/BAQDAgWgMCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6 Ly9nai5zeW1jYi5jb20vZ2ouY3JsMIGdBgNVHSAEgZUwgZIwgY8GBmeBDAECAjCB hDA/BggrBgEFBQcCARYzaHR0cHM6Ly93d3cuZ2VvdHJ1c3QuY29tL3Jlc291cmNl cy9yZXBvc2l0b3J5L2xlZ2FsMEEGCCsGAQUFBwICMDUMM2h0dHBzOi8vd3d3Lmdl b3RydXN0LmNvbS9yZXNvdXJjZXMvcmVwb3NpdG9yeS9sZWdhbDAdBgNVHSUEFjAU BggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAUFGeO7YNP1h6dQAQMBEah cDSyD3IwVwYIKwYBBQUHAQEESzBJMB8GCCsGAQUFBzABhhNodHRwOi8vZ2ouc3lt Y2QuY29tMCYGCCsGAQUFBzAChhpodHRwOi8vZ2ouc3ltY2IuY29tL2dqLmNydDAN BgkqhkiG9w0BAQsFAAOCAQEAESJVxZB5yAgw0hmEVY1JdgwEKTVKyQnOuHPAjAsF w4S14k6aCnBcsQo6u23fkLmqJmqpg9e3ITGUTVz3AzKcgaK8tzSQtPt1gX8vqr1y yJ9vikZqcUpTjVW/OX+0DhxFiDhV7tNn0PhxDYqqLQCqoMThMlmo3SziN8ldxDaH n+BD8ERx/5Cy1CeyKS/OdJa+NEZ26pbK99fa3Vu1NmbeONtizu3wViaO+M5sFKWQ jOn/+MXSgobUgnnWijUdnICELDXuBRN4r7+CBCdVHsIqcBQntRDOIJkA6UEwC9cs IVBPzbRe5P3ntz0OxrMJPDqP0x6CkTmxu5/+HOFTvJu7FA== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIExzCCA6+gAwIBAgIQQYISfRLZxrMhOUMSVmQAuDANBgkqhkiG9w0BAQsFADCB mDELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xOTA3BgNVBAsT MChjKSAyMDA4IEdlb1RydXN0IEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25s eTE2MDQGA1UEAxMtR2VvVHJ1c3QgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhv cml0eSAtIEczMB4XDTEzMDUyMzAwMDAwMFoXDTIzMDUyMjIzNTk1OVowRjELMAkG A1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xHzAdBgNVBAMTFkdlb1Ry dXN0IFNIQTI1NiBTU0wgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQDGqQtdF6V9xs8q78Zm0UIeX4N4aJGv5qeL8B1EAQoZypzUix3hoZCjwVu011tq i/wOSR7CYin+gBU5i4EqJ7X7EqgFIgvFLPXZmN0WLztm52KiQzKsj7WFyFIGLFzA d/pn94PoXgWNyKuhFjKK0kDshjocI6mNtQDecr2FVf4GAWBdrbPgZXOlkhSelFZv k+6vqTowJUqOCYTvt9LV15tJzenAXmdxIqxQkEMgXaGjFYP9/Kc5vGtlSBJg/90j szqq9J+cN1NBokeTgTMJ5SLGyBxJoW6NzIOzms3qQ/IZ0yTLqCmuUsz0CCewhOrO J7XhNBNzklyHhirGsGg2rcsJAgMBAAGjggFcMIIBWDA7BggrBgEFBQcBAQQvMC0w KwYIKwYBBQUHMAGGH2h0dHA6Ly9wY2EtZzMtb2NzcC5nZW90cnVzdC5jb20wEgYD VR0TAQH/BAgwBgEB/wIBADBMBgNVHSAERTBDMEEGCmCGSAGG+EUBBzYwMzAxBggr BgEFBQcCARYlaHR0cDovL3d3dy5nZW90cnVzdC5jb20vcmVzb3VyY2VzL2NwczA7 BgNVHR8ENDAyMDCgLqAshipodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9HZW9UcnVz dFBDQS1HMy5jcmwwDgYDVR0PAQH/BAQDAgEGMCoGA1UdEQQjMCGkHzAdMRswGQYD VQQDExJWZXJpU2lnbk1QS0ktMi00MTYwHQYDVR0OBBYEFBRnju2DT9YenUAEDARG oXA0sg9yMB8GA1UdIwQYMBaAFMR5yo6hTgMdHNxr2zFblD4/MH8tMA0GCSqGSIb3 DQEBCwUAA4IBAQAQEOryENYIRuLBjz42WcgrD/5N7OP4tlYxeCXUdvII3e8/zYsc fqp//AuoI2RRs4fWCfoi+scKUejOuPYDcOAbWrmxspMREPmXBQcpbG1XJVTo+Wab Dvvbn+6Wb2XLH9hVzjH6zwL00H9QZv8veZulwt/Wz8gVg5aEmLJG1F8TqD6nNJwF ONrP1mmVqSaHdgHXslEPgWlGJhyZtoNY4ztYj9y0ccC5v0KcHAOe5Eao6rnBzfZb qTyW+3mkM3Onnni5cNxydMQyyAAbye9I0/s6m/r+eppAaRzI2ig3C9OjuX6WzCso w1Zsb+nbUrH6mvvnr7WXpiLDxaiTsQDJB7J9 -----END CERTIFICATE----- Mihai is instead seeing SEC_ERROR_UNKNOWN_ISSUES (and his Nightly says the site uses HSTS).
I get the following: https://www.eurostar.com/ Peer’s Certificate issuer is not recognized. HTTP Strict Transport Security: true HTTP Public Key Pinning: false Certificate chain: -----BEGIN CERTIFICATE----- MIIE/jCCA+agAwIBAgIQVnGOFrkpeaRQxP2+NRWs0TANBgkqhkiG9w0BAQsFADBG MQswCQYDVQQGEwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEfMB0GA1UEAxMW R2VvVHJ1c3QgU0hBMjU2IFNTTCBDQTAeFw0xNTEwMjEwMDAwMDBaFw0xODA3MjYy MzU5NTlaMH4xCzAJBgNVBAYTAkdCMQ8wDQYDVQQIEwZMb25kb24xDzANBgNVBAcU BkxvbmRvbjEnMCUGA1UEChQeRXVyb3N0YXIgSW50ZXJuYXRpb25hbCBMaW1pdGVk MQswCQYDVQQLFAJJUzEXMBUGA1UEAxQOKi5ldXJvc3Rhci5jb20wggEiMA0GCSqG SIb3DQEBAQUAA4IBDwAwggEKAoIBAQDDvRQ+jBDCgfO+DLMPpujReVcPHa4v+VEE CX80y5ogzpXPyPGXJ9E/bUe4PNtjlAB66EEFZPGY4hVCyusyEVbJ9f6vVs0rMvVd 2Y0Nh+2omstmqhrwWmD9pcb55/y7s3N0ww70k2baomv1B07dRa63Q/auJ12auMz2 SuvRbJqQIQPwcriw5tW2uqFGPMoPaDsEnyxpFn6eIMPhl/BTdznxGEN/fscDpF68 5V3pdMENZN1+8wflGgokFfvI0kp9+lrtwnIYHZJZbLfH/IhTry38GVnRt/fN1VI0 6QKMUSBtZ0NpatALQtnG9mRa+da4dGHce9X9Pl0hDLUWlasqvKkLAgMBAAGjggGu MIIBqjAnBgNVHREEIDAegg4qLmV1cm9zdGFyLmNvbYIMZXVyb3N0YXIuY29tMAkG A1UdEwQCMAAwDgYDVR0PAQH/BAQDAgWgMCsGA1UdHwQkMCIwIKAeoByGGmh0dHA6 Ly9nai5zeW1jYi5jb20vZ2ouY3JsMIGdBgNVHSAEgZUwgZIwgY8GBmeBDAECAjCB hDA/BggrBgEFBQcCARYzaHR0cHM6Ly93d3cuZ2VvdHJ1c3QuY29tL3Jlc291cmNl cy9yZXBvc2l0b3J5L2xlZ2FsMEEGCCsGAQUFBwICMDUMM2h0dHBzOi8vd3d3Lmdl b3RydXN0LmNvbS9yZXNvdXJjZXMvcmVwb3NpdG9yeS9sZWdhbDAdBgNVHSUEFjAU BggrBgEFBQcDAQYIKwYBBQUHAwIwHwYDVR0jBBgwFoAUFGeO7YNP1h6dQAQMBEah cDSyD3IwVwYIKwYBBQUHAQEESzBJMB8GCCsGAQUFBzABhhNodHRwOi8vZ2ouc3lt Y2QuY29tMCYGCCsGAQUFBzAChhpodHRwOi8vZ2ouc3ltY2IuY29tL2dqLmNydDAN BgkqhkiG9w0BAQsFAAOCAQEAESJVxZB5yAgw0hmEVY1JdgwEKTVKyQnOuHPAjAsF w4S14k6aCnBcsQo6u23fkLmqJmqpg9e3ITGUTVz3AzKcgaK8tzSQtPt1gX8vqr1y yJ9vikZqcUpTjVW/OX+0DhxFiDhV7tNn0PhxDYqqLQCqoMThMlmo3SziN8ldxDaH n+BD8ERx/5Cy1CeyKS/OdJa+NEZ26pbK99fa3Vu1NmbeONtizu3wViaO+M5sFKWQ jOn/+MXSgobUgnnWijUdnICELDXuBRN4r7+CBCdVHsIqcBQntRDOIJkA6UEwC9cs IVBPzbRe5P3ntz0OxrMJPDqP0x6CkTmxu5/+HOFTvJu7FA== -----END CERTIFICATE----- -----BEGIN CERTIFICATE----- MIIExzCCA6+gAwIBAgIQQYISfRLZxrMhOUMSVmQAuDANBgkqhkiG9w0BAQsFADCB mDELMAkGA1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xOTA3BgNVBAsT MChjKSAyMDA4IEdlb1RydXN0IEluYy4gLSBGb3IgYXV0aG9yaXplZCB1c2Ugb25s eTE2MDQGA1UEAxMtR2VvVHJ1c3QgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhv cml0eSAtIEczMB4XDTEzMDUyMzAwMDAwMFoXDTIzMDUyMjIzNTk1OVowRjELMAkG A1UEBhMCVVMxFjAUBgNVBAoTDUdlb1RydXN0IEluYy4xHzAdBgNVBAMTFkdlb1Ry dXN0IFNIQTI1NiBTU0wgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIB AQDGqQtdF6V9xs8q78Zm0UIeX4N4aJGv5qeL8B1EAQoZypzUix3hoZCjwVu011tq i/wOSR7CYin+gBU5i4EqJ7X7EqgFIgvFLPXZmN0WLztm52KiQzKsj7WFyFIGLFzA d/pn94PoXgWNyKuhFjKK0kDshjocI6mNtQDecr2FVf4GAWBdrbPgZXOlkhSelFZv k+6vqTowJUqOCYTvt9LV15tJzenAXmdxIqxQkEMgXaGjFYP9/Kc5vGtlSBJg/90j szqq9J+cN1NBokeTgTMJ5SLGyBxJoW6NzIOzms3qQ/IZ0yTLqCmuUsz0CCewhOrO J7XhNBNzklyHhirGsGg2rcsJAgMBAAGjggFcMIIBWDA7BggrBgEFBQcBAQQvMC0w KwYIKwYBBQUHMAGGH2h0dHA6Ly9wY2EtZzMtb2NzcC5nZW90cnVzdC5jb20wEgYD VR0TAQH/BAgwBgEB/wIBADBMBgNVHSAERTBDMEEGCmCGSAGG+EUBBzYwMzAxBggr BgEFBQcCARYlaHR0cDovL3d3dy5nZW90cnVzdC5jb20vcmVzb3VyY2VzL2NwczA7 BgNVHR8ENDAyMDCgLqAshipodHRwOi8vY3JsLmdlb3RydXN0LmNvbS9HZW9UcnVz dFBDQS1HMy5jcmwwDgYDVR0PAQH/BAQDAgEGMCoGA1UdEQQjMCGkHzAdMRswGQYD VQQDExJWZXJpU2lnbk1QS0ktMi00MTYwHQYDVR0OBBYEFBRnju2DT9YenUAEDARG oXA0sg9yMB8GA1UdIwQYMBaAFMR5yo6hTgMdHNxr2zFblD4/MH8tMA0GCSqGSIb3 DQEBCwUAA4IBAQAQEOryENYIRuLBjz42WcgrD/5N7OP4tlYxeCXUdvII3e8/zYsc fqp//AuoI2RRs4fWCfoi+scKUejOuPYDcOAbWrmxspMREPmXBQcpbG1XJVTo+Wab Dvvbn+6Wb2XLH9hVzjH6zwL00H9QZv8veZulwt/Wz8gVg5aEmLJG1F8TqD6nNJwF ONrP1mmVqSaHdgHXslEPgWlGJhyZtoNY4ztYj9y0ccC5v0KcHAOe5Eao6rnBzfZb qTyW+3mkM3Onnni5cNxydMQyyAAbye9I0/s6m/r+eppAaRzI2ig3C9OjuX6WzCso w1Zsb+nbUrH6mvvnr7WXpiLDxaiTsQDJB7J9 -----END CERTIFICATE-----
Blocks: 1434300
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → INVALID
FWIW, this was due to https://blog.mozilla.org/security/2018/03/12/distrust-symantec-tls-certificates/ As of March 12, EuroStar updated to a new DigiCert certificate.
You need to log in before you can comment on or make changes to this bug.