Closed Bug 1524903 Opened 5 years ago Closed 5 years ago

Firefox ESR 60.5.0 not following certificates chain presented by server

Categories

(Core :: Security: PSM, defect)

65 Branch
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: ghost.orchid2001, Unassigned)

Attachments

(11 files)

Attached image cert-chain.png

User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36

Steps to reproduce:

Referencing https://bugzilla.mozilla.org/show_bug.cgi?id=1473573

With Firefox ESR 60.5.0 (32 bit), we are trying to implement Import Enterprise Roots for an internal CA.
We have an internal RootCA, which chains to Intermediate CA1, which will issue server certificates:
rootca -> ca1 -> server cert

I have attached the hierarchy as a picture.

From the server side, we have configured an Apache server to serve the server certificate and also the intermediate certificate.
We can verify that the server certificate and intermediate certificate are served correctly from the Firefox Insecure Connection Warning.

From the MOZ_LOG file, we can see that the Root CA certificate is imported successfully. But Firefox failed to follow the certificate chain, so the Insecure Connection Warning is displayed.
These are my debug log steps:
C:\Users\Hendry.Leo>set MOZ_LOG=pipnss:4,certverifier:4
C:\Users\Hendry.Leo>set MOZ_LOG_FILE=Desktop\moz.log
C:\Users\Hendry.Leo>"c:\Program Files (x86)\Mozilla Firefox\firefox.exe"

I will attach the moz.log file

Actual results:

Firefox displays the Insecure Connection Warning

Expected results:

Firefox allows the connection as secure without any warning

Attached file cert-server.crt

the server https certificate

Attached file cert-intermediate.crt

the intermediate CA certificate

Attached file cert-rootca.crt

The Root CA certificate, self signed, installed to Trusted Root Certificate Store

Comment on attachment 9041081
cert-intermediate.crt

The Intermediate CA certificate, installed to Intermediate Certificate Authority Store

The Error Detail

Attached image cert-chrome.png

The same server with Chrome works

Attached image cert-ff-esr-60.5.png

The error screenshot

Attached file moz.log
Component: Untriaged → Security: PSM
Product: Firefox → Core

The issuer field of your server certificate is

C = ID, ST = Sumatera Utara, O = PT. VVF INDONESIA, OU = IT Operation, CN = ca1.vvfindonesia.local, emailAddress = hendry.leo@vvfltd.com

but the subject field of your intermediate certificate is

C = ID, ST = Sumatera Utara, O = PT. VVF INDONESIA, OU = IT Operation, CN = ca1.vvfindonesia.local

which means that the intermediate is not a valid issuer for the server certificate.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → INVALID
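
Added example, not part of the bug thread or of Firefox's code: a small Python check that compares the two distinguished names quoted in the comment above, attribute by attribute, and reports where the server certificate's issuer stops matching the intermediate's subject. It assumes the names are given as OpenSSL-style `K = V, K = V` text and compares them as strings, which is a simplification of the comparison a verifier performs on the encoded names; the function names are hypothetical.

```python
import re

# The two names exactly as quoted in the comment above.
SERVER_ISSUER = ("C = ID, ST = Sumatera Utara, O = PT. VVF INDONESIA, "
                 "OU = IT Operation, CN = ca1.vvfindonesia.local, "
                 "emailAddress = hendry.leo@vvfltd.com")
INTERMEDIATE_SUBJECT = ("C = ID, ST = Sumatera Utara, O = PT. VVF INDONESIA, "
                        "OU = IT Operation, CN = ca1.vvfindonesia.local")

# Split only on commas that are followed by "attr =", so a value such as
# "Example, Inc." is not cut in half.
_RDN_SPLIT = re.compile(r",\s*(?=[A-Za-z][A-Za-z0-9.]*\s*=)")


def parse_dn(dn):
    """Return the name as an ordered list of (attribute, value) pairs."""
    rdns = []
    for part in _RDN_SPLIT.split(dn.strip()):
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError(f"malformed name component: {part!r}")
        rdns.append((attr.strip(), value.strip()))
    return rdns


def name_chain_diff(child_issuer, candidate_subject):
    """List (position, issuer_rdn, subject_rdn) for every mismatch.

    An empty list means the candidate's subject equals the child's issuer,
    i.e. the candidate can be considered as the issuing certificate.
    """
    issuer, subject = parse_dn(child_issuer), parse_dn(candidate_subject)
    diffs = []
    for i in range(max(len(issuer), len(subject))):
        left = issuer[i] if i < len(issuer) else None
        right = subject[i] if i < len(subject) else None
        if left != right:
            diffs.append((i, left, right))
    return diffs


if __name__ == "__main__":
    for pos, left, right in name_chain_diff(SERVER_ISSUER, INTERMEDIATE_SUBJECT):
        print(f"component {pos}: issuer has {left}, subject has {right}")
```
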

Why would Chrome/IE/Windows allow this?
Any reference?
