Firefox ESR 60.5.0 not following certificates chain presented by server
Categories
(Core :: Security: PSM, defect)
People
(Reporter: ghost.orchid2001, Unassigned)
User Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/72.0.3626.81 Safari/537.36
Steps to reproduce:
Referencing https://bugzilla.mozilla.org/show_bug.cgi?id=1473573
With Firefox ESR 60.5.0 (32 bit), we are trying to implement Import Enterprise Roots for an internal CA.
We have an internal RootCA, which chains to Intermediate CA1, which will issue server certificates:
rootca -> ca1 -> server cert
I have attached the hierarchy as a picture.
On the server side, we have configured an Apache server to serve the server certificate and also the intermediate certificate.
We can verify that the server certificate and intermediate certificate are served correctly from the Firefox Insecure Connection Warning.
From the MOZ_LOG file, we can see that the Root CA certificate is imported successfully. But Firefox failed to follow the certificate chain, so the Insecure Connection Warning is displayed.
These are my debug log steps:
C:\Users\Hendry.Leo>set MOZ_LOG=pipnss:4,certverifier:4
C:\Users\Hendry.Leo>set MOZ_LOG_FILE=Desktop\moz.log
C:\Users\Hendry.Leo>"c:\Program Files (x86)\Mozilla Firefox\firefox.exe"
I will attach the moz.log file.
Actual results:
Firefox displays the Insecure Connection Warning
Expected results:
Firefox allows the connection as secure without any warning
Comment 1 • 5 years ago (Reporter)
The server HTTPS certificate
Comment 2 • 5 years ago (Reporter)
The intermediate CA certificate
Comment 3 • 5 years ago (Reporter)
The Root CA certificate, self signed, installed to Trusted Root Certificate Store
Comment 4 • 5 years ago (Reporter)
Comment on attachment 9041081: cert-intermediate.crt
The Intermediate CA certificate, installed to Intermediate Certificate Authority Store
Comment 5 • 5 years ago (Reporter)
Comment 6 • 5 years ago (Reporter)
Comment 7 • 5 years ago (Reporter)
The Error Detail
Comment 8 • 5 years ago (Reporter)
The same server with Chrome works
Comment 9 • 5 years ago (Reporter)
The error screenshot
Comment 10 • 5 years ago (Reporter)
Updated • 5 years ago (Reporter)
The issuer field of your server certificate is
C = ID, ST = Sumatera Utara, O = PT. VVF INDONESIA, OU = IT Operation, CN = ca1.vvfindonesia.local, emailAddress = hendry.leo@vvfltd.com
but the subject field of your intermediate certificate is
C = ID, ST = Sumatera Utara, O = PT. VVF INDONESIA, OU = IT Operation, CN = ca1.vvfindonesia.local
which means that the intermediate is not a valid issuer for the server certificate.
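Added example, not part of the bug thread or of Firefox's code: a Python sketch of the name-chaining comparison described in the comment above, run on the two names it quotes. The function names and the text-level normalization are assumptions made for illustration.

```python
# Added example: name chaining on DNs in OpenSSL's one-line text form.
# Simplification (assumption): values are compared after case folding and
# whitespace collapsing; a verifier compares the encoded names in the certs.

def parse_dn(text):
    """Split 'C = ID, O = Example' into an ordered list of (attribute, value)."""
    rdns = []
    for part in text.split(", "):
        attr, sep, value = part.partition(" = ")
        if sep:
            rdns.append((attr.strip(), value.strip()))
        elif rdns:
            # No ' = ': this piece is the tail of a value that contained ', '.
            prev_attr, prev_value = rdns.pop()
            rdns.append((prev_attr, prev_value + ", " + part))
        else:
            raise ValueError(f"malformed DN component: {part!r}")
    return rdns

def normalize(rdns):
    """Fold case and collapse whitespace in each value; keep RDN order."""
    return [(attr, " ".join(value.split()).casefold()) for attr, value in rdns]

def chain_mismatch(child_issuer, candidate_subject):
    """Return [] when the names chain, else a list of the differences."""
    issuer = normalize(parse_dn(child_issuer))
    subject = normalize(parse_dn(candidate_subject))
    if issuer == subject:
        return []
    issuer_map, subject_map = dict(issuer), dict(subject)
    diffs = []
    for attr, value in issuer:
        if attr not in subject_map:
            diffs.append(f"issuer has {attr}, subject does not")
        elif subject_map[attr] != value:
            diffs.append(f"{attr} differs")
    diffs += [f"subject has {attr}, issuer does not"
              for attr, _ in subject if attr not in issuer_map]
    return diffs or ["same attributes, different order or multiplicity"]

# The two names quoted in the comment above.
SERVER_ISSUER = ("C = ID, ST = Sumatera Utara, O = PT. VVF INDONESIA, "
                 "OU = IT Operation, CN = ca1.vvfindonesia.local, "
                 "emailAddress = hendry.leo@vvfltd.com")
INTERMEDIATE_SUBJECT = ("C = ID, ST = Sumatera Utara, O = PT. VVF INDONESIA, "
                        "OU = IT Operation, CN = ca1.vvfindonesia.local")

if __name__ == "__main__":
    for problem in chain_mismatch(SERVER_ISSUER, INTERMEDIATE_SUBJECT):
        print("not a valid issuer:", problem)
```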
Comment 12 • 5 years ago (Reporter)
Why would Chrome/IE/Windows allow this?
Any reference?
Comment 13 • 5 years ago (Reporter)