Closed Bug 1584552 Opened 5 years ago Closed 5 years ago

Firefox does not take into account certificates placed in Windows [Intermediate certification authorities] when security.enterprise_roots.enabled is true

Categories

(Core :: Security: PSM, defect)

defect
Not set
normal

RESOLVED DUPLICATE of bug 1473573

People

(Reporter: alexey, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/77.0.3865.90 Safari/537.36

Steps to reproduce:

I have a proxy with SSL interception. It has a certificate [ProxyCA] and it issues special child certificates at each request [ProxySUB]. For example, if you request google.com, it will create a certificate for google.com, and the client will see the proxy's certificate, not the real google certificate.

[ProxyCA] is issued by [IntermediateCA].
[IntermediateCA] is issued by [RootCA].

So the chain is [RootCA] -> [IntermediateCA] -> [ProxyCA] -> [ProxySUB]

[RootCA] is added to "Trusted Root certification authorities" of my Windows system.
[IntermediateCA] is added to "Intermediate certification authorities" of my Windows system.
[security.enterprise_roots.enabled] is set to true.
With CURL I saw that the proxy returns the [ProxyCA] and [ProxySUB] certificates during the TLS session.

I am trying to visit an https site through this proxy.

Actual results:

When I try to visit an https site, I get an error (SEC_ERROR_UNKNOWN_ISSUER).
But if I add [IntermediateCA] to "Trusted Root certification authorities", everything works well.

Expected results:

When I try to visit an https site, I must not get an error, even if there is an intermediate certificate in the certificate chain which is added to "Intermediate certification authorities" and not added to "Trusted Root certification authorities".
Firefox should take into account intermediate CAs when security.enterprise_roots.enabled is set to true.

Additional: IE11 and Chrome work as expected.
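
The chain described in the report can be rebuilt offline with OpenSSL to show why a client that trusts only [RootCA] cannot validate [ProxySUB] when the handshake carries just [ProxyCA]. This is an added example, not part of the bug report or of Firefox's code; the keys, file names and the helpers `issue`, `build_chain` and `chain_ok` are constructed for illustration, and OpenSSL's `-untrusted` file stands in for the Windows intermediate store.

```shell
#!/bin/sh
# Constructed lab chain using the report's names:
#   RootCA -> IntermediateCA -> ProxyCA -> ProxySUB
# All keys and certificates are throwaway test material generated here.

# issue NAME ISSUER EXTFILE SERIAL
# New key + CSR for NAME, signed by ISSUER (self-signed when NAME = ISSUER).
issue() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null || return 1
  if [ "$1" = "$2" ]; then
    openssl x509 -req -in "$1.csr" -signkey "$1.key" \
      -extfile "$3" -days 2 -out "$1.pem" 2>/dev/null
  else
    openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" \
      -set_serial "$4" -extfile "$3" -days 2 -out "$1.pem" 2>/dev/null
  fi
}

build_chain() {
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
  printf 'basicConstraints=CA:FALSE\n' > leaf.ext
  issue RootCA RootCA ca.ext 1 &&
  issue IntermediateCA RootCA ca.ext 2 &&
  issue ProxyCA IntermediateCA ca.ext 3 &&
  issue ProxySUB ProxyCA leaf.ext 4
}

# chain_ok EXTRA
# Validate ProxySUB as a client that trusts only RootCA. The proxy sends ProxyCA
# in the handshake; EXTRA is a PEM file of intermediates the client can find
# locally (or /dev/null when it has none).
chain_ok() {
  cat ProxyCA.pem "$1" > untrusted.pem
  openssl verify -CAfile RootCA.pem -untrusted untrusted.pem ProxySUB.pem >/dev/null 2>&1
}

cd "$(mktemp -d)" || exit 1
build_chain || { echo "openssl failed to build the test chain" >&2; exit 1; }

if chain_ok /dev/null; then echo "handshake certs only: OK"
else echo "handshake certs only: FAIL (no path to RootCA, cf. SEC_ERROR_UNKNOWN_ISSUER)"; fi
if chain_ok IntermediateCA.pem; then echo "plus local IntermediateCA: OK"
else echo "plus local IntermediateCA: FAIL"; fi
```

The same check against a live proxy needs the certificates it actually sends, which `openssl s_client -showcerts` prints.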

Dana, can you please take a look over this issue in order to validate it is properly triaged and all information needed is available to further advance the issue?

Component: Untriaged → Security
Flags: needinfo?(dkeeler)
Product: Firefox → Core
Version: other → unspecified

What version of Firefox are you running?

Component: Security → Security: PSM
Flags: needinfo?(dkeeler) → needinfo?(alexey)

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #3)

> What version of Firefox are you running?

It is 60.9.0esr (32 bit) under Windows 7

Flags: needinfo?(alexey)

Does it work in ESR 68?

Flags: needinfo?(alexey)

Seems to be working ok in ESR 68.1.0esr(32bit).

Flags: needinfo?(alexey)

Great - thanks!

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE