FF 71.0b12 fails to accept a certificate chain accepted by FF 70.1
Categories: Core :: Security: PSM, defect
People: Reporter: Tyson, Unassigned
Attachments: 1 file
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0
Steps to reproduce:
Tried to open an (internal) HTTPS page.
Actual results:
Firefox 71.0b12 brought up:
- when run as "Firefox.app", an error message indicating "SSL_ERROR_EXPIRED_CERT_ALERT"
- when run as "Firefox71.0b12.app", a warning that the site was not secure. When I drilled down, the error was "Peer’s Certificate issuer is not recognized."
Expected results:
Firefox should have accepted the certificate chain, and securely opened the web page as it does in FF71.0 and FF68.0.2esr.
Another user reported this problem. I have confirmed it for myself so I could report it to Mozilla.
Under preferences, FF 71.0b12 shows the top level certificate of the offered chain (attached) as an authority. All dates appear valid to my naive eye and my computer has the correct time.
Note: this site is probably not accessible to you as it requires authentication (that I do not control).
Comment 1•4 years ago
In the latest Nightly, the error message is SSL_ERROR_UNSUPPORTED_VERSION, accompanied by an explanation that the site doesn't support TLS 1.2. SSL Labs report confirms this:
That server isn't sending the right intermediate certificates for Firefox to be able to find a trusted path to a root certificate (in fact, it's sending an old SHA-1 intermediate). This is being addressed by intermediate preloading, so I'll mark it as a duplicate.
Additionally, and arguably more problematically, it doesn't support TLS 1.2, as Gingerbread Man has pointed out. All browsers are disabling TLS versions earlier than 1.2 early next year, so this site will not work in any browser at that time. If you can, contact the people in charge of that server and tell them they need to update its configuration to support modern cryptography.
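To make the mechanism in the previous comment concrete, here is an added example (not code from the bug report, from Firefox, or from Mozilla's PSM module): a small Python model of browser-style certificate path building with a constructed trust store and a constructed pool of preloaded intermediates, plus a stdlib probe that connects the way a current browser does (TLS 1.2 as the floor, full chain verification). Every certificate name in it (`Example Root CA`, `Example Intermediate G1`/`G2`, `internal.example.test`) and the fixed evaluation date are assumptions made for the example.

```python
"""Added example, not code from the bug report or from Mozilla's PSM.
Offline model of browser-style certificate path building: it shows why a
server that omits its intermediate certificate yields "issuer is not
recognized", why a preloaded-intermediate pool repairs that, and how an old
SHA-1 intermediate is flagged.  All names below are constructed placeholders."""
from dataclasses import dataclass
from datetime import datetime, timezone
import socket
import ssl

UTC = timezone.utc


@dataclass(frozen=True)
class Cert:
    """Only the fields that path building needs, not a real X.509 parse."""
    subject: str
    issuer: str
    sig_alg: str        # e.g. "sha256WithRSAEncryption" or "sha1WithRSAEncryption"
    not_after: datetime


# Constructed trust store (keyed by subject) and preloaded-intermediate pool.
ROOTS = {
    "Example Root CA": Cert("Example Root CA", "Example Root CA",
                            "sha256WithRSAEncryption", datetime(2038, 1, 1, tzinfo=UTC)),
}
PRELOADED = [
    Cert("Example Intermediate G2", "Example Root CA",
         "sha256WithRSAEncryption", datetime(2030, 1, 1, tzinfo=UTC)),
]


def build_path(sent, roots=ROOTS, preloaded=(), now=None, max_len=8):
    """Chain from the server-sent leaf (sent[0]) up to a trusted root.

    Each issuer is looked up first in the trust store, then among the other
    certificates the server sent, then in the preloaded pool.  Returns
    (path, problems); an empty problem list means the path is acceptable."""
    now = now or datetime.now(UTC)
    pool = {}
    for cert in list(sent[1:]) + list(preloaded):
        pool.setdefault(cert.subject, cert)
    path, problems = [sent[0]], []
    while len(path) < max_len:
        cur = path[-1]
        if cur.not_after < now:
            problems.append(f"expired: {cur.subject}")
        if cur.sig_alg.lower().startswith("sha1"):
            problems.append(f"weak signature (SHA-1): {cur.subject}")
        if cur.issuer in roots:
            path.append(roots[cur.issuer])     # trust anchor reached
            return path, problems
        nxt = pool.get(cur.issuer)
        if nxt is None or nxt in path:         # no issuer available, or a loop
            problems.append(f"issuer is not recognized: {cur.issuer}")
            return path, problems
        path.append(nxt)
    problems.append("path too long")
    return path, problems


def demo_scenarios(now=datetime(2019, 12, 1, tzinfo=UTC)):
    """Four constructed server behaviours evaluated at a fixed date."""
    leaf = Cert("internal.example.test", "Example Intermediate G2",
                "sha256WithRSAEncryption", datetime(2020, 6, 1, tzinfo=UTC))
    old_int = Cert("Example Intermediate G1", "Example Root CA",
                   "sha1WithRSAEncryption", datetime(2025, 1, 1, tzinfo=UTC))
    leaf_old = Cert("internal.example.test", "Example Intermediate G1",
                    "sha256WithRSAEncryption", datetime(2020, 6, 1, tzinfo=UTC))
    expired = Cert("internal.example.test", "Example Intermediate G2",
                   "sha256WithRSAEncryption", datetime(2019, 1, 1, tzinfo=UTC))
    return {
        "leaf only, no preload": build_path([leaf], now=now),
        "leaf only, with preload": build_path([leaf], preloaded=PRELOADED, now=now),
        "leaf + old SHA-1 intermediate": build_path([leaf_old, old_int], now=now),
        "expired leaf, with preload": build_path([expired], preloaded=PRELOADED, now=now),
    }


def probe_tls(host, port=443, timeout=5.0):
    """Live check (needs network): connect as a modern browser would, with
    TLS 1.2 as the floor and full chain verification.  Raises
    ssl.SSLCertVerificationError for chain problems and ssl.SSLError when
    no TLS 1.2+ version can be negotiated; returns the negotiated version."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version()


if __name__ == "__main__":
    for label, (path, problems) in demo_scenarios().items():
        print(f"{label}: {' -> '.join(c.subject for c in path)}; problems={problems}")
```

Running the script shows the two outcomes discussed in the thread side by side: with only the leaf on the wire, path building stops at the unknown issuer (the "issuer is not recognized" case), while the same leaf chains cleanly once the missing intermediate is available from the preloaded pool; the third scenario completes a path but flags the SHA-1 intermediate. `probe_tls` is the live counterpart and is the quickest way to confirm a server's TLS 1.2 support and chain from the command line before contacting its administrators.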
Comment 3•4 years ago (Reporter)
Thanks Gingerbread Man & Dana. Once GM posted the correct problem (TLS 1.2), I checked with the site admins about that. The site will be replaced by a new site in a month. As it will be a new site, likely the certs will change too, but I'll confirm that.