Closed Bug 1599225 Opened 4 years ago Closed 4 years ago

FF 71.0b12 fails to accept a certificate chain accepted by FF 70.1

Categories

(Core :: Security: PSM, defect)

71 Branch
defect
Not set
normal

RESOLVED DUPLICATE of bug 1535662

People

(Reporter: Tyson, Unassigned)

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:71.0) Gecko/20100101 Firefox/71.0

Steps to reproduce:

Tried to open an (internal) HTTPS page.

Actual results:

Firefox 71.0b12 brought up:

  1. when run as "Firefox.app", an error message indicating "SSL_ERROR_EXPIRED_CERT_ALERT"
  2. when run as "Firefox71.0b12.app", a warning that the site was not secure. When I drilled down, the error was "Peer’s Certificate issuer is not recognized."

Expected results:

Firefox should have accepted the certificate chain, and securely opened the web page as it does in FF71.0 and FF68.0.2esr.

Another user reported this problem. I have confirmed it for myself so I could report it to Mozilla.

Under preferences, FF 71.0b12 shows the top level certificate of the offered chain (attached) as an authority. All dates appear valid to my naive eye and my computer has the correct time.

Note: this site is probably not accessible to you as it requires authentication (that I do not control).

In the latest Nightly, the error message is SSL_ERROR_UNSUPPORTED_VERSION accompanied by an explanation that the site doesn't support TLS 1.2. SSL Labs report confirms this:

Component: Untriaged → Security: PSM
Product: Firefox → Core

That server isn't sending the right intermediate certificates for Firefox to be able to find a trusted path to a root certificate (in fact, it's sending an old SHA-1 intermediate). This is being addressed by intermediate preloading, so I'll mark it as a duplicate.

Additionally, and arguably more problematically, it doesn't support TLS 1.2, as Gingerbread Man has pointed out. All browsers are disabling TLS versions earlier than 1.2 early next year, so this site will not work in any browser at that time. If you can, contact the people in charge of that server and tell them they need to update its configuration to support modern cryptography.

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → DUPLICATE
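An added example, not code from the bug report or from Mozilla: a small Python probe that applies the two checks Dana describes (a handshake with TLS 1.2 as the floor, and verification of the served chain against the local trust store) and maps the resulting error onto the symptoms in the report. The host name is a placeholder, and the OpenSSL reason strings and X.509 verify codes it matches on are assumptions about what Python's ssl module surfaces, not values from this page.

```python
import socket
import ssl

# OpenSSL reason strings that Python's ssl module attaches to SSLError when the
# server cannot negotiate any protocol version we allow (assumption: these names
# come from the ssl module, not from the bug report).
NO_TLS12_REASONS = {
    "UNSUPPORTED_PROTOCOL",
    "TLSV1_ALERT_PROTOCOL_VERSION",
    "NO_PROTOCOLS_AVAILABLE",
}
# X.509 verify codes (OpenSSL X509_V_ERR_* values) for the two chain failures.
VERIFY_UNKNOWN_ISSUER = {2, 20, 21}  # no issuer cert / no local issuer / unverifiable leaf
VERIFY_EXPIRED = {10}                # certificate has expired


def classify(err):
    """Map a handshake exception onto the failure modes discussed in the bug."""
    if isinstance(err, ssl.SSLCertVerificationError):
        code = getattr(err, "verify_code", None)
        if code in VERIFY_EXPIRED:
            return "expired-cert"
        if code in VERIFY_UNKNOWN_ISSUER:
            return "unknown-issuer"  # Firefox: "Peer's Certificate issuer is not recognized"
        return "verify-failed"
    if isinstance(err, ssl.SSLError) and getattr(err, "reason", None) in NO_TLS12_REASONS:
        return "no-tls12"  # Firefox: SSL_ERROR_UNSUPPORTED_VERSION
    return "other"


def probe(host, port=443, timeout=5.0):
    """Handshake with TLS 1.2 as the minimum and full chain verification against
    the system trust store, roughly what Firefox 71 requires of a server."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "version": tls.version(),
                        "issuer": cert.get("issuer"), "not_after": cert.get("notAfter")}
    except OSError as err:  # ssl.SSLError is a subclass; DNS/connect errors land here too
        return {"ok": False, "problem": classify(err), "detail": str(err)}


if __name__ == "__main__":
    import sys
    # Placeholder host: the internal site from the bug is not named on the page.
    print(probe(sys.argv[1] if len(sys.argv) > 1 else "example.invalid"))
```

A server that sends an incomplete or SHA-1 intermediate chain typically reports "unknown-issuer" here even when the leaf's dates are valid, which matches what the reporter saw in the certificate viewer.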

Thanks Gingerbread Man & Dana. Once GM posted the correct problem (TLS 1.2), I checked with the site admins about that. The site will be replaced by a new site in a month. As it will be a new site, likely the certs will change too, but I'll confirm that.
