Closed Bug 2010389 Opened 3 months ago Closed 3 months ago

Add e-Szigno TLS Root CA 2023 to NSS

Categories: NSS :: CA Certificates Code, task, P2
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: bwilson, Assigned: jschanck
Attachments: 3 files

Request to include Root Certificate in NSS

This bug requests inclusion in the NSS root store of the following root certificate owned by Microsec Ltd.

Root Certificate 1 of 1
Friendly Name: e-Szigno TLS Root CA 2023
Certificate Download Location: https://www.e-szigno.hu/tlsrootca2023.crt
SHA-1 Fingerprint: 6F9AD5D5DFE82CEBBE3707EE4F4F52582941D1FE
SHA-256 Fingerprint: B49141502D00663D740F2E7EC340C52800962666121A36D09CF7DD2B90384FB4
Trust Flag: Websites
Test URL: To be provided (https://eqtlsca2023-valid.e-szigno.hu currently chains to Microsec e-Szigno Root CA 2009 -- it needs to chain to e-Szigno TLS Root CA 2023)

This CA has been assessed in accordance with the Mozilla project guidelines, and the certificates were approved for inclusion in bug #1873057.

The next steps are as follows:

  1. A representative of the CA must confirm that all the data in this bug is correct, and that the correct certificates have been attached.
  2. A Mozilla representative creates a patch with the new certificates.
  3. The Mozilla representative requests that another Mozilla representative review the patch.
  4. The Mozilla representative adds (commits) the patch to NSS, then closes this bug as RESOLVED FIXED.
  5. At some time after that, various Mozilla products will move to using a version of NSS which contains the certificate. This process is mostly under the control of the release drivers for those products.
Assignee: nobody → bwilson
Status: NEW → ASSIGNED
Flags: needinfo?(szoke.sandor)
Blocks: 1873057

As a representative of the CA, I confirm that all the data in this bug is correct, and that the correct certificate has been attached.

We have started investigating the issue with our test site https://eqtlsca2023-valid.e-szigno.hu
The test site already contains the proper certificate chain, so the problem lies somewhere else.

Flags: needinfo?(szoke.sandor)

We have completed the investigation.
The problem may have been caused by the fact that the test website https://eqtlsca2023-valid.e-szigno.hu was checked without sending the Server Name Indication (SNI) value.

Due to the large number of CAs, Microsec serves multiple TLS web addresses on a single provider-independent IP address, typically protected by certificates traceable to different roots.
These web addresses (virtual hosts) have a sequence under the given IP address. If the client does not send the SNI value when checking, the web server (Apache in the case of Microsec) responds with the TLS settings of the first virtual host specified in its configuration at the given IP address, possibly instead of the settings actually belonging to the server being queried.

As a workaround, we placed the given virtual host first in the list to ensure the success of checking the given test page without sending SNI.
This solves the current problem, but a similar problem may occur when checking other pages under the same IP address if the client does not send an SNI value.

We recommend providing the SNI value during the verification, as the lack of SNI may result in an incorrect error message with other service providers too.
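The mismatch described in this comment can be checked directly. The following is an added example (not code from this bug, from Microsec or from NSS): it fetches the leaf certificate a server presents with and without the SNI extension and compares the SHA-256 fingerprints. `fake_apache_fetch`, its host names and its fingerprints are constructed to model Apache's first-vhost fallback offline; `presented_leaf_sha256` performs the real network fetch.

```python
import hashlib
import socket
import ssl


def presented_leaf_sha256(host, port=443, use_sni=True, timeout=10):
    """Return the SHA-256 fingerprint of the leaf certificate a server presents.

    Verification is disabled on purpose: the point is to see what the server
    sends (the new root may not be in the local store yet), not to trust it.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    # server_hostname=None makes the client omit SNI from the ClientHello.
    server_name = host if use_sni else None
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            der = tls.getpeercert(binary_form=True)
    return hashlib.sha256(der).hexdigest().upper()


def compare_with_and_without_sni(host, fetch=presented_leaf_sha256):
    """Fingerprints seen with and without SNI, and whether they differ.

    `fetch` is injectable so the check can be exercised offline.
    """
    with_sni = fetch(host, use_sni=True)
    without_sni = fetch(host, use_sni=False)
    return {"with_sni": with_sni, "without_sni": without_sni,
            "differs": with_sni != without_sni}


def fake_apache_fetch(host, port=443, use_sni=True, timeout=10):
    """Constructed stand-in for one IP address hosting several TLS vhosts.

    Without SNI, Apache answers with the first vhost in its configuration,
    so the caller sees that host's certificate instead of the requested one.
    """
    vhosts_in_config_order = [  # constructed sample names and fingerprints
        ("other-test.example", "AA" * 32),
        ("eqtlsca2023-valid.e-szigno.hu", "BB" * 32),
    ]
    if not use_sni:
        return vhosts_in_config_order[0][1]
    for name, fingerprint in vhosts_in_config_order:
        if name == host:
            return fingerprint
    return vhosts_in_config_order[0][1]
```

When `differs` is true, a checker that omits SNI is not looking at the chain it thinks it is, which is the situation this comment describes.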

Assignee: bwilson → jschanck
Severity: -- → N/A
Priority: -- → P2

I have accepted the revisions in Phabricator.

Pushed by jschanck@mozilla.com:
https://hg.mozilla.org/projects/nss/rev/167cae97dda4
Add e-Szigno TLS Root CA 2023 to NSS. r=bwilson
https://hg.mozilla.org/projects/nss/rev/25af0d302a73
Set nssckbi version to 2.84. r=bwilson

Status: ASSIGNED → RESOLVED
Closed: 3 months ago
Resolution: --- → FIXED

Confirmed in Nightly - NSS 3.121 and FF 149.
