286995 - False "Invalid certificate error", when visiting site #2

Status: RESOLVED DUPLICATE of bug 204835

(Core :: Security: PSM, defect)

Description

[Kurt Mielke]

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.5) Gecko/20041107 Firefox/1.0

If I visit two pages in the same session, I get an "Invalid certificate ... has
same serial number". I think it is limited to sites with a certificate paths,
and "the middle certificate" is the same.



Reproducible: Always

Steps to Reproduce:
1. Visit https://www.seczone.dk/sqmail/src/login.php
2. Visit https://games.tips.dk/
3.

Actual Results:  
Alert: You have receieved an invalid certificate....Yor certificates contains
the same serial number as another...
If I close alle instancies of firefox, it is possible to contact the second
site, but then access to the first site is blocked.

Expected Results:  
No alert...

Tested on several platforms, all PC based hardware though.

Comment 1

[Matthias Versen [:Matti]]

-> PSM

Comment 2

[Nelson Bolyard (seldom reads bugmail)]

This is a dup of bug 204835.  See especially comment 
https://bugzilla.mozilla.org/show_bug.cgi?id=204835#c17

Each of these servers is serving a cert with 
serial number:          01:00:00:00:00:00:e5:f2:11:81:ee
whose subject name is: "OU=TDC Internet Root CA,O=TDC Internet,C=DK"
and whose issuer name is:
"CN=GlobalSign Partners CA,OU=Partners CA,O=GlobalSign nv-sa,C=BE"

Yet the certs with that description are not identical!
The encoding of the signature in one of them has been altered. 
One is the true cert, and one is an alteration.  NSS has detected
the presence of a second cert with the same issuer and serial number
as another already-seen cert, but which is not identical to it, and 
has reported it to PSM.  PSM has reported it to the user.


*** This bug has been marked as a duplicate of 204835 ***