Closed
Bug 297402
Opened 20 years ago
Closed 19 years ago
New certificate incorrectly reported as invalid
Categories
(Core :: Security: PSM, defect)
Tracking
()
RESOLVED
WORKSFORME
People
(Reporter: sebasttj, Assigned: KaiE)
Details
(Whiteboard: [kerh-noi])
Attachments
(1 file: 40.21 KB, image/jpeg)
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050405 Firefox/1.0 (Ubuntu package 1.0.2)
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050405 Firefox/1.0 (Ubuntu package 1.0.2)

This bug would be difficult to duplicate without control of your own webserver and CA, so I haven't done so.

The other day, I checked my GMail account through their SSL-enabled site and left the page open. I have GMail configured to "remember me" so I don't have to re-log-in every time, if that makes a difference. This morning, I clicked on the "Inbox" button (which reloads your inbox *without* refreshing the page, via some Javascript magic) and I was presented with the dialog box telling me there was a problem with the certificate; in particular, it said that the CA was untrusted.

I examined the certificate details, and everything appeared to be in order. The only thing that caught my eye was that the site's certificate was issued very recently (possibly before the last time I visited the site). I checked the issuing CA details, and again everything seemed fine. It was a Thawte cert, and I noted the public key and tried to find out if it was valid. The public key listed was the correct one. I had no problem visiting https://www.thawte.com, whose cert was issued by the same CA. When I went back to https://gmail.google.com, I no longer received the certificate warning dialog.

My only guess is that Firefox "remembered" the certificate from the previous connection and was confused when it received a different cert. I don't know if the old cert was issued by the same CA or not. Reporting that the cert changed is fine, but the dialog didn't say that was the problem.

I realize that I am running an older version of Firefox. I have dial-up on a pay-per-minute basis, so 14MB downloads are not feasible. I tried searching through the history of certificate-related bugs, but I noticed nothing similar to this one. I apologize if this is a resolved issue.

Reproducible: Didn't try

Steps to Reproduce:
1. Set up a CA and issue a cert to a webserver
2. Visit the webserver via Firefox, leave page open
3. Issue a new cert to the webserver (perhaps from a new CA)
4. Reload the page (possibly only via some dhtml mechanism similar to GMail's)

Expected Results: Either succeed silently or present the correct warning message.
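As an added illustration (not code from this bug or from Mozilla's PSM), the behaviour the reporter expects: a client that caches the last certificate fingerprint per host and keeps "the cert changed" separate from "the issuer is untrusted", so the warning names the real problem. Certificates are constructed stand-in records, the chain is linked by subject/issuer name only, and the CA names are borrowed from the report.

```python
import hashlib
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    der: bytes  # constructed stand-in for the DER encoding, not a real certificate
    def fingerprint(self) -> str:
        return hashlib.sha256(self.der).hexdigest()

def build_chain(leaf, intermediates, trust_anchors, max_depth=5):
    # Follow issuer names from the leaf; return the chain if it ends at a trust
    # anchor, else None (assumes subject/issuer names are what links the chain).
    chain, cur = [leaf], leaf
    for _ in range(max_depth):
        if cur.issuer in trust_anchors:
            return chain + [trust_anchors[cur.issuer]]
        nxt = intermediates.get(cur.issuer)
        if nxt is None or nxt is cur:  # unknown issuer, or untrusted self-signed cert
            return None
        chain.append(nxt)
        cur = nxt
    return None

def check_site_cert(host, leaf, intermediates, trust_anchors, seen):
    # 'seen' caches the last fingerprint per host, so a changed-but-trusted
    # cert is reported as a change rather than as an untrusted CA.
    chain = build_chain(leaf, intermediates, trust_anchors)
    if chain is None:
        return "UNTRUSTED_ISSUER", f"no trusted root reached from issuer {leaf.issuer!r}"
    fp, prev = leaf.fingerprint(), seen.get(host)
    seen[host] = fp
    if prev is None or prev == fp:
        return "OK", f"chain ends at trusted root {chain[-1].subject!r}"
    return "OK_CHANGED", f"{host} presented a new certificate; still chains to {chain[-1].subject!r}"

# Constructed sample PKI reusing the names from the report (not the real certificates).
VERISIGN_ROOT = Cert("VeriSign Root", "VeriSign Root", b"root-bytes")
THAWTE_SGC = Cert("Thawte SGC CA", "VeriSign Root", b"sgc-bytes")
TRUST_ANCHORS = {VERISIGN_ROOT.subject: VERISIGN_ROOT}
INTERMEDIATES = {THAWTE_SGC.subject: THAWTE_SGC}
GMAIL_OLD = Cert("gmail.google.com", "Thawte SGC CA", b"gmail-2004")
GMAIL_NEW = Cert("gmail.google.com", "Thawte SGC CA", b"gmail-2005")
GMAIL_ROGUE = Cert("gmail.google.com", "Unknown CA", b"gmail-rogue")

def demo():
    # Three visits to one host: first sight, a legitimate renewal, then a bad issuer.
    seen = {}
    return [check_site_cert("gmail.google.com", c, INTERMEDIATES, TRUST_ANCHORS, seen)[0]
            for c in (GMAIL_OLD, GMAIL_NEW, GMAIL_ROGUE)]
```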
Comment 1•20 years ago
Subject: Re: Firefox warning says Gmail certificate not valid
FIX for Missing ROOT CERTIFICATE from THAWTE SGC
Download Thawte's Root certificate, install it into your browser.
(Thawte is a South African Company, a wholly owned subsidiary of
VeriSign, Inc. ("VeriSign"))
Go to:
http://www.thawte.com/roots/index.html
( --- false name & e-mail accepted! :-)
unpack the .zip to a useful place, and install 'Thawte SGC CA.cer'
Firefox menu:
Tools>options...>Advanced>Certificates>Manage Certificates
Click the 'Manage Certificates' button and choose the 'Authorities'
tab.
Import the single certificate ('Thawte SGC CA.cer') from your useful
place.
The Root certificate is then visible under Verisign (not Thawte :-)
Good luck!
Updated•20 years ago
Assignee: nobody → kaie
Component: Security → Security: PSM
Product: Firefox → Core
QA Contact: firefox
Version: unspecified → 1.7 Branch
Comment 2•20 years ago
The Google Gmail page works for me here. Maybe Ubuntu ships different certs? Someone would need to test with an official binary from http://www.mozilla.org ...
Comment 3 (Reporter)•20 years ago
(In reply to comment #2)
> The Google Gmail page works for me here. Maybe Ubuntu ships different certs?
> Someone would need to test with an official binary from http://www.mozilla.org ...

Thank you for your help, but the problem was *not* that I didn't trust the root cert. I tried to make that fairly clear in my bug report -- if not, I apologize. I had the correct root cert installed already. The problem is that Firefox *erroneously* informed me that the new GMail cert had an untrusted root. It did this only once, under very unusual circumstances, as described in my initial report. I'll attempt to reproduce on a local webserver with my own CA, but I may not be able to do so for several days.
Comment 4 (Assignee)•19 years ago
What you say is obviously scary, but if it happened only once, and is not reproducible, there's not much that can be done.
Updated (Assignee)•19 years ago
Whiteboard: [kerh-noi]
Comment 5 (Assignee)•19 years ago
Please reopen if you can provide a set of certs that would allow reproducing your scenario. CC'ing Nelson just in case he is curious to look into this mysterious one-time failure.
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → WORKSFORME