Open Bug 405635 Opened 18 years ago Updated 3 years ago

Using S/MIME encryption LDAP does not fetch X.509 certificates of intermediate CAs.

Categories

(MailNews Core :: LDAP Integration, defect)

1.8 Branch
x86
Linux
defect

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: gellert, Unassigned)

Details

User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1.8) Gecko/20071015 SUSE/2.0.0.8-1.1 Firefox/2.0.0.8
Build Identifier: version 2.0.0.6 (20070801)

I imported the root certificate of some CA. When I try to send an email to someone with a certificate from this certificate hierarchy, Thunderbird fetches the correct certificate from the configured LDAP server. But it cannot verify it because it simply does not try to fetch certificates of intermediate CAs. When opening the "S/MIME -> Security Information" window, Thunderbird tries to validate the certificate and displays the error message:

"This certificate can't be verified and will not be imported. The certificate issuer might be unknown or untrusted, the certificate might have expired or been revoked, or the certificate might not have been approved."

It should be easy to implement a recursive LDAP search that searches for missing issuer certificates up to the (already imported and trusted) root certificate.

Reproducible: Always

Steps to Reproduce:
1. Save the root certificate ("Wurzelzertifikat") from this page and import it into Thunderbird: http://info.pca.dfn.de/uni-hamburg-ca/index.html
2. Import the first intermediate CA certificate (DFN-PCA Zertifikat) from the same page.
3. Use the following LDAP server configuration:
   Name: DFN-PKI
   Hostname: ldap.pca.dfn.de
   BaseDN: o=DFN-Verein,c=DE
   Port Number: 389
   Bind DN: <empty>
   and make this an active LDAP server.
4. Try to send an email to "olaf.gellert" (the rest of the email will be substituted after a first LDAP search).

Actual Results:
The correct certificate will be fetched but not imported (with the error message from above).

Expected Results:
After fetching the email recipient's certificate, Thunderbird should try to fetch the issuer certificate from the same LDAP server. Then it would work.

To test this manually, you can import the missing intermediate CA's certificate (named "CA-Zertifikat") from http://info.pca.dfn.de/uni-hamburg-ca/index.html
Fetching and importing the certificate will be successful.

More like an enhancement request; can you give it a try using TB3 beta 2?
Component: Address Book → LDAP Integration
Product: Thunderbird → MailNews Core
QA Contact: address-book → ldap-integration
Version: unspecified → 1.8 Branch
Severity: normal → S3
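
The recursive issuer lookup requested in the report, sketched as an added example (not Thunderbird or NSS code). `Cert`, `build_chain` and `fetch_by_subject` are hypothetical names, the certificates are simplified name-only records, and the sample hierarchy is constructed; signature, validity and revocation checks are assumed to be done afterwards by the X.509 library.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

@dataclass(frozen=True)
class Cert:
    """Simplified stand-in for an X.509 certificate: names only, no signature."""
    subject: str
    issuer: str

class ChainError(Exception):
    """No path from the leaf to an already-trusted root could be built."""

def build_chain(leaf: Cert, trusted_roots: Dict[str, Cert],
                fetch_by_subject: Callable[[str], Optional[Cert]],
                max_depth: int = 8) -> List[Cert]:
    """Follow issuer names upward, fetching missing intermediates on demand.

    fetch_by_subject is a hypothetical directory lookup (for example an LDAP
    search for the CA entry). Fetched certificates are untrusted candidates:
    the caller must still verify every signature, validity period and
    revocation status in the returned chain with its X.509 library.
    """
    chain, seen, current = [leaf], {leaf.subject}, leaf
    while True:
        root = trusted_roots.get(current.issuer)
        if root is not None:
            # Anchor only on a root that was trusted before the search began.
            return chain if root == current else chain + [root]
        if current.subject == current.issuer:
            raise ChainError("self-signed but not trusted: " + current.subject)
        if len(chain) >= max_depth:
            raise ChainError("chain longer than max_depth")
        candidate = fetch_by_subject(current.issuer)
        if candidate is None:
            raise ChainError("issuer not in directory: " + current.issuer)
        if candidate.subject != current.issuer or candidate.subject in seen:
            raise ChainError("wrong or repeated issuer: " + candidate.subject)
        seen.add(candidate.subject)
        chain.append(candidate)
        current = candidate

# Constructed sample hierarchy: root -> policy CA -> issuing CA -> user.
ROOTS = {"CN=Example Root": Cert("CN=Example Root", "CN=Example Root")}
DIRECTORY = {
    "CN=Example Policy CA": Cert("CN=Example Policy CA", "CN=Example Root"),
    "CN=Example Issuing CA": Cert("CN=Example Issuing CA", "CN=Example Policy CA"),
}
LEAF = Cert("CN=user@example.org", "CN=Example Issuing CA")

if __name__ == "__main__":
    for cert in build_chain(LEAF, ROOTS, DIRECTORY.get):
        print(cert.subject)
```

The depth limit and the repeated-subject check keep a misconfigured or hostile directory from driving the lookup into an endless loop.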