Closed Bug 434295 Opened 16 years ago Closed 16 years ago

Firefox with CACert root certificate installed reports peer certificates as revoked.

Categories

(NSS :: Libraries, defect)

Product:
NSS
Component:
Libraries
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
RESOLVED INVALID

People

(Reporter: mail, Unassigned)

Details

Attachments

(1 file)

CACert's OCSP response, reporting cert is revoked
6.48 KB, text/plain
Details 
User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9b5) Gecko/2008032600 SUSE/2.9.95-18 Firefox/3.0b5
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9b5) Gecko/2008032600 SUSE/2.9.95-18 Firefox/3.0b5

If you install the CACert root certificate in Firefox3 and visit a server with a CACert SSL certificate, Firefox3 reports that the certificate has been revoked.

--------
Secure Connection Failed

An error occurred during a connection to milliways.cynapses.org.
Peer's Certificate has been revoked.

(Error code: sec_error_revoked_certificate)
--------

If you take a look at the certificate at the 'certificate manager' you will see that both are valid and haven't been revoked.

Reproducible: Always

Steps to Reproduce:
1. Go to http://www.cacert.org/index.php?id=3 and install the Class 3 PKI Key
2. Visit a server with a CACert created cerificate like mine: https://milliways.cynapses.org/

Actual Results:  
You will get an error:
----------------------

Secure Connection Failed

An error occurred during a connection to milliways.cynapses.org.
Peer's Certificate has been revoked.

(Error code: sec_error_revoked_certificate)

Expected Results:  
The content of the site without any error or user interaction.
Assignee: nobody → nobody
Component: Security → Libraries
Product: Firefox → NSS
QA Contact: firefox → libraries
CACert does operate an OCSP certificate revocation server. 
The server certificate for the server you cited contains an extension
that tells your browser to check its revocation with that OCSP server.
When it does so, the OCSP server sends back a response that says the 
certificate has been revoked. 

There is no NSS bug here.  The CA is authoritative and the last word on
the subject.  When the CA says a cert is revoked, that's it, and there is
no override.
You report 
"If you take a look at the certificate at the 'certificate manager' you 
will see that both are valid and haven't been revoked."

When I look with the certificate manager, I see the root cert, valid, 
and the class 3 intermediate CA cert (which identifies itself incorrectly 
as a root cert) which is valid.  I do not see the server's cert, which is 
revoked.  

If you see the server's cert in your cert manager window, and it does not 
appear revoked, then that is (In my opinion) a cert manager issue.  If that
is what you see, the cert manager is failing to report that the cert is 
revoked, when it is revoked.  That would be a separate bug from this one.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → INVALID
The class 3 "root" looks like an intermediate to me. The actual root is the class 1 cert, and your server needs to serve up the intermediates along with your own cert.

Go to http://wiki.cacert.org/wiki/CacertSites and try loading those sites. You'll probably get similar errors which demonstrates you've got the wrong root.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: