User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9b5) Gecko/2008032600 SUSE/2.9.95-18 Firefox/3.0b5 Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9b5) Gecko/2008032600 SUSE/2.9.95-18 Firefox/3.0b5 If you install the CACert root certificate in Firefox3 and visit a server with a CACert SSL certificate, Firefox3 reports that the certificate has been revoked. -------- Secure Connection Failed An error occurred during a connection to milliways.cynapses.org. Peer's Certificate has been revoked. (Error code: sec_error_revoked_certificate) -------- If you take a look at the certificate at the 'certificate manager' you will see that both are valid and haven't been revoked. Reproducible: Always Steps to Reproduce: 1. Go to http://www.cacert.org/index.php?id=3 and install the Class 3 PKI Key 2. Visit a server with a CACert created cerificate like mine: https://milliways.cynapses.org/ Actual Results: You will get an error: ---------------------- Secure Connection Failed An error occurred during a connection to milliways.cynapses.org. Peer's Certificate has been revoked. (Error code: sec_error_revoked_certificate) Expected Results: The content of the site without any error or user interaction.
Assignee: nobody → nobody
Component: Security → Libraries
Product: Firefox → NSS
QA Contact: firefox → libraries
Created attachment 322335 [details] CACert's OCSP response, reporting cert is revoked CACert does operate an OCSP certificate revocation server. The server certificate for the server you cited contains an extension that tells your browser to check its revocation with that OCSP server. When it does so, the OCSP server sends back a response that says the certificate has been revoked. There is no NSS bug here. The CA is authoritative and the last word on the subject. When the CA says a cert is revoked, that's it, and there is no override.
You report "If you take a look at the certificate at the 'certificate manager' you will see that both are valid and haven't been revoked." When I look with the certificate manager, I see the root cert, valid, and the class 3 intermediate CA cert (which identifies itself incorrectly as a root cert) which is valid. I do not see the server's cert, which is revoked. If you see the server's cert in your cert manager window, and it does not appear revoked, then that is (In my opinion) a cert manager issue. If that is what you see, the cert manager is failing to report that the cert is revoked, when it is revoked. That would be a separate bug from this one.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → INVALID
The class 3 "root" looks like an intermediate to me. The actual root is the class 1 cert, and your server needs to serve up the intermediates along with your own cert. Go to http://wiki.cacert.org/wiki/CacertSites and try loading those sites. You'll probably get similar errors which demonstrates you've got the wrong root.
You need to log in before you can comment on or make changes to this bug.