Closed Bug 465238 Opened 16 years ago Closed 8 years ago

OCSP (validated by default at install) does not work properly

Categories

(Core :: Security: PSM, defect)

defect
Not set
normal

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: guillaume.romagny, Unassigned)

References

(Blocks 1 open bug)

Details

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.2; fr; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.4) Gecko/2008102920 Firefox/3.0.4

Background idea : CAcert is creating a new set of root / subroots to comply with Mozilla rules. And we are testing them. Currently the CAcert OCSP systems are only working for the certs issued by current CAcert roots. So when OCSP is activated, the subroots and user certs SHOULD be not validated. But we have a test case, that validates the subroot + user cert anyway !

Reproducible: Always

Steps to Reproduce:
 * test 1 :

- Take a clean install of firefox (OCSP is validated by default).

- Start Firefox

- load the "id.p12" pkcs12 file with [end-user cert + subroot + root] certs (id.p12 has password "cacert"), 
- go to the keystore to check the 3 boxes (email, website, codesigning) for the root certificate, 
- go to the root+subroot+user certs details : they get validated.

conclusion => the OCSP requests are not sent to the OCSP server (no trace seen with wireshark) => the subroot and user cert are validated, despite the OCSP validation is activated by default. 

 * test 2 :

- Take a clean install of firefox (OCSP is validated by default).

- Start Firefox

- Load some root certificates and validate the 3 check boxes 
example go to 
http://www.cacert.org/certs/root.crt
http://www.cacert.org/certs/class3.crt

- load the "id.p12" pkcs12 file with [end-user cert + subroot + root] certs (id.p12 has password "cacert"), 
- go to the keystore to check the 3 boxes (email, website, codesigning) for the root certificate, 
- go to the root+subroot+user certs details : the root is validated but not the subroot and end user cert

conclusion => the OCSP requests are *sent* to the server (traces can be seen with wireshark) => the subroot and user cert are NOT validated, this is the expected behaviour. 


Actual Results:  
subroot + user cert VALID for the test case (OCSP do not query the server)

Expected Results:  
subroot + user cert INVALID (OCSP queries the server)


I don't know why loading some root certs triggers the OCSP validation

Is the pkcs12 loading of user cert+subroot+root is broken OR just the clean Firefox install does check the OCSP validation BUT don't do it at all.
Depends on: 384081
Version: unspecified → 3.0 Branch
password for id.p12 is "cacert"
Just in case, the parent project for the new root creation
http://wiki.cacert.org/wiki/Roots/TestNewRootCerts
Assignee: nobody → kaie
Component: Security → Security: PSM
Product: Firefox → Core
QA Contact: firefox → psm
Version: 3.0 Branch → unspecified
Hello,

This bug would have been tracked more easily is the validation message would be more explicit than "Could not verify this certificate for an unknown reason" bug 91403
Depends on: unknownreason
Summary: OCSP (validated by default at install) does not working properly → OCSP (validated by default at install) does not work properly
Mass change owner of unconfirmed "Core:Security UI/PSM/SMime" bugs to nobody.
Search for kaie-20100607-unconfirmed-nobody
Assignee: kaie → nobody
Blocks: 157555
Certificate verification and OCSP checking has changed significantly since this bug was filed. If this is still an issue, feel free to re-open.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: