http://defect.opensolaris.org/bz/attachment.cgi?id=1178 is pretty, but unfortunately even knowing what to look for, it doesn't really help much. steps: 1. open certificate database 2. scroll to VeriSign, Inc. 3. delete Sun Microsystems Inc SSL CA 4. visit https://pkg.sun.com expected results: security warning page that specifically highlights: * this server provided a certificate without a certificate chain. This could be because someone is trying to impersonate the server, or it could be because it was misconfigured. actual results: (varies by version) http://defect.opensolaris.org/bz/attachment.cgi?id=1178 --- In either case it isn't trustworthy, however if it's a misconfiguration, then browsing to a related trusted site could cause the site to be fixed. I don't know how to explain that, and I'm fine with the help text including a link for a faq item. It shouldn't be hard to specifically detect this case and provide a distinct error note for it.
Even if it's only visible in the technical details section of the error pages (at least, for firefox) this sounds like a good thing for debugging. We'd need to be able to tell the difference between "served an incomplete chain" and "served a chain to an untrusted root", but really, it would probably help a significant percentage of these cases to just distinguish the case of "served no chain, just the end entity cert, which doesn't chain to a trusted root, but isn't self-signed" -- that's the common case for people who just set up their servers wrong. I think it's less common to serve a chain which is only missing link N-1 or something. Would you agree?
Status: UNCONFIRMED → NEW
Ever confirmed: true
According to the information I have, about one sixth of all legitimate certificates which involves intermediate CAs are lacking the complete chain. On the other hand, libpkix has the functionality to fetch the missing certs and is a matter of enabling in the future releases (and a matter of policy) to all of my knowledge. I'm certain Nelson can provide more information.
The displayed error message plainly says "the issuer certificate is unknown". This is a cert that chains to an issuer CA for which we have no cert. There are other error messages for other problems, such as lack of trust. The error messages are already distinct.
i'm looking for nss/psm to provide a distinction between a certificate and a certificate with a provided chain. we already special case Self Signed
Created attachment 354575 [details] [diff] [review] proposal note that atm xpcom's nsArray contract is broken (it needs to be fixed regardless as the code is reachable today.
Assignee: kaie → timeless
Status: NEW → ASSIGNED
Attachment #354575 - Flags: review?
Comment on attachment 354575 [details] [diff] [review] proposal I like it. r=kaie Even though the detailed error message is nowaday hidden behind the more generic text, it can still be found in "technical details" and is helpful. I tested the patch with https://kuix.de:9445/
Attachment #354575 - Flags: review?(kaie) → review+
Status: ASSIGNED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9.3a1
You need to log in before you can comment on or make changes to this bug.