Verisign cert is not valid despite it being truly valid

RESOLVED INVALID

Status

()

RESOLVED INVALID
9 years ago
9 years ago

People

(Reporter: dtumpic, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Attachments

(1 attachment)

(Reporter)

Description

9 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.5) Gecko/20091105 Fedora/3.5.5-1.fc12 Firefox/3.5.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US; rv:1.9.1.5) Gecko/20091102 Firef ox/3.5.5 (.NET CLR 3.5.30729)

When visiting https://seymoursmith.com/estore with Fire Fox 3.0.10, 3.5.2, 3.5.3 using Windows (W2k & Vista) it does not validate the certificate. Doing the same (versions) on Linux and Mac works as expected and makes a proper validation. On the Windows build the "VeriSign Class 3 Extended Validation SSL SGC CA" is not present in the certificate authority. 

Reproducible: Always

Steps to Reproduce:
1.Go to https://seymoursmith.com/estore
2.
3.
Actual Results:  
This connection is Untrusted

Expected Results:  
Should show the page secure and all with no complaint like on Linux and Mac OS X

I tried to completely uninstall FF and then reinstall it again but it is still missing some of the root CA's for Verisign.
(Reporter)

Comment 1

9 years ago
Created attachment 417319 [details]
The CA list on the different OS'

The picture clearly shows that the Windows install is missing more than a few of the Verisign CA certs.
It works in FF3.5.5 with my default profile and Seamonkey trunk but it stops working in a new profile.

This looks like a server misconfiguration (doesn't send certificate chain) which would make this bug invalid.
(Reporter)

Comment 3

9 years ago
Yes this was indeed a server side misconfiguration.

The webserver needs the intermediate CA's from Verisign explicitly.

https://knowledge.verisign.com/support/ssl-certificates-support/index?page=content&id=AR657

Now everything works as expected.

This was not a problem with Firefox Windows build at all and should be closed as a non-issue unless Firefox error message can be made to look a little bit more informative... say "Certificate Chain Not Provided" in cases like these. 

Thank you for the clarification and hint.
>This was not a problem with Firefox Windows build

That is not true, it's the same issue with a windows Firefox build because Gecko is cross platform and the SSL code is the same.
You only visited once a page with the same certificate that sent the intermediate CA and Firefox cached it in your Firefox profile.
You will get the same result if you create a new profile with your windows Firefox and visit such a broken server.
- http://kb.mozillazine.org/Profile_Manager

Sorry that i wasn't more clear with the issue. I understand the SSL basics but not this part (that's the reason why I added jruderman as cc). 
You are not the first reporter with this issue and that's the reason why I know the symptoms.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.