543069 - sec_error_unknown_issuer on all https-sites since firefox 3.5.7

Status: RESOLVED WORKSFORME

(Core :: Security: PSM, defect)

Description

[webmaster]

User-Agent:       Opera/9.80 (X11; Linux i686; U; de) Presto/2.2.15 Version/10.10
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.2.0) Gecko/20100115 SUSE/3.6.0-1.2 Firefox/3.6

First occured with:
Mozilla/5.0 (X11; U; Linux i686; de; rv:1.9.1.7) Gecko/20091222 SUSE/3.5.7-2.3 Firefox/3.5.7 

I already reinstalled firefox, deleted my profile. Installed 3.6 when it came out. Nothing worked. Currently i have to use opera! Please help.

This is my last change since nobody responded here:
http://support.mozilla.com/en-US/forum/1/548946?


Reproducible: Always

Steps to Reproduce:
1. Hit Ctrl+L
2. https://www.paypal.com
3. Press Enter
Actual Results:  
Errorcode: sec_error_unknown_issuer


Expected Results:  
I can visit https sites.

I am aware that this is a local-problem on my machine.

Comment 1

[Johnathan Nightingale [:johnath]]

I suspect that if this is happening for all sites, especially ones like paypal, then someone is trying to intercept your network connections, by creating fake certificates to impersonate the real sites, and that the timing on the upgrade to Firefox 3.6 may be a coincidence.

Do you work behind some kind of proxy that might be doing this benevolently? Are you using some kind of public wireless that might have someone doing this maliciously?

If you visit paypal, can you click on the "Add an Exception" button from the error page and, within the window that pops up, click the "View" button that appears, to see what the certificate looks like? Can you maybe take a screenshot of that page and attach it here?

Comment 2

[webmaster]

Attachment: paypal-cert-screenshot (german)

Comment 3

[webmaster]

Attachment: Cert export

Comment 4

[webmaster]

I am at home behind the famous fritzbox. No proxy at all( may be one from the isp).

But all other computers( two with firefox ) and browseres work well.

Comment 5

[webmaster]

Attachment: paypal-cert-screenshot-tab2 (german)

Comment 6

[Johnathan Nightingale [:johnath]]

So the good news is that those fingerprints match what I see from paypal - so it seems more likely now that there's some kind of corruption going on, instead of an actual attack.

So, you've tried a new profile, you've tried a fresh install, those are things that could have been at fault, and leaves me sort of short on ideas at the moment - Kai, anything leaping to mind for you?

Comment 7

[webmaster]

Thank you for your effort so far. 

Is it possible that a shared lib is defect or incompatible with FF on by linux-installation ?

Comment 8

[Matthias Versen [:Matti]]

Please try to disable OSCP for a test (tools/options/advanced/encryption/validation) and please try a Mozilla.org Firefox build.

Comment 9

[Eddy Nigg (StartCom)]

Failed OCSP would have been a different error.

Comment 10

[webmaster]

Disabling OCSP didn't work. 

Using http://mozilla-mirror.naist.jp//firefox/releases/3.6/linux-i686/de/firefox-3.6.tar.bz2 did help !

I still wonder why the build from the suse-repo is not working on my system, but i am happy with the build from mozilla.org.

Comment 11

[Wolfgang Rosenauer [:wolfiR]]

I'm still interested to find the reason why the openSUSE build does not work for you. Could you please check the versions of the packages 
mozilla-xulrunner192
mozilla-nss
mozilla-nss-certs
libfreebl3

Comment 12

[webmaster]

Done.

mozilla-xulrunner192-1.9.2.0-2.1
mozilla-nss-3.12.4-6.1
package mozilla-nss-certs is not installed
libfreebl3-3.12.4-1.1

Will install missing certs an see.

Comment 13

[webmaster]

Works like a charme now.

mozilla-nss-certs-3.12.4-6.1

I thank all of you very much.

Comment 14

[Matthias Versen [:Matti]]

Thanks Wolfgang for your help !