Bug 543417
Opened 15 years ago
Closed 15 years ago
https site still marked as trusted even if its CA cert is marked as untrusted
Categories
(Core :: Security: PSM, defect)
RESOLVED
WORKSFORME
People
(Reporter: alpha.mm, Assigned: KaiE)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
I changed CA certificate trust settings for a CA cert (not root cert). Yet it seems nothing happens when I browse sites that use this cert.
Reproducible: Always
Steps to Reproduce:
1. Go to mail.163.com
2. Enter any random characters in the two textboxes on the right, which are e-addr and pwd.
3. Tick the checkbox on the right whose text contains "SSL".
4. Click the login button whose color is somewhat pink.
5. Now your certs should contain CNNIC SSL.
6. Tools -> Options -> Advanced -> View certificates.
7. Under the "Entrust.net" branch, there should be a "CNNIC SSL" cert.
8. Edit it, cancel the three ticks in trust setting. Then OK, OK.
9. Now go to https://www.enum.cn/en/ . You'll find this site is still marked as TRUSTED though it is verified by CNNIC SSL.
Actual Results:
Firefox gives me NO warnings when I'm trying to browse a site which is verified by a CA cert that I don't trust.
Expected Results:
The browser should give me SOME warnings when I'm trying to browse a site which is verified by a CA cert that I don't trust.
Comment 1•15 years ago
I suspect this might be down to the fact that CNNIC has both an Entrust subsidiary root and its own top level root - you may need to disable trust in both places. In the meantime though, moving to Core::PSM
Assignee: nobody → kaie
Component: Security → Security: PSM
Product: Firefox → Core
QA Contact: firefox → psm
Much thanks, Johnathan.
I've found another cert with common name "Entrust.net Secure Server Certification Authority" and serial number "37:4A:D2:43" that hasn't been set to "untrusted". After banning it, the site can be blocked.
So there are altogether 3 certs to set:
1. CNNIC ROOT
2. CNNIC SSL
3. Entrust.net Secure Server Certification Authority (37:4A:D2:43)
Again, thank you for your reply:)
(In reply to comment #1)
> I suspect this might be down to the fact that CNNIC has both an Entrust
> subsidiary root and its own top level root - you may need to disable trust in
> both places. In the meantime though, moving to Core::PSM
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → FIXED
Updated•15 years ago
Resolution: FIXED → WORKSFORME
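The behaviour discussed in this thread, as a toy path-building model added here as an example (it is not Firefox or NSS code): a site keeps validating while any issuer path still reaches a trusted certificate. The issuer links are assumptions taken from comment 1's hypothesis, and the model assumes that clearing a certificate's trust ticks only stops it acting as an anchor rather than blocking paths through it.

```python
# Constructed model. Certificate names come from the bug; the issuer links are
# assumptions based on comment 1, not parsed from the real certificates.
LEAF = "www.enum.cn"
CNNIC_SSL = "CNNIC SSL"
CNNIC_ROOT = "CNNIC ROOT"
ENTRUST = "Entrust.net Secure Server Certification Authority"

ISSUERS = {  # certificate -> certificates that may have signed it
    LEAF: [CNNIC_SSL],
    CNNIC_SSL: [ENTRUST, CNNIC_ROOT],
    ENTRUST: [],
    CNNIC_ROOT: [],
}


def trusted_paths(leaf, issuers, trusted):
    """Return every issuer path from leaf that ends at a trusted certificate."""
    found = []

    def walk(cert, path):
        path = path + [cert]
        if cert != leaf and cert in trusted:
            found.append(path)  # an anchor ends the path
            return
        for parent in issuers.get(cert, []):
            if parent not in path:  # cross-signing can create loops
                walk(parent, path)

    walk(leaf, [])
    return found


def anchors_to_clear(leaf, issuers, trusted):
    """List, in discovery order, each anchor that must lose trust to block leaf."""
    remaining, cleared = set(trusted), []
    while True:
        paths = trusted_paths(leaf, issuers, remaining)
        if not paths:
            return cleared
        anchor = paths[0][-1]
        cleared.append(anchor)
        remaining.discard(anchor)


if __name__ == "__main__":
    everything = {CNNIC_SSL, ENTRUST, CNNIC_ROOT}
    print(trusted_paths(LEAF, ISSUERS, everything - {CNNIC_SSL}))
    print(anchors_to_clear(LEAF, ISSUERS, everything))
```

Under these assumptions, clearing only "CNNIC SSL" leaves two trusted paths, which matches the reporter's finding that three certificates had to be changed before the site was blocked.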