
https site still marked as trusted even if its CA cert is marked as untrusted

RESOLVED WORKSFORME


People

(Reporter: alpha.mm, Assigned: kaie)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

9 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6

I changed CA certificate trust settings for a CA cert (not root cert). Yet it seems nothing happens when I browse sites that use this cert.

Reproducible: Always

Steps to Reproduce:
1. Go to mail.163.com
2. Enter any random characters in the two textboxes on the right, which are e-addr and pwd.
3. Tick the checkbox on the right whose text contains "SSL".
4. Click the login button whose color is somewhat pink.
5. Now your certs should contain CNNIC SSL.
6. Tools -> Options -> Advanced -> View certificates.
7. Under "Entrust.net" branch, there should be a "CNNIC SSL" cert.
8. Edit it, cancel the three ticks in trust setting. Then OK, OK.
9. Now go to https://www.enum.cn/en/ . You'll find this site is still marked as TRUSTED though it is verified by CNNIC SSL.
Actual Results:  
Firefox gives me NO warnings when I'm trying to browse a site which is verified by a CA cert that I don't trust.

Expected Results:  
The browser should give me SOME warnings when I'm trying to browse a site which is verified by a CA cert that I don't trust.

Comment 1

I suspect this might be down to the fact that CNNIC has both an Entrust subsidiary root and its own top level root - you may need to disable trust in both places. In the meantime though, moving to Core::PSM
Assignee: nobody → kaie
Component: Security → Security: PSM
Product: Firefox → Core
QA Contact: firefox → psm
(Reporter)

Comment 2

9 years ago
Much thanks, Johnathan.
I've found another cert with common name "Entrust.net Secure Server Certification Authority" and serial number "37:4A:D2:43" that hadn't been set to "untrusted". After banning it, the site can be blocked.

So there are altogether 3 certs to set:
1. CNNIC ROOT
2. CNNIC SSL
3. Entrust.net Secure Server Certification Authority (37:4A:D2:43)

Again, thank you for your reply:)

(In reply to comment #1)
> I suspect this might be down to the fact that CNNIC has both an Entrust
> subsidiary root and its own top level root - you may need to disable trust in
> both places. In the meantime though, moving to Core::PSM
Status: UNCONFIRMED → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → FIXED
Resolution: FIXED → WORKSFORME
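Why clearing the trust bits on one CA did not block the site, shown as an added example (not part of the bug report or of NSS): a toy path builder in Python that models the chain described in comments 1 and 2, where "CNNIC SSL" chains up to both "CNNIC ROOT" and the Entrust root. The certificate graph, the anchor set and the function names (`find_path`, `is_trusted`) are assumptions constructed for illustration, not data taken from the page.

```python
"""Toy chain builder: clearing a CA's trust bits only stops it from being
a trust anchor. A chain that passes *through* that CA still validates if
it reaches some other anchor, which is what step 9 of the report shows."""
from collections import deque

# Constructed issuer graph: subject -> possible issuers. The cross-signing
# assumed from comments 1 and 2 gives "CNNIC SSL" two issuers.
ENTRUST_ROOT = "Entrust.net Secure Server CA (37:4A:D2:43)"
ISSUERS = {
    "www.enum.cn": ["CNNIC SSL"],
    "CNNIC SSL": ["CNNIC ROOT", ENTRUST_ROOT],
    "CNNIC ROOT": [],     # self-signed
    ENTRUST_ROOT: [],     # self-signed
}

# Assumed initial trust store: all three CAs carry trust bits.
DEFAULT_ANCHORS = frozenset(["CNNIC SSL", "CNNIC ROOT", ENTRUST_ROOT])


def find_path(leaf, anchors, issuers=ISSUERS):
    """Breadth-first search from the leaf to the first trusted anchor.
    Returns the chain as a list, or None if no anchor is reachable.
    A CA without trust bits is still usable as an intermediate."""
    queue = deque([[leaf]])
    while queue:
        chain = queue.popleft()
        current = chain[-1]
        if current in anchors:
            return chain
        for issuer in issuers.get(current, []):
            if issuer not in chain:  # guard against issuer loops
                queue.append(chain + [issuer])
    return None


def is_trusted(leaf, untrusted, anchors=DEFAULT_ANCHORS):
    """True if the site would still be shown as trusted after clearing the
    trust bits of every CA named in `untrusted` (the reporter's step 8)."""
    return find_path(leaf, anchors - frozenset(untrusted)) is not None


if __name__ == "__main__":
    for cleared in (["CNNIC SSL"],
                    ["CNNIC SSL", "CNNIC ROOT"],
                    ["CNNIC SSL", "CNNIC ROOT", ENTRUST_ROOT]):
        remaining = DEFAULT_ANCHORS - frozenset(cleared)
        print(cleared, "->", find_path("www.enum.cn", remaining))
```

Only when all three CAs lose their trust bits does the search fail, matching the list of certificates in comment 2.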