Closed Bug 548769 Opened 14 years ago Closed 14 years ago

Seamonkey: "Could not verify this certificate for unknown reasons.", but Firefox can

Categories

(SeaMonkey :: Security, defect)

SeaMonkey 2.0 Branch
x86
Linux
defect
Not set
major

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: u20230201, Unassigned)

Details

(Whiteboard: [profile related])

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.8) Gecko/20100206 SUSE/2.0.3-0.1.1 SeaMonkey/2.0.3
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.8) Gecko/20100206 SUSE/2.0.3-0.1.1 SeaMonkey/2.0.3

I have a problem with a certificate that Firefox 3.5.8 accepts, but Seamonkey 2.0.2 does not. When trying to find out the reason, I only got the message "Could not verify this certificate for unknown reasons." when viewing the root CA for the certificate chain.
The certificate in question is:
Subject:
CN = Deutsche Telekom Root CA 2
OU = T-TeleSec Trust Center
O = Deutsche Telekom AG
C = DE
Serial: 26
Issuer:
CN = Deutsche Telekom Root CA 2
OU = T-TeleSec Trust Center
O = Deutsche Telekom AG
C = DE
Validity: 09.07.1999 - 10.07.2019

Reproducible: Always

Steps to Reproduce:
1. Open a web site that uses a certificate derived from the mentioned Root-CA

Actual Results:  
The certificate is not accepted in Seamonkey, but it is accepted in Firefox

Expected Results:  
If the certificate is valid, it should be accepted. If the certificate is not valid there should be an explanation that the user can understand.

Improve the message "Could not verify this certificate for unknown reasons."
Version: unspecified → SeaMonkey 2.0 Branch
(In reply to comment #0)
> 1. Open a web site that uses a certificate derived from the mentioned Root-CA

Which site, for example?
Serge: See the URL field
(In reply to comment #0)

[Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.1.8) Gecko/20100205 SeaMonkey/2.0.3] (release)
[Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.1.9pre) Gecko/20100301 Shiretoko/3.5.9pre] (nightly)
[Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9.1.9pre) Gecko/20100301 SeaMonkey/2.0.4pre] (nightly)

WorksForMe with new profile(s): the page loads without certificate error.
Do you still reproduce? (Could it be SUSE specific?)

(In reply to comment #2)

Thanks, I know how to use this field once it's completed...
Heh, did not know the URL was added after you commented :-P
Regarding comment #8: Yes, I have a profile "with tradition". I even did suspect that the root CAs are stored somewhere inside, and thus may not be very much up to date, maybe.
But anyway: If I upgrade to the latest (even if supplied by Novell/SuSE) seamonkey, I expect that there would be at least a notice if some of my CAs seem obsolete (or incompatible).
Finally: The error message I see doesn't help a lot, and "forget your profile and create a new one" cannot be the solution for the year 2010. Is there any way to trace the certificate validation?
Additional info: If I select "Deutsche Telekom Root CA 2" in the certificate manager under "Authorities", and press "View", I see the same error message "Could not verify this certificate for unknown reasons". I'll attach a screen shot of the windows in a moment.
Ulrich: Did you try if this also happens with an official build from http://www.seamonkey-project.org ? This root cert was added in Bug 487647 in the year 2009, so maybe they're a bit behind? The root certificates are not stored in the profile so that's not the problem.
On comment #8: I don't quite understand: If the CA certificate is present under "Certificate Manager/Authorities" (as displayed in attachment 429680 [details]) and if the certificate is the same as the one you are seeing, the problem cannot be that the certificate wasn't imported. AFAIK, a certificate is uniquely identified by Subject, Issuer and serial number (or by fingerprint). So you are seeing the SAME certificate, and it's valid with an official build? If so the problem must be something else.
(In reply to comment #5)

> But anyway: If I upgrade to the latest (even if supplied by Novell/SuSE)

Did you try on a non-SUSE OS?
(Or maybe just a (different) SUSE on a different computer?)

> "forget your profile and create a new one"
> cannot be the solution for the year 2010.

(Atm) It's not a solution, it's a test environment!

(In reply to comment #6)

In the Certificate Manager, the root certificate is the very same as yours and is verified as "SSL Certificate Authority".

In the browser, the site certificate I get is CN="www.uni-regensburg.de" and is verified as "SSL Server Certificate".
Ah, I see, I did not really look at the screenshot. I'm still interested in if this also happens with an official SeaMonkey build.
Sorry for the lengthy delay. When running Novell's build 2.0.4 (Build identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1.9) Gecko/20100317 SUSE/2.0.4-1.1.1 SeaMonkey/2.0.4) I still see the same problem. Is there a way to debug the "unknown reasons"? This is more annoying than the problem itself (i.e. being unable to say what the problem actually is).
Another update: If I create a new user (i.e. a new profile), the problem does not appear. So how can I trace the certificate validation (comment #5)?
Comment 11 from me still applies :) can you test if this also happens with your old profile with an official SeaMonkey build (so a build from www.seamonkey-project.org)?
Well, the problems I have are: Can I add an official build without doing any harm to the original Novell build? If I'll have to remove the Novell build, and then install the Mozilla build, will the shared libraries match, and will the Mozilla build uninstall cleanly? What I absolutely don't want is having to reinstall the system.
You just extract the official build in any folder you like and run it. No installation required.
OK, this comment is written with your 2.0.4 build of seamonkey (German version). The error message is the very same (this time in German): "Dieses Zertifikat konnte aus unbekannten Gründen nicht verifiziert werden."
This is WFM.

Ulrich: can you please have a look at Certificate Manager - Authorities and edit the Deutsche Telekom Root CA 2 token. Is the checkbox before "This certificate can identify web sites" checked? If I uncheck this, I get the same error message.
Whiteboard: [CLOSEME 2011-02-01 WFM]
Whiteboard: [CLOSEME 2011-02-01 WFM] → [CLOSEME 2011-02-01 WFM] [profile related]
OK, maybe this is all because of a bad user interface: A "Root CA" does not identify any web sites! A "Root CA" certifies other CAs (and maybe non-CA certificates). No website is expected to be identified by the "Deutsche Telekom Root CA 2" certificate.
At least I can tell you that the (German) help text is correct (in SeaMonkey/2.0.10). I'd strongly advise to change the texts for the three check boxes.
To answer comment 18: Yes, it fixed the problem.
Also, I'm missing an automatic (visible) propagation of trust to the intermediate CAs that the root CA certifies: Obviously it is sufficient to trust the root CA. The intermediate CAs don't show any of these check marks, but obviously these are internally active, because otherwise the certificate being used wouldn't be trusted (by the rules of trust).
Security shouldn't be that confusing!
WFM based on comment 19
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → WORKSFORME
Whiteboard: [CLOSEME 2011-02-01 WFM] [profile related] → [profile related]
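
Added example, not part of the original bug thread and not Mozilla code: the check box "This certificate can identify web sites" corresponds to the `C` flag in the SSL field of the NSS trust attributes, which `certutil -L -d <profile directory>` prints per certificate, so the state that produced the "unknown reasons" message can be read from a listing. The sample listing, the two "Example" nicknames and the function names are constructed for illustration.

```python
import re

# One listing row: nickname, then the "SSL,S/MIME,JAR/XPI" trust flags.
ROW = re.compile(r"^(?P<nick>\S.*?)\s+(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")

def parse_listing(text):
    """Map nickname -> (ssl, email, objsign) flags from `certutil -L` output."""
    certs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and blank lines do not match the row pattern
            certs[m.group("nick")] = tuple(m.group("trust").split(","))
    return certs

def web_trust(certs, nickname):
    """Return (ssl_flags, trusted); trusted means 'C' (trusted CA for
    server certificates) is present in the SSL field."""
    ssl, _email, _objsign = certs[nickname]
    return ssl, "C" in ssl

def trust_with_web(certs, nickname):
    """Trust string that adds web-site trust and keeps the other two fields,
    in the form accepted by `certutil -M -n NICK -t TRUST -d DIR`."""
    ssl, email, objsign = certs[nickname]
    if "C" not in ssl:
        ssl = "C" + ssl
    return ",".join((ssl, email, objsign))

# Constructed sample (not taken from the bug): a root whose web-site trust
# has been removed, an intermediate, and a fully trusted root.
SAMPLE = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Deutsche Telekom Root CA 2                                   ,C,
Example Intermediate CA                                      ,,
Example Trusted Root                                         CT,C,C
"""

if __name__ == "__main__":
    certs = parse_listing(SAMPLE)
    # Check roots only: intermediates normally carry no flags of their own
    # and are trusted through the root they chain to.
    for root in ("Deutsche Telekom Root CA 2", "Example Trusted Root"):
        ssl, ok = web_trust(certs, root)
        state = "web trust set" if ok else "NO web trust"
        print(f"{root}: SSL flags {ssl!r}: {state}; fix: {trust_with_web(certs, root)}")
```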