
https connect to www.gmx.net fails with sec_error_unknown_issuer in fresh profile until first successful secure connect to (specific) other site

Status: RESOLVED INVALID
Product: Core
Component: Security: PSM
Reporter: u12623; Assigned: kaie
Version: Trunk; Platform: x86 / All
Attachments: 3
Description (Reporter)

Created attachment 447885
nspr log of STR - search for XXX to find points shortly before loading a page

Same issue with the following builds, so platform => all:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a5pre) Gecko/20100526 Minefield/3.7a5pre
Firefox 3.6.3 on XP and Linux x86


Basically, connections to https://www.gmx.net/ only succeed after first successfully connecting to another secure site.

STR (clean profile):

1) load https://www.gmx.net/ -> 'Untrusted Connection' error (sec_error_unknown_issuer)
2) load https://www.verisign.com/ -> page loads normally
3) load https://www.gmx.net/ -> page loads normally

If you skip step 1, the results for steps 2 and 3 are the same.

Step 3 only succeeds when using certain sites for step 2. https://ebanking1.ubs.com/ is the only other such site I know of. It appears the site needs to present a certificate signed by the same [verisign] Root CA; thawte.com and instantssl.com don't work.

ebanking1.ubs.com's certificate chain is identical to www.gmx.net's, and both certificates have the same properties (both are EV, identical CRL URL, etc.) - yet one works and the other throws an error upon first connect.

I traced the connections and compared the traces, and they seem very much identical to me - i.e. both the client/server hellos are the same each time, and the server sends the same certificate to the client.
Comment 1 (Reporter)

Created attachment 447887
output of 'openssl s_client -connect www.gmx.net:443 -showcerts'

Comment 2

The certificate of the server of gmx.net is not set up correctly and doesn't send the complete certificate chain. They should contact their certificate provider in order to obtain the correct CA certificates and install them at their site(s).
Status: NEW → RESOLVED
Resolution: --- → INVALID
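A small model of the behaviour the description and Comment 2 describe, added here as an example and not code from the bug or its attachments: a server that omits its intermediate CA fails in a fresh profile, while a server from the same CA that sends the full chain gets the intermediate cached, after which the first server verifies. The `-showcerts` samples, subject/issuer names and the trust store are constructed assumptions.

```python
import re

# Constructed samples in the layout of `openssl s_client -showcerts` output
# (PEM bodies omitted). Names are assumptions, not the bug's attachments.
GMX_SHOWCERTS = """\
Certificate chain
 0 s:/C=DE/O=GMX GmbH/CN=www.gmx.net
   i:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 EV SSL CA
"""
UBS_SHOWCERTS = """\
Certificate chain
 0 s:/C=CH/O=UBS AG/CN=ebanking1.ubs.com
   i:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 EV SSL CA
 1 s:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 EV SSL CA
   i:/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Primary CA - G5
"""
# Assumed trust store: subjects of the root CAs the client ships with.
TRUSTED_ROOTS = {"/C=US/O=VeriSign, Inc./CN=VeriSign Class 3 Primary CA - G5"}

def parse_chain(showcerts):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    subjects = re.findall(r"^\s*\d+ s:(.+)$", showcerts, re.M)
    issuers = re.findall(r"^\s*i:(.+)$", showcerts, re.M)
    return list(zip(subjects, issuers))

def verify(chain, cache):
    """Walk from the leaf's issuer to a trusted root; return (ok, reason).

    `cache` models the browser's store of intermediates seen on earlier
    successful connections; a complete chain adds its intermediates to it.
    """
    sent = dict(chain[1:])  # subject -> issuer of intermediates the server sent
    issuer = chain[0][1]
    for _ in range(8):  # bound the walk so a looped chain cannot spin forever
        if issuer in TRUSTED_ROOTS:
            cache.update(sent)
            return True, "chain complete"
        nxt = sent.get(issuer) or cache.get(issuer)
        if nxt is None:
            return False, "sec_error_unknown_issuer: no cert for " + issuer
        issuer = nxt
    return False, "chain too long or looped"

def reproduce_str():
    """Steps 1-3 of the bug's STR against a fresh profile (empty cache)."""
    cache = {}
    return [verify(parse_chain(s), cache)[0]
            for s in (GMX_SHOWCERTS, UBS_SHOWCERTS, GMX_SHOWCERTS)]
```

`reproduce_str()` yields `[False, True, True]`, the fail / pass / pass pattern of the report; the fix on the server side is to send the intermediate so the first element is `True` without any cache.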
Comment 3 (Reporter)

Created attachment 447889
pcap traces of ssl traffic for successful/failed connection attempts