Closed Bug 568715 Opened 14 years ago Closed 14 years ago

https connect to www.gmx.net fails with sec_error_unknown_issuer in fresh profile until first successful secure connect to (specific) other site

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: u12623, Assigned: KaiE)

References

(
URL
)

Details

Attachments

(3 files)

nspr log of STR - search for XXX to find points shortly before loading a page
1.43 MB, application/x-gzip
Details
output of 'openssl s_client -connect www.gmx.net:443 -showcerts'
4.59 KB, text/plain
Details
pcap traces of ssl traffic for successful/failed connection attempts
3.62 KB, application/x-gzip
Details 
same issue with following builds, so platform => all:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.3a5pre) Gecko/20100526 Minefield/3.7a5pre
Firefox 3.6.3 on XP and linux x86


Basically, connections to https://www.gmx.net/ only succeed after first successfully connecting to another secure site.

STR (clean profile):

1) load https://www.gmx.net/ -> 'Untrusted Connection' error (sec_error_unknown_issuer)
2) load https://www.verisign.com/ -> page loads normally
3) load https://www.gmx.net/ -> page loads normally

if you skip step 1 results for steps 2 and 3 are the same.

step 3 only succeeds when using certain sites for step 2. https://ebanking1.ubs.com/ is the only other such site I know of. It appears the site needs to present a certificate signed by the same [verisign] Root CA; thawte.com and instantssl.com don't work.

ebanking1.ubs.com's certificate chain is identical to www.gmx.net's, and both certificates have the same properties (both are EV, identical CRL URL etc) - yet one works and the other throws an error upon first connect.

I traced the connections and compared the traces and they seem very much identical to me - i.e. both the client/server hellos are the same each time, and the server sends the same certificate to the client.
The certificate of the server of gmx.net is not set up correctly and doesn't send the complete certificate chain. They should contact their certificate provider in order to obtain the correct CA certificates and install them at their site(s).
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: