Reproduce:
1. Build psm.xpi with |make build_xpi| (see build instructions)
2. Install the xpi in a fresh (open-source) Mozilla nightly build, fresh profile
3. Visit <https://services.db-privatebanking.de>
Actual result: A warning dialog pops up, saying that the CA for the certificate is not recognized. View the certificate to see that it is issued by "Verisign Trust Network".
Expected result: Since Verisign and Thawte seem to agree to the distribution of their certs (see <http://lxr.mozilla.org/mozilla/security/nss/lib/ckfw/builtins/certdata.txt>), all Verisign and Thawte certs are recognized.
Additional Comments: Please check in all of them into the Mozilla tree ASAP (i.e. before N6 shipment), or tell me how to convert the certs into the certdata.txt format, so I can fix it myself. This is a blocker for me - shipping PSM without reasonable root certs is practically impossible. I do use the builtin root certs - No warning on <https://admin.he.net> (issued by Thawte).
eh, wrong summary, correcting.
Summary: Root certs lib not shipped → Check in all root certs, if possible
I got completely confused - sorry. You need the patch for bug 59162 - otherwise, *no* cert will be recognized, not even that for he.net.
Ian fixed the first part of it, reassigning to him (reassign to <relyea%netscape.com>, when (s)he is back). The site mentioned in the reproduction now works. Thanks Ian.
Checked in are:
- VeriSign/Thawte
- TC Trustcenter
- GlobalSign/BelSign
Leaving open, since there are still lots of certs (all from digsigtrust and many smaller CAs) missing.
Assignee: lord → mcgreer
Component: Daemon → Libraries
Product: PSM → NSS
Version: 1.4 → 3.1
Filed bug 59614 about making the tool for creating certdata.txt publicly available.
Ian, have we checked in all the root certs? Can this be done in NSS 3.2 time frame?
Target Milestone: --- → 3.2
Already in:
- Verisign (thousands of times)
- Thawte
- TC Trustcenter
- GlobalSign/BelSign
- ValiCert
The following ones are missing (we have OK to check in):
- Deutsche Telekom (T-TeleSec)
- Entrust
No response so far from (available in 4.x, not yet checked into Mozilla, I mailed them, no response, legal status unclear):
- DigSigTrust
- Equifax
- Baltimore
Not contacted (available in 4.x, not yet checked into Mozilla, I didn't mail them yet, because of missing contact info):
- GTE Cybertrust
- E-Certify
- possibly others
Didn't check Netscape 6, if there are new certs we should distribute, too.
Have checked in Entrust and Deutsche Telekom. Marking as future, will watch this bug as more approvals come in. I think Baltimore is under the new contract, so they can be checked in...
Target Milestone: 3.2 → Future
*** Bug 83847 has been marked as a duplicate of this bug. ***
Created attachment 39140: updated patch includes changes to USPS roots, and has both certdata.c and certdata.txt
Priority: P3 → P1
Whiteboard: PDT+, needs a=
a=blizzard on behalf of drivers for 0.9.2
Whiteboard: PDT+, needs a= → PDT+, needs a=, critical for 0.9.2
last set of roots checked in 6/20
Status: NEW → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED