Firefox connects to site with invalid certificate chain without user confirmation or warning

VERIFIED INVALID

Status

()

--
major
VERIFIED INVALID
8 years ago
3 years ago

People

(Reporter: greenrd, Unassigned)

Tracking

Trunk
x86
Mac OS X
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(URL)

(Reporter)

Description

8 years ago
openssl 1.0a and openssl 1.0b, when used at the command line, say that review.source.android.com has a cert verification problem:

$ openssl s_client -connect review.source.android.com:443 
CONNECTED(00000003)
depth=2 C = US, O = Equifax, OU = Equifax Secure Certificate Authority
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/C=US/ST=California/L=Mountain View/O=Google Inc/CN=review.source.android.com
   i:/C=US/O=Google Inc/CN=Google Internet Authority
 1 s:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
 2 s:/C=US/O=Google Inc/CN=Google Internet Authority
   i:/C=US/O=Equifax/OU=Equifax Secure Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIDZjCCAs+gAwIBAgIKGEga8gADAAAQpzANBgkqhkiG9w0BAQUFADBGMQswCQYD
VQQGEwJVUzETMBEGA1UEChMKR29vZ2xlIEluYzEiMCAGA1UEAxMZR29vZ2xlIElu
dGVybmV0IEF1dGhvcml0eTAeFw0xMDAyMDkxNjA2MjlaFw0xMTAyMDkxNjE2Mjla
MHMxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpDYWxpZm9ybmlhMRYwFAYDVQQHEw1N
b3VudGFpbiBWaWV3MRMwEQYDVQQKEwpHb29nbGUgSW5jMSIwIAYDVQQDExlyZXZp
ZXcuc291cmNlLmFuZHJvaWQuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKB
gQCYg9GlcvozdQJrdYPVE+pbDWx0F5iEeGVi4xPOwdJKdXSnRcMktxx/gFolDv+Z
gQndVKkPt51ApJ56FoGM0WxLiQmmtOmZfIDWZ9nd7WZGrOdvxPAseEKrdsd13Cgi
pqxDWcs/8T3eSELlzXUU1qNv6cSK86J9BcRvMtaw8DrQQwIDAQABo4IBLDCCASgw
HQYDVR0OBBYEFF2Su734kredMwjmAlItJ9QD8UmAMB8GA1UdIwQYMBaAFL/AMOv1
QxE+Z7qekfv8atrjaxIkMFsGA1UdHwRUMFIwUKBOoEyGSmh0dHA6Ly93d3cuZ3N0
YXRpYy5jb20vR29vZ2xlSW50ZXJuZXRBdXRob3JpdHkvR29vZ2xlSW50ZXJuZXRB
dXRob3JpdHkuY3JsMGYGCCsGAQUFBwEBBFowWDBWBggrBgEFBQcwAoZKaHR0cDov
L3d3dy5nc3RhdGljLmNvbS9Hb29nbGVJbnRlcm5ldEF1dGhvcml0eS9Hb29nbGVJ
bnRlcm5ldEF1dGhvcml0eS5jcnQwIQYJKwYBBAGCNxQCBBQeEgBXAGUAYgBTAGUA
cgB2AGUAcjANBgkqhkiG9w0BAQUFAAOBgQBMtJ5KetPM2RfuptIDArz7SuLfKzIH
Dvj2nMWM0me08sdKpUz1pZOOJEshCJ3BjMMf4SZpcauQfjhdOffPlXxq4vHR5bKE
eWCXHeBdti3VrGI3L90Mh//vTNaH+4nP3pVrj5+VXnM3cmPjKbyaze70QYBOv43V
f9mk0tLMtJ7/8g==
-----END CERTIFICATE-----
subject=/C=US/ST=California/L=Mountain View/O=Google Inc/CN=review.source.android.com
issuer=/C=US/O=Google Inc/CN=Google Internet Authority
---
No client certificate CA names sent
---
SSL handshake has read 3126 bytes and written 409 bytes
---

However, Firefox connects to https://review.source.android.com/#project,open,tools/gimd,n,z without any warning or confirmation dialog.

Note that Konqueror on Linux shows a warning for this URL (although it appears to show a nonsensical explanation for why the certificate is invalid, which I've filed as a KDE bug).

Updated

8 years ago
Component: Security → Security: PSM
Product: Firefox → Core
QA Contact: firefox → psm
Version: 3.6 Branch → Trunk
The site in question is sending the certificates in the wrong order, sending 
the intermediate CA certificate AFTER the root CA certificate, instead of 
before it.  While this does not strictly follow the SSL/TLS spec, the fact 
remains that a valid certificate chain can be constructed from the set of 
certificates supplied by the server, and Firefox does so.  Ultimately, the
issue of whether the server's cert chain is valid is whether a valid chain
can be constructed and verified from it to a trusted root.   In this case,
such a chain can be constructed and verified, so the site is AOK.
Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → INVALID

Updated

8 years ago
Group: core-security
Status: RESOLVED → VERIFIED

Updated

3 years ago
Duplicate of this bug: 1160936
You need to log in before you can comment on or make changes to this bug.