Closed Bug 660559 Opened 13 years ago Closed 9 years ago

Certificate details dialog always says "Could not verify this certificate for an unknown reason"

Categories

(Core :: Security: PSM, defect)

x86
macOS
defect
Not set
normal

RESOLVED DUPLICATE of bug 91403

People

(Reporter: mail, Unassigned)

Details

(Keywords: testcase)

Attachments

(4 files)

User-Agent:       Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:5.0) Gecko/20100101 Firefox/5.0
Build Identifier: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:2.0b13pre) Gecko/20110314 Thunderbird/3.3a3

When receiving an e-mail with an invalid certificate, Thunderbird gives the correct reason why the certificate is invalid when clicking on the letter symbol. However, when subsequently clicking on "View Signature Certificate", the dialog always says "Could not verify this certificate for an unknown reason".

Reproducible: Always
Attached image Dialog showing reason
Any errors in Tools -> Error console?

If you save the certificate, can you use the NSS tools to see if they are more verbose about the issue in your cert?
Component: Security → Security: PSM
Product: Thunderbird → Core
QA Contact: thunderbird → psm
Attached image Certificate Hierarchy
Attached file Certificate
No errors in the error console. I don't know which NSS tool I should use to verify the cert. However, I believe it does not include the issuing certificate. The certificate chain looks odd. See screenshot. I also attached the certificate.
Keywords: testcase
Someone needs to implement better user feedback.
Blocks: 107491
So based on some analysis, you are missing a root or intermediate CA:
openssl x509 -in MailSender.cert -inform PEM -text

It says:
        Issuer: C=DE, O=TC TrustCenter GmbH, OU=TC TrustCenter Class 3 L1 CA, CN=TC TrustCenter Class 3 L1 CA IX

So go to http://www.trustcenter.de/en/infocenter/root_certificates.htm and install your missing certificate into the certificate store and your issue should be gone.

Thanks Kaie!!

(In reply to comment #7)
> Someone needs to implement better user feedback.

Is there a bug for that already?
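
The distinction this bug is about (a missing issuer versus an issuer that is not trusted) can be reproduced offline with `openssl verify`. The script below is an added example, not part of the original thread or of NSS/PSM; it assumes OpenSSL 1.1.1 or later, and all certificate names and file names in it are constructed. Verify error 20 is X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY and 19 is X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN.

```shell
#!/bin/sh
# Added example: constructed root -> intermediate -> leaf chain; every name is made up.
build_chain() {
  cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
  ( cd "$1" &&
    openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
      -keyout root.key -out root.pem -subj "/CN=Constructed Root CA" -days 2 &&
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
      -keyout int.key -out int.csr -subj "/CN=Constructed Intermediate CA" &&
    openssl x509 -req -in int.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -extfile ca.cnf -extensions v3_ca -days 2 -out int.pem &&
    openssl req -new -config ca.cnf -newkey rsa:2048 -nodes \
      -keyout leaf.key -out leaf.csr -subj "/CN=Constructed Mail Sender" &&
    openssl x509 -req -in leaf.csr -CA int.pem -CAkey int.key -CAcreateserial \
      -days 2 -out leaf.pem &&
    cat int.pem root.pem > all.pem
  ) >/dev/null 2>&1
}

# Print the numeric X509_V_ERR code from `openssl verify`, or 0 if the chain validates.
verify_code() {
  out=$(openssl verify "$@" 2>&1)
  code=$(printf '%s\n' "$out" | sed -n 's/.*error \([0-9][0-9]*\) at.*/\1/p' | head -n 1)
  if [ -n "$code" ]; then echo "$code"
  elif printf '%s\n' "$out" | grep -q ': OK$'; then echo 0
  else echo unknown; fi
}

D=$(mktemp -d) && build_chain "$D" || { echo "openssl setup failed" >&2; exit 1; }
# 1. Root trusted, intermediate absent: the reporter's situation (missing issuer).
echo "missing intermediate: $(verify_code -CAfile "$D/root.pem" "$D/leaf.pem")"
# 2. Root trusted, intermediate supplied: the chain builds and validates.
echo "complete chain:       $(verify_code -CAfile "$D/root.pem" -untrusted "$D/int.pem" "$D/leaf.pem")"
# 3. Whole chain present but no trust anchor: a genuinely untrusted CA.
echo "untrusted root:       $(verify_code -no-CAfile -no-CApath -untrusted "$D/all.pem" "$D/leaf.pem")"
```

Cases 1 and 3 fail with different codes, which is the information a verification dialog needs in order to report the right reason.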
Thanks Ludovic,
I figured that out myself, but the bug is about the incorrect user feedback of course. So it turns out the reason ("The certificate used to sign the message was issued by a certificate authority that you do not trust for issuing this kind of certificate") given in the first dialog is wrong.

If you try to import it into the certificate store it actually gives you the correct error (Missing intermediate/root certificate).
As Kaie said, we need better user feedback. Want to help and contribute patches?
I had a look at the code. It is not a GUI issue. The underlying security library (nss) returns the wrong reason. The issue is somewhere in certvfy.c. However, not being an experienced C programmer, this code seems close to unmaintainable to me.

The code seems to be quite old and the original author is probably not around anymore. Do you know who might know this code a bit better and could have a look at it?
See bug 91403
Hi,

Thanks for filing the bug.

(In reply to mail from comment #11)
> I had a look at the code. It is not a GUI issue. The underlying security
> library (nss) returns the wrong reason. The issue is somewhere in certvfy.c

If this is still an issue, a bug should be filed against NSS instead. However, since mozilla::pkix is used for cert verification now, I think this bug basically becomes a duplicate of Bug 91403.

If someone thinks my logic is flawed, feel free to re-open.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE