Closed
Bug 664956
Opened 13 years ago
Closed 12 years ago
Intermediate CA conflict causes sec_error_unknown_issuer errors
Categories
(Core :: Security: PSM, defect)
RESOLVED
DUPLICATE
of bug 634074
People
(Reporter: thibautbeyler, Unassigned)
Attachments
(1 file)
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0
Build Identifier: Mozilla/5.0 (Windows NT 5.1; rv:5.0) Gecko/20100101 Firefox/5.0

After browsing to some sites in a certain order, the Mozilla certificate database seems to be 'broken' for some CAs and causes sec_error_unknown_issuer errors when browsing to https sites which depend on these CAs.

Tested in Firefox 4.0.1 on Windows XP SP3, Firefox 3.6.16 on Linux, Firefox 5.0.0.4182 (latest beta) on Windows XP SP3

Reproducible: Always

Steps to Reproduce:
1. Start with a fresh profile! (or delete cert8.db and key3.db in your profile)
2. Go to https://support.comodo.com/
3. Don't close Firefox
4. Go to https://abo-paris.cyclocity.fr/service/login
-> You should have the error

Another way to reproduce it:
1. Start with a fresh profile! (or delete cert8.db and key3.db in your profile)
2. Go to https://support.comodo.com/
3. Close Firefox!
4. Go to https://abo-paris.cyclocity.fr/service/login
5. Go again to https://support.comodo.com/
-> You should have the error on this site now!

Actual Results:
These sites are just examples; when browsing to them, intermediate CAs are installed in Firefox and some don't seem to work well together. The problem doesn't just break these specific websites but all of those using a certificate verified by the same CA.
If you look at the certificate when you have the error, you should see a very long "chain" of certificates that shouldn't be this way.

Expected Results:
It should work fine. If you go to these sites separately there is no problem; it just depends on the intermediate CAs you already have installed.

Since the only way I found to reproduce the issue involves a Comodo certificate, I tried to reach them, but they keep saying the problem is not on their side.
Updated•13 years ago
Component: General → Security: PSM
Product: Firefox → Core
QA Contact: general → psm
Version: unspecified → Trunk
Comment 2•13 years ago
Confirmed the behavior against Mozilla/5.0 (Windows NT 5.1; rv:7.0a1) Gecko/20110618 Firefox/7.0a1 ID:20110618030732.
WFM on Mozilla/5.0 (Windows NT 6.1; rv:8.0a1) Gecko/20110725 Firefox/8.0a1. The sites load slower (2-3 seconds slower) than in Google Chrome, and no errors appear when I reproduce the steps from the description.
I think the error cannot be reproduced anymore with the steps I described because the certificate of https://support.comodo.com/ has changed (issued July 12, 2011) and no longer uses the intermediate root CA that causes the conflict. I will try to find another way to reproduce the bug.
Okay, here is another guide to reproduce the issue with these websites: https://abo-paris.cyclocity.fr , https://secure.mutuelles.biz , https://support.comodo.com , https://www.gandi.net

You can check before you try to reproduce the error that each of those websites has its certificate correctly installed and is working individually (unless your certificate database is already broken, so I suggest you use another browser than Firefox to do this).

Now, let's start with a fresh profile! (or delete cert8.db and key3.db in your profile to clean your certificate database)

Then, in a single session, open a tab of these websites in this order:
1 - https://www.gandi.net - it's working
2 - https://abo-paris.cyclocity.fr - still working
3 - https://secure.mutuelles.biz - broken!
4 - https://support.comodo.com - broken again!

If you start over and use a different order it will probably not reproduce the error (although I haven't tried every order).

Now, can somebody at least change the UNCONFIRMED status? I spent quite a lot of time "working" on this...
Reproducible for me on Mozilla/5.0 (Windows NT 6.1; rv:9.0a1) Gecko/20110823 Firefox/9.0a1. I re-entered the 3rd site and it wasn't broken anymore. In Google Chrome, the sites are not broken. Setting resolution to NEW.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 7•13 years ago
FWIW, either this never worked or it's a really old regression, as the steps in Comment 5 fail in these builds too:
Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.1.19) Gecko/20110420 Firefox/3.5.19 ID:20110420144310
Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.0.19) Gecko/2010031422 Firefox/3.0.19 ID:2010031422
Mozilla/5.0 (Windows; U; Windows NT 5.1; de-DE; rv:1.8.1.20) Gecko/20081217 Firefox/2.0.0.20 ID:2008121709
Comment 8•13 years ago
This probably requires switching to libpkix. When I enabled libpkix (not currently recommended), the error does not occur.
I did a little digging.. https://www.gandi.net adds these 3 intermediate CAs:
- AddTrust AB / COMODO Certification Authority (http://www.tbs-certificats.com/FAQ/en/590.html)
- COMODO CA Limited / COMODO Extended Validation Secure Server CA (http://www.tbs-certificats.com/FAQ/en/591.html)
- Geotrust Inc. / GeoTrust SSL CA (http://www.tbs-certificats.com/FAQ/en/603.html)

and https://abo-paris.cyclocity.fr adds those:
- Addtrust AB / TBS X509 CA SGC (http://www.tbs-certificats.com/FAQ/en/132.html)
- The UserTrust Network / Addtrust External CA Root (http://www.tbs-certificats.com/FAQ/en/83.html)
- Geotrust Inc. / GeoTrust SSL CA (http://www.tbs-certificats.com/FAQ/en/603.html) (same as gandi)

https://secure.mutuelles.biz needs:
- COMODO CA Limited / COMODO High Assurance Secure Server CA (http://www.tbs-certificats.com/FAQ/en/589.html)

and https://support.comodo.com needs:
- COMODO CA Limited / COMODO Extended Validation Secure Server CA (http://www.tbs-certificats.com/FAQ/en/591.html) (same as gandi)

Turns out that there might be a conflict between "AddTrust AB / COMODO Certification Authority" and "The UserTrust Network / Addtrust External CA Root". When the problem is reproduced, deleting either one of them will make the problem disappear, and if you start over from a clean database and just install those two intermediate CAs from the .crt files, the same problem will occur.

The most incomprehensible part is that once you fail to go to https://secure.mutuelles.biz , https://support.comodo.com/ will fail as well, and both will not work permanently, but if you go first to https://support.comodo.com/ the error will never show up.
Comment 10•12 years ago
I'm still hitting this bug as of Aurora 14.0a2, buildid 20120513042005. It appeared a couple of weeks ago, no more than three weeks. Restarting Aurora temporarily "fixes" the issue.
Comment 11•12 years ago
And I confirm the cycle that happens in the trust chain: "UTN - DATACorp SGC" / "AddTrust External CA Root".
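As an added illustration of the cycle described in comment 11 and the two-intermediate conflict of comment 9, the following Python model (written for this page, not Firefox or NSS code) shows why a path builder that takes the first cached certificate matching an issuer name, with no backtracking, gets stuck in a cross-signing loop and reports an unknown issuer, while a depth-first builder that checks trust anchors first and keeps a visited set terminates and finds the chain. Only the CA names come from the comments above; the issuer relationships, the leaf for secure.mutuelles.biz, the pool contents and the single trust anchor are assumptions of the model, and no real certificates or signatures are inspected.

```python
"""
Toy path builder over a cache of cross-signed intermediates (constructed
model, not Firefox/NSS code). Certificates are reduced to (subject, issuer)
name pairs; no signatures, validity periods or extensions are checked.
"""
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Sequence, Set


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


# Constructed pool. The cross-certificate edges follow the names quoted in
# comments 9 and 11; the leaf and its first intermediate are assumptions.
LEAF = Cert("secure.mutuelles.biz", "COMODO High Assurance Secure Server CA")

CROSS_ADDTRUST_BY_UTN = Cert("AddTrust External CA Root", "UTN - DATACorp SGC")
CROSS_UTN_BY_ADDTRUST = Cert("UTN - DATACorp SGC", "AddTrust External CA Root")

CACHED_INTERMEDIATES: List[Cert] = [
    Cert("COMODO High Assurance Secure Server CA", "COMODO Certification Authority"),
    Cert("COMODO Certification Authority", "AddTrust External CA Root"),
    CROSS_ADDTRUST_BY_UTN,   # these two cross-certificates form the cycle
    CROSS_UTN_BY_ADDTRUST,   # "UTN - DATACorp SGC" / "AddTrust External CA Root"
]

# The only trust anchor in this model: the self-signed AddTrust root (assumed).
TRUST_ANCHORS: FrozenSet[Cert] = frozenset(
    {Cert("AddTrust External CA Root", "AddTrust External CA Root")}
)

# A cache that lists intermediates ahead of roots, as a first-match lookup sees it.
POOL: List[Cert] = CACHED_INTERMEDIATES + list(TRUST_ANCHORS)


def build_chain_naive(leaf: Cert, pool: Sequence[Cert],
                      anchors: FrozenSet[Cert], max_depth: int = 10) -> Optional[List[Cert]]:
    """Follow 'first cert whose subject matches my issuer' with no backtracking.

    Once the walk enters the AddTrust <-> UTN cross-signing loop it never
    reaches the self-signed root, exhausts max_depth and returns None, the
    model's equivalent of an unknown-issuer error.
    """
    chain = [leaf]
    current = leaf
    for _ in range(max_depth):
        if current in anchors:
            return chain
        candidates = [c for c in pool if c.subject == current.issuer]
        if not candidates:
            return None
        current = candidates[0]          # first match wins, never revisited
        chain.append(current)
    return None


def build_chain(leaf: Cert, pool: Sequence[Cert],
                anchors: FrozenSet[Cert]) -> Optional[List[Cert]]:
    """Depth-first path building: anchors first, then backtracking with a visited set.

    Checking the trust anchors before the cached intermediates means a
    cross-certificate for an already trusted name is never preferred over
    the root itself, and the visited set guarantees termination even when
    no anchor is reachable and the cache contains a cycle.
    """
    def dfs(chain: List[Cert], seen: Set[Cert]) -> Optional[List[Cert]]:
        current = chain[-1]
        for anchor in anchors:
            if anchor.subject == current.issuer:
                return chain + [anchor]
        for cand in pool:
            if cand.subject != current.issuer or cand in seen or cand.self_signed:
                continue  # untrusted self-signed certs cannot extend a path
            found = dfs(chain + [cand], seen | {cand})
            if found is not None:
                return found
        return None

    return dfs([leaf], {leaf})


def names(chain: Optional[List[Cert]]) -> List[str]:
    """Subject names along a chain, or an empty list when building failed."""
    return [c.subject for c in chain] if chain else []


if __name__ == "__main__":
    print("naive :", names(build_chain_naive(LEAF, POOL, TRUST_ANCHORS)) or "FAILED")
    print("dfs   :", names(build_chain(LEAF, POOL, TRUST_ANCHORS)))
    # Removing the cross-certificate that leads into the loop lets even the
    # naive walk succeed, matching the "delete one of them" observation above.
    pruned = [c for c in POOL if c != CROSS_ADDTRUST_BY_UTN]
    print("pruned:", names(build_chain_naive(LEAF, pruned, TRUST_ANCHORS)))
```

The order of the cache matters for the naive walk exactly as the visit order of the sites mattered in the reports: whichever cross-certificate was stored first is the one a first-match lookup follows, so the same leaf can validate or fail depending on what was cached earlier in the session.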
Updated•12 years ago
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → DUPLICATE