Bug 721288 (NSS :: Libraries, defect, P2) - Status: NEW (Open)
Opened 12 years ago, updated 2 years ago
CERT_PKIXVerifyCert chains one self-signed certificate of a root CA to another self-signed certificate of the same root CA
Reporter: wtc; Assignee: Unassigned
Attachments: 3 files
This problem was first reported in Chromium bug 108514:
http://code.google.com/p/chromium/issues/detail?id=108514

If NSS has two self-signed certificates of the same root CA, CERT_PKIXVerifyCert may chain one of them to the other. I suspect this is because libpkix's certificate chain building code does not stop when it has reached a self-signed root certificate.

The classic NSS certificate verification code checks cert->isRoot when building certificate chains. For example, see
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/pki/certificate.c&rev=1.68&mark=510-516#508
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/certhigh/certvfy.c&rev=1.75&mark=1841-1846#1834
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/certhigh/certvfy.c&rev=1.75&mark=667-674#667

https://images.etrade.wallst.com/ is a website that exhibits this problem. In the SSL handshake the server sends an old self-signed certificate of the root CA. CERT_PKIXVerifyCert chains that root certificate to the root certificate in the built-in root certificates module.

I will attach the three certificates sent by the server next.
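The stopping rule the description contrasts (libpkix continuing to look for an issuer after reaching a self-signed certificate, versus the classic code checking cert->isRoot), as an added example in Python. This is not NSS code and not the reporter's: certificates are reduced to the name and key-identifier fields a builder matches on, no signatures are verified, and every name, key identifier and serial number below is constructed for the illustration. The store holds the three server-sent certificates plus a second self-signed certificate of the same root from a built-in module, which is the situation the bug describes.

```python
"""Toy chain builder showing why stopping at a self-signed cert matters.

Added example, not NSS code. Certs carry only the fields chain building
matches on (subject, issuer, SKID, AKID, serial); no signatures are checked.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Cert:
    label: str            # human-readable tag for output, not a cert field
    subject: str
    issuer: str
    serial: int
    skid: str             # subject key identifier
    akid: Optional[str]   # authority key identifier, None if absent


def is_root_cert(cert: Cert) -> bool:
    """Self-signed test modelled on the classic cert->isRoot rule: subject
    equals issuer and, when an AKID is present, it names the cert's own key."""
    if cert.subject != cert.issuer:
        return False
    if cert.akid is not None and cert.akid != cert.skid:
        return False
    return True


def find_issuers(cert: Cert, store: List[Cert]) -> List[Cert]:
    """Candidate issuers: subject name matches cert.issuer and, when cert has
    an AKID, the candidate's SKID matches it. The cert itself is excluded."""
    return [
        c for c in store
        if c.subject == cert.issuer
        and (cert.akid is None or c.skid == cert.akid)
        and c != cert
    ]


def build_chain(leaf: Cert, store: List[Cert], stop_at_root: bool) -> List[Cert]:
    """Walk from leaf toward a root.

    stop_at_root=False keeps looking for an issuer of a self-signed cert (the
    libpkix behaviour reported in this bug). stop_at_root=True stops at the
    first self-signed cert, as the classic NSS path does via cert->isRoot.
    """
    chain = [leaf]
    current = leaf
    while True:
        if stop_at_root and is_root_cert(current):
            return chain
        issuers = find_issuers(current, store)
        # Skip anything already in the chain so two roots cannot ping-pong.
        nxt = next((c for c in issuers if c not in chain), None)
        if nxt is None:
            return chain
        chain.append(nxt)
        current = nxt


# Constructed data: one root CA with two self-signed certs over the same key.
ROOT_KEY = "key:root-ca"
OLD_ROOT = Cert("old root", "CN=Root CA", "CN=Root CA", 1, ROOT_KEY, ROOT_KEY)
NEW_ROOT = Cert("new root", "CN=Root CA", "CN=Root CA", 2, ROOT_KEY, ROOT_KEY)
INTERMEDIATE = Cert("intermediate", "CN=Intermediate CA", "CN=Root CA", 10,
                    "key:intermediate", ROOT_KEY)
LEAF = Cert("leaf", "CN=www.example.test", "CN=Intermediate CA", 100,
            "key:leaf", "key:intermediate")

# Server sent LEAF, INTERMEDIATE and OLD_ROOT; NEW_ROOT comes from the
# built-in root module. All four are visible to the builder.
STORE = [LEAF, INTERMEDIATE, OLD_ROOT, NEW_ROOT]


def demo(stop_at_root: bool) -> List[str]:
    """Return the chain built from LEAF as a list of labels."""
    return [c.label for c in build_chain(LEAF, STORE, stop_at_root)]


if __name__ == "__main__":
    print("libpkix-style: ", demo(stop_at_root=False))
    print("isRoot check:  ", demo(stop_at_root=True))
```

Without the stopping rule the builder treats the old self-signed root as an intermediate and appends the newer self-signed certificate of the same CA behind it, giving a four-certificate chain with two roots; with the rule it stops at the first self-signed certificate and trust evaluation is then performed on that certificate alone.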
Comment 1•12 years ago•Reporter
Comment 2•12 years ago•Reporter
Comment 3•12 years ago•Reporter
Comment 4•12 years ago
This sounds very similar to bug 489714. See especially bug 489714 comment 3 and below.
Updated•12 years ago
Updated•2 years ago
Severity: normal → S3