Closed Bug 768515 Opened 12 years ago Closed 9 years ago

SSL Certificate Chain Verification False Negative

Categories

(Core :: Security: PSM, defect)

10 Branch
x86_64
Linux
defect
Not set
normal

RESOLVED INCOMPLETE

People

(Reporter: patrick.strateman, Unassigned)

Details

(Keywords: testcase-wanted)

An https server providing the complete certificate chain in which the trust anchor is an intermediary results in the chain being rejected as invalid.

An example of this behavior is the StartCom certificate authority. The trust anchor loaded in Firefox is "CN=StartCom Certification Authority". However, the actual root of the chain is "CN=StartCom Certification Authority G2".

If the full certificate chain, including "CN=StartCom Certification Authority G2", is provided by the https server, the chain will be rejected. Having the https server provide only the site-specific certificate and "CN=StartCom Class 2 Primary Intermediate Server CA" results in success.

/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Class 2 Primary Intermediate Server CA
/C=IL/O=StartCom Ltd./OU=Secure Digital Certificate Signing/CN=StartCom Certification Authority
/C=IL/O=StartCom Ltd./CN=StartCom Certification Authority G2

I can set up a demonstration server if necessary.
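The chain from comment 0 as a simplified model, added here as an illustration (not code from Firefox, NSS or this bug thread): a check that treats the last presented certificate as the root, beside path building that stops at the first trusted issuer. Assumptions: certificates are matched by name only with no key or signature checks, and the leaf name `CN=site.example` and all function names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str

CLASS2_DN = "CN=StartCom Class 2 Primary Intermediate Server CA"
ROOT_DN = "CN=StartCom Certification Authority"
G2_DN = "CN=StartCom Certification Authority G2"

# Constructed model of the presented chain (names only, no keys or signatures).
LEAF = Cert("CN=site.example", CLASS2_DN)   # placeholder site certificate
CLASS2 = Cert(CLASS2_DN, ROOT_DN)
CROSS = Cert(ROOT_DN, G2_DN)                # trusted CA name, issued by G2
G2 = Cert(G2_DN, G2_DN)                     # self-signed, not in the trust store

FULL_CHAIN = [LEAF, CLASS2, CROSS, G2]
SHORT_CHAIN = [LEAF, CLASS2]
TRUST_ANCHORS = {ROOT_DN}                   # what the reporter says is loaded

def tail_anchored(presented, anchors):
    """Model of the reported behaviour: only the end of the chain may be trusted."""
    tail = presented[-1]
    return tail.subject in anchors or tail.issuer in anchors

def build_path(presented, anchors):
    """Walk issuer links from the leaf and stop at the first trusted issuer.

    Returns the list of names on the accepted path, or None if no path
    reaches a trust anchor. Certificates above the anchor are ignored.
    """
    by_subject = {c.subject: c for c in presented}
    current, path, seen = presented[0], [], set()
    while current is not None and current.subject not in seen:
        seen.add(current.subject)
        path.append(current.subject)
        if current.issuer in anchors:
            return path + [current.issuer]
        if current.issuer == current.subject:
            return None                     # untrusted self-signed root
        current = by_subject.get(current.issuer)
    return None                             # missing issuer or issuer loop

if __name__ == "__main__":
    print("tail check, full chain :", tail_anchored(FULL_CHAIN, TRUST_ANCHORS))
    print("tail check, short chain:", tail_anchored(SHORT_CHAIN, TRUST_ANCHORS))
    print("path build, full chain :", build_path(FULL_CHAIN, TRUST_ANCHORS))
```
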
Component: Networking → Security: PSM
QA Contact: networking → psm
Eddy: Can you take a look?
(In reply to Patrick Strateman from comment #0)
> I can set up a demonstration server if necessary.

If you can, that would be great, thanks.
Keywords: testcase-wanted
Hello Patrick, is this still an issue for you? If yes, can you please get back to the requested info in comment 2? Thanks!
Flags: needinfo?(patrick.strateman)
Resolved-Incomplete due to time since last communication/update by reporter. Please feel free to reopen if the error occurs in a current Firefox version.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → INCOMPLETE
Flags: needinfo?(patrick.strateman)