Closed Bug 769513 Opened 13 years ago Closed 10 years ago

certificate chain displayed via certificate viewer different from the one server sent

Categories

(Core :: Security: PSM, defect)

13 Branch
x86
Windows XP
defect
Not set
normal

RESOLVED DUPLICATE of bug 481656

People

(Reporter: raj.raman, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
Build ID: 20120614114901

Steps to reproduce:

I have Firefox 13.0.1. The client browser is connecting to an https server. I went to the https web site www.greater.com.au (CN). The following cert chain was being presented by the above server:

www.greater.com.au -> thawte Extended Validation SSL CA (CN) -> thawte Primary Root CA (CN) [an intermediate cert]

I then went to Firefox's certificate viewer to view the cert chain. Ex: https://www.greater.com.au

What the server (above) sent is:

www.greater.com.au (CN) -> thawte Extended Validation SSL CA (CN) -> thawte Primary Root CA (CN) [but this is an intermediate cert]

Note: IE 7 seems to have both these root certificates in the store.

Actual results:

What Firefox certificate viewer shows is:

www.greater.com.au (CN) -> thawte Extended Validation SSL CA (CN) -> thawte Primary Root CA (CN) (root CA)

Expected results:

The intermediate certificate in the original certificate chain does not have a corresponding root CA in Firefox's certificate store. As such, it should have popped an "untrusted issuer" warning. That did not happen because:

1). A different root CA with the same common name as the issuer in the intermediate cert existed in Firefox's cert store. So, it displayed that root CA. However, the Authority Key Identifier in the original intermediate cert is different from the Subject key ID in the displayed root CA.

The actual issuer of the original intermediate cert (thawte Primary Root CA) in the server sent cert chain is issued by "Thawte Premium Server CA". This root certificate needs to be added to the certificate store.

Note: Another root CA with the same common name exists, but there are two different root certificates issued by Thawte with the same common name (Serial number and Subject Key ID are different).
CA certificate inclusion bugs are only valid if they are coming from the CA itself. That means that it's only the question if the certificate chain should be assumed as broken or not.

note: http://www.mozilla.org/projects/security/certs/included/#Symantec%20/%20thawte

> Note that for compatibility reasons thawte has implemented a cross-signing scheme
> involving this CA. In this scheme, if applications not supporting EV functionality
> (e.g., Firefox 2 and earlier) encounter thawte EV certificates then they will end up
> treating this CA as a subordinate CA under the existing Thawte Premium Server CA root.
Component: Untriaged → Security: PSM
Product: Firefox → Core
QA Contact: untriaged → psm
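As an added illustration (not Firefox/NSS code and not from either commenter), here is a simplified model of the two ways a stored root can be linked to the server-sent intermediate: by common name only, or by matching the intermediate's Authority Key Identifier against the candidate's Subject Key Identifier. The certificate records and key identifiers are constructed; only the CA names come from the report.

```python
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    ski: str  # Subject Key Identifier (constructed hex, not a real extension value)
    aki: str  # Authority Key Identifier naming the issuing key (constructed)

def find_issuer(cert: Cert, candidates: List[Cert], by_key_id: bool) -> Optional[Cert]:
    """Pick the candidate that issued `cert`: by subject name alone, or name plus key id."""
    for cand in candidates:
        if cand.subject != cert.issuer:
            continue
        if by_key_id and cand.ski != cert.aki:
            continue  # same common name, different key: this is not the issuer
        return cand
    return None

def build_path(leaf: Cert, sent: List[Cert], store: List[Cert], by_key_id: bool) -> Optional[List[str]]:
    """Walk from the leaf towards a trust anchor; None means no anchor was reached."""
    path, current, seen = [leaf.subject], leaf, {leaf.subject}
    while True:
        anchor = find_issuer(current, store, by_key_id)
        if anchor is not None:
            return path + [anchor.subject + " (trust store)"]
        nxt = find_issuer(current, sent, by_key_id)
        if nxt is None or nxt.subject in seen:  # dead end, or a loop via a self-signed cert
            return None
        seen.add(nxt.subject)
        path.append(nxt.subject)
        current = nxt

# Constructed chain shaped like the one in the report; key ids are made up.
LEAF = Cert("www.greater.com.au", "thawte Extended Validation SSL CA", ski="c0ff", aki="b222")
EV_CA = Cert("thawte Extended Validation SSL CA", "thawte Primary Root CA", ski="b222", aki="dd44")
CROSS = Cert("thawte Primary Root CA", "Thawte Premium Server CA", ski="dd44", aki="ee55")
SENT = [LEAF, EV_CA, CROSS]
# Store A: the stored self-signed root carries the same key as the cross-signed copy.
STORE_SAME_KEY = [Cert("thawte Primary Root CA", "thawte Primary Root CA", ski="dd44", aki="dd44")]
# Store B: a root with the same common name but a different key.
STORE_OTHER_KEY = [Cert("thawte Primary Root CA", "thawte Primary Root CA", ski="9999", aki="9999")]

if __name__ == "__main__":
    print(build_path(LEAF, SENT, STORE_SAME_KEY, by_key_id=True))   # anchored on the stored root
    print(build_path(LEAF, SENT, STORE_OTHER_KEY, by_key_id=True))  # None: real issuer not in store
    print(build_path(LEAF, SENT, STORE_OTHER_KEY, by_key_id=False)) # name-only match accepts it
```

With store B, name-only linking reports the chain as anchored while key-id linking ends at "Thawte Premium Server CA" with no anchor, which is the distinction the report turns on.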
A new bug has been reported in https://bugzilla.mozilla.org/show_bug.cgi?id=933969. It is more up to date (FF 26), and I believe that it describes the real problem more exactly (Disclaimer: biased view, I'm the author of the new report).
Thanks for filing the bug. Looks like Bug 481656 already tracks this issue.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE