StartCom CA certificate with different hash is cached, preventing verification of subsequent startcom-signed certificates

RESOLVED WORKSFORME

Product: Core
Component: Security: PSM
Reporter: Dan Wallis
Assignee: Unassigned
Version: 15 Branch
Platform: x86, Linux
Attachments: 3

(Reporter)

Description

5 years ago
User Agent: Mozilla/5.0 (X11; Linux i686; rv:15.0) Gecko/20100101 Firefox/15.0 Iceweasel/15.0
Build ID: 20120829073406

Steps to reproduce:

1. Start Firefox
2. Browse to https://isig.org.nz/ -> Error: sec_error_untrusted_issuer
3. Browse to https://startssl.com/ -> Error: sec_error_untrusted_issuer
4. Restart Firefox
5. Browse to https://startssl.com/ -> Success
6. Browse to https://isig.org.nz/ -> Error: sec_error_untrusted_issuer


Actual results:

Failure at steps 2, 3, 6.


Expected results:

Success at all steps.

See also bug 784296, bug 479508, bug 602750, bug 751960.


From what I can tell, https://isig.org.nz/ serves a CA-certificate with sha256withRSA, and Firefox has a sha1withRSA in its store (with the same public key).
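
The comparison made in the description above (same CA public key, different signature algorithm), as an added example that is not part of the bug report or of Mozilla's code: a minimal DER walker that checks whether two certificates share a subject and SubjectPublicKeyInfo yet are distinct certificates. All function names are hypothetical, and the sample certificates are constructed stand-ins with placeholder key and signature bytes.

```python
import hashlib

SIG_ALGS = {"2a864886f70d010105": "sha1WithRSAEncryption",    # 1.2.840.113549.1.1.5
            "2a864886f70d01010b": "sha256WithRSAEncryption"}  # 1.2.840.113549.1.1.11

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def elements(buf, start, end):
    """Yield (tag, elem_start, value_start, value_end) for each element in [start, end)."""
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        yield tag, start, vs, ve
        start = ve

def summarize(cert):
    """Extract subject, SPKI hash and signature algorithm from a DER certificate."""
    _, vs, ve = read_tlv(cert, 0)
    tbs, sig_alg, _sig = elements(cert, vs, ve)
    fields = [f for f in elements(cert, tbs[2], tbs[3]) if f[0] != 0xA0]  # drop [0] version
    subject, spki = fields[4], fields[5]  # after serial, signature, issuer, validity
    oid = next(elements(cert, sig_alg[2], sig_alg[3]))
    return {"subject": cert[subject[1]:subject[3]],
            "spki_sha256": hashlib.sha256(cert[spki[1]:spki[3]]).hexdigest(),
            "sig_alg": SIG_ALGS.get(cert[oid[2]:oid[3]].hex(), "other")}

def same_key_different_cert(a, b):
    """True when two DER certs share subject and public key but are not the same cert."""
    x, y = summarize(a), summarize(b)
    return a != b and x["subject"] == y["subject"] and x["spki_sha256"] == y["spki_sha256"]

def der(tag, *parts):
    """Encode one DER element (content up to 255 bytes); used only to build the samples."""
    body = b"".join(parts)
    return bytes([tag]) + (bytes([len(body)]) if len(body) < 128 else bytes([0x81, len(body)])) + body

def sample_ca(sig_oid_hex):
    """Constructed stand-in for a root CA cert: real layout, placeholder key and signature."""
    alg = der(0x30, der(0x06, bytes.fromhex(sig_oid_hex)), der(0x05))
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03"), der(0x0C, b"Example CA"))))
    validity = der(0x30, der(0x17, b"120101000000Z"), der(0x17, b"220101000000Z"))
    rsa = der(0x30, der(0x06, bytes.fromhex("2a864886f70d010101")), der(0x05))
    spki = der(0x30, rsa, der(0x03, b"\x00" + b"\x01" * 8))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), alg, name, validity, name, spki)
    return der(0x30, tbs, alg, der(0x03, b"\x00" + b"\xAA" * 8))
```

Calling `same_key_different_cert(sample_ca("2a864886f70d010105"), sample_ca("2a864886f70d01010b"))` returns `True`; real inputs would be the DER bytes of the store copy and the server-sent copy of the CA certificate.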
(Reporter)

Comment 1

5 years ago
Created attachment 657916
StartCom CA certificate from Firefox store
(Reporter)

Comment 2

5 years ago
Created attachment 657917
Certificate chain from https://startssl.com/

openssl s_client </dev/null -CApath /etc/ssl/ -connect startssl.com:https -showcerts
(Reporter)

Comment 3

5 years ago
Created attachment 657918
Certificate chain from https://isig.org.nz/

openssl s_client </dev/null -CApath /etc/ssl/ -connect isig.org.nz:https -showcerts
Component: Untriaged → Security: PSM
Product: Firefox → Core

Comment 4

5 years ago
Visiting https://isig.org.nz/ works fine for me using FF 15.0.1. https://startssl.com/ now uses an EV cert signed by "StartCom Extended Validation Server CA" so I could not reproduce your case. https://isig.org.nz/ now serves a SHA1 certificate.

Is this still a problem for you?
(Reporter)

Comment 5

5 years ago
I no longer get the reported behaviour. I'm now able to browse to https://isig.org.nz/ without error. I'll close this bug, but please feel free to re-open if you think it merits further investigation.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 5 years ago
Resolution: --- → WORKSFORME