0.9/daily build does not have root CA certificates.



Core Graveyard
Security: UI
17 years ago
2 years ago


(Reporter: Sam Varshavchik, Assigned: blizzard)


1.0 Branch

Firefox Tracking Flags

(Not tracked)



(3 attachments)



17 years ago
Both 0.9 and latest daily build on Linux/i386/RH7-RPMs appear to have lost all
the root certificates.  Loading any https site results in mozilla complaining
that it doesn't recognize the root certificate authority, and psm's root ca
dialog is completely blank.

Additionally, the 'unknown root ca' dialog is too small, and about 60% of it is
cut off.  Resizing the dialog (Gnome/Gtk/Sawfish) fails to refresh the exposed
portion of the dialog.  Since the Ok/Cancel buttons are not being exposed,
there's no way to close the dialog, and it must be cancelled.

End result: effectively https is completely disabled.  No root certificates, no
way to get mozilla to accept an unvalidated certificate.

Comment 1

17 years ago
Created attachment 33486 [details]
PSM: all the root CAs are gone.

Comment 2

17 years ago
Created attachment 33488 [details]
https://sourceforge.net - unknown root CA dialog, then the dialog does not refresh when it is being resized, resulting in this visual garbage.

Comment 3

17 years ago
I should also mention that mozilla here is configured to go through a proxy for
both http and https.

See also bug 75615 and its dependecies
Assignee: mstoltz → ddrinan
Component: Security: General → Client Library
Ever confirmed: true
Product: Browser → PSM
QA Contact: ckritzer → junruh
Version: other → 2.0

Comment 5

17 years ago
I don't see a lack of CA's in the list. Try setting up a new profile.
type ./mozilla -ProfileManager or ./mozilla -help
Last Resolved: 17 years ago
Resolution: --- → WORKSFORME

Comment 6

17 years ago
Creating new profile makes no difference whatsoever.  Still must use 041017 in
order to use https.  Tried both with/without proxy, no difference.  

Comment 7

17 years ago
I am seing a very similar thing. I am using Mozilla 0.9 RH 6x RPMs on RedHat 6.2
+ all updates.

- For every new secure site I visit, I get the "Unknown CA" dialog.
- After I accept the certificate, the "closed lock" icon would say "Signed by
Verisign, Inc" or similar.
- If I remove cert7.db, it is created empty
- Clicking the "closed lock" icon or going to Tasks -> Privacy and Security ->
PSM does not do anything
- The "Security" tag of the "Page info" dialog is always blank.
Resolution: WORKSFORME → ---

Comment 8

17 years ago
Copying ~/.netscape/cert7.db created by N4 into the Mozilla profile directory
hides the problem. IMHO, this means that Mozilla 0.9 does not have a problem
with using the correct CA when they are present in cert7.db, but it is uncapable
of adding proper CAs itself.
Severity: normal → major
Keywords: 4xp

Comment 9

17 years ago
Mozilla doesn't add the default root CA certs explicitly into cert7.db (unlike
Netscape), it pulls them directly from PSM.  Running 2001041017 build (last
build I reliably used where SSL over a Socks5 proxy works): cert7.db is empty,
mozilla validates root certs correctly, using the default root CA list compiled
into PSM.  Looks like .9/dailies are not reading the default cert list from psm.
Copying the default root certs from NS4's cert7.db is a workaround.


17 years ago
Target Milestone: --- → 2.0

Comment 10

17 years ago
Is this related to bug #59161 ?

Comment 11

17 years ago
Verified problem still exists as if 2001052819.

Additionally, if the SSL certificate is manually accepted, "Certificate Details"
lists "Unknown Issuer" for the certificate authority.

Comment 12

17 years ago
Created attachment 36412 [details]
Security Details dialog in 2001052819 for https://sourceforge.net

Comment 13

17 years ago
BTW, if the "copy cert7.db from N4" workaround is used, the Security Details has
all the information.

Comment 14

17 years ago
-> p1
Priority: -- → P1

Comment 15

17 years ago
This is actually an RPM spec file bug.  I fixed this just this morning.  I'm
re-spinning builds now.
Assignee: ddrinan → blizzard

Comment 16

17 years ago
This is fixed starting with the 0.9.1-pre2 rpms and will be in the next daily rpm.
Last Resolved: 17 years ago17 years ago
Resolution: --- → FIXED

Comment 17

17 years ago
Verifying - with mozilla pre0.9.1-2_rh7 RPMs I now see "Builtin Roots Module" in
Device Manager and I no longer have "unknown root CA" problem.

Comment 18

17 years ago
*** Bug 81429 has been marked as a duplicate of this bug. ***


13 years ago
Component: Security: UI → Security: UI
Product: PSM → Core


10 years ago
Version: psm2.0 → 1.0 Branch
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.