Closed Bug 928719 Opened 6 years ago Closed 6 years ago

intel certificate authority not trusted

Categories

(Core :: Security, defect)

24 Branch
x86_64
Windows 7
defect
Not set

Tracking

()

RESOLVED WORKSFORME

People

(Reporter: olivier.vit, Unassigned)

References

()

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0 (Beta/Release)
Build ID: 20130910160258

Steps to reproduce:

Firefox warns with sec_error_unknown_issuer when going to https://communities.intel.com/thread/38676 while Google Chrome says the certificate is OK

Actually, test on http://www.digicert.com/help/ says the same as Firefox:
--------------
Certificate Name matches communities.intel.com

Subject	 communities.intel.com
Valid from 18/Nov/2011 to 02/Nov/2014
Issuer	Intel External Basic Issuing CA 3A
SSL Certificate is not trusted

The certificate is not signed by a trusted authority (checking against Mozilla's root store). If you bought the certificate from a trusted authority, you probably just need to install one or more Intermediate certificates. Contact your certificate provider for assistance doing this for your server platform.
--------------

But the HTTP header isn't so much reassuring :
--------------
DNS resolves 'communities.intel.com' to 208.111.155.237
HTTP Server Header: EdgePrismSSL
--------------

PrismSSL !?!


Actual results:

no access to this site that seems reliable


Expected results:

recognize the SSL issuing authority
I don't see this error but CSP placeholder is visible when browsing this webpage.

Can you test with a clean profile, please.
https://support.mozilla.org/en-US/kb/profile-manager-create-and-remove-firefox-profiles
Blocks: CSP
Component: Untriaged → Security
Flags: needinfo?(olivier.vit)
Product: Firefox → Core
(In reply to Loic from comment #1)
> I don't see this error but CSP placeholder is visible when browsing this
> webpage.
Sorry but I don't understand how you don't see this error nor what a CSP is 

I have tested with profilemanager and a temporary profile with FF24 release, same error, with SeaMonkey Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0 SeaMonkey/2.21 , same error, see attachment

I have tested with Aurora 26.0a2 (2013-10-20) and indeed the certificate is recognized: the error doesn't occur.
Flags: needinfo?(olivier.vit)
The certificate doesn't provide enough chain information for us to validate it, as far as I can tell.  Camilo?  Is this an error or is Firefox working as intended?

Also, this is not related to Content Security Policy (CSP).
No longer blocks: CSP
Flags: needinfo?(cviecco)
Firefox is working as intented, this is a server misconfiguration. The server is not supplying the the full list of certificate chains: (report at: https://www.ssllabs.com/ssltest/analyze.html?d=communities.intel.com  
and standard  http://tools.ietf.org/html/rfc5246#section-7.4.2 ) 

Chrome uses the windows certificate store in Windows and thus my assumption for the divergent behavior on windows is that someone installed the extra certificates in the machine of the reporter. I tested with Chrome on Linux (
30.0.1599.101) and had the same behavior as firefox (unstrusted issuer). I would say this is an invalid bug.
Flags: needinfo?(cviecco)
(In reply to Camilo Viecco (:cviecco) from comment #5)
> Firefox is working as intented, this is a server misconfiguration. The
> server is not supplying the the full list of certificate chains: (report at:
> https://www.ssllabs.com/ssltest/analyze.html?d=communities.intel.com  

The report says "Trusted" anyway 
> and standard  http://tools.ietf.org/html/rfc5246#section-7.4.2 ) 
> 
> Chrome uses the windows certificate store in Windows and thus my assumption
> for the divergent behavior on windows is that someone installed the extra
> certificates in the machine of the reporter. I tested with Chrome on Linux (
> 30.0.1599.101) and had the same behavior as firefox (unstrusted issuer). I
> would say this is an invalid bug.

What about Aurora saying it's valid ?
Chrome 31 on Linux connects to https://communities.intel.com/ without any problem.
And this appears to be because Chrome supports the Authority Information Access extension and Firefox doesn't.
I don't know what did change in the meantime but now it works in SeaMonkey / Firefox and even Aurora

test on http://www.digicert.com/help/ is now OK also
Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.