| Summary: | Missing CA: Symantec Class 3 Extended Validation SHA256 SSL CA | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | David Woodhouse <dwmw2> |
| Component: | ca-certificates | Assignee: | Kai Engert (:kaie) (inactive account) <kengert> |
| Status: | CLOSED NOTABUG | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
| Severity: | unspecified | Docs Contact: | |
| Priority: | unspecified | | |
| Version: | 23 | CC: | jorton, kengert, pwouters, tmraz |
| Target Milestone: | --- | | |
| Target Release: | --- | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2016-02-12 09:20:00 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
Description
David Woodhouse
2016-02-12 08:40:07 UTC
Interestingly, this new CA doesn't seem to be listed at https://www.symantec.com/page.jsp?id=roots or in the ZIP file downloadable there. But if it's a fake site, it's still fairly convincing... and besides, all it does (for me) is redirect to www.rfr.citiprepaid.com which *does* have a trusted cert.

```
Certificate:
    Data:
        Serial Number:
            09:b7:49:fd:7f:0b:49:16:ca:05:56:56:cf:f6:d9:82
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US"
        Validity:
            Not Before: Tue Apr 09 00:00:00 2013
            Not After : Sat Apr 08 23:59:59 2023
        Subject: "CN=Symantec Class 3 Extended Validation SHA256 SSL CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US"
    Fingerprint (SHA-256):
        1F:9B:31:F8:20:92:9E:BF:A0:31:17:EC:2B:77:BA:6B:0F:B6:EC:C9:E0:27:68:2A:55:93:78:DA:31:1C:54:EF
    Fingerprint (SHA1):
        CD:F4:28:A8:90:D3:74:8C:5D:28:ED:1F:4C:69:49:9A:3E:16:F1:33
```

Thanks.

(In reply to David Woodhouse from comment #0)
> Went to https://www.prepaid.citi.com/ this morning and Firefox wouldn't let
> me in, complaining of an invalid cert. The cert (below) seems reasonable;
> issued by a new "Symantec Class 3 Extended Validation SHA256 SSL CA" which
> isn't in our trust database.

Not a bug. That cert is an "intermediate CA", which the server is required to send in the TLS handshake. If it didn't, the server was configured incorrectly. We don't add intermediate CAs to the trust store.

Right now the server I tested appears to work correctly, but I'm guessing that site could use a load balancer and use multiple servers, and one of them might be configured incorrectly. Blame the company.

And it's unfortunate that the site apparently has requested to not be tested by ssllabs.com, see https://www.ssllabs.com/ssltest/analyze.html?d=www.prepaid.citi.com (which says "The owner of this site requested that we do not test it").

The IP address I get is 199.67.137.151, which is indeed sending only the leaf-node cert and nothing more. I had assumed that the issuer was a new SHA256 root. Please could you let me have the missing intermediate CA (or the IP address you got it from) so that I can chase this up with Citi? Thanks.

Right now I get the same IP and also see the missing chain.
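The chain-building logic behind the "Not a bug" reply (the server must send the intermediate; the client's trust store holds only roots), as an added example that is not part of the bug report. Certificates are reduced to their subject and issuer names, taken from the certificate dump in the report; the leaf's subject (`CN=www.prepaid.citi.com`) and the trust-store contents are constructed for illustration.

```python
from typing import List, NamedTuple, Optional, Set, Tuple


class CertName(NamedTuple):
    subject: str
    issuer: str


# Names exactly as shown in the certificate dump in the report.
INTERMEDIATE = CertName(
    subject="CN=Symantec Class 3 Extended Validation SHA256 SSL CA,"
            "OU=Symantec Trust Network,O=Symantec Corporation,C=US",
    issuer='CN=VeriSign Universal Root Certification Authority,'
           'OU="(c) 2008 VeriSign, Inc. - For authorized use only",'
           'OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US',
)
# The leaf's subject is constructed; only its issuer is known from the report.
LEAF = CertName(subject="CN=www.prepaid.citi.com", issuer=INTERMEDIATE.subject)
# Constructed trust store: roots only. As the reply says, intermediates are
# not added, so a server that omits one cannot be rescued by the client.
TRUSTED_ROOTS: Set[str] = {INTERMEDIATE.issuer}


def build_chain(sent: List[CertName], roots: Set[str]) -> Tuple[bool, List[str], Optional[str]]:
    """Follow issuer -> subject links through what the server sent.

    Returns (complete, subjects_visited, missing_issuer). The walk starts at
    sent[0] (the leaf) and succeeds when an issuer is a trust anchor. If an
    issuer is neither trusted nor among the sent certificates, that name is
    the missing intermediate; a self-signed or cyclic chain also fails.
    """
    by_subject = {c.subject: c for c in sent}
    path: List[str] = []
    seen: Set[str] = set()
    cur = sent[0]
    while cur.subject not in seen:
        seen.add(cur.subject)
        path.append(cur.subject)
        if cur.issuer in roots:
            return True, path, None
        nxt = by_subject.get(cur.issuer)
        if nxt is None:
            return False, path, cur.issuer
        cur = nxt
    return False, path, cur.issuer  # looped without reaching a trust anchor


if __name__ == "__main__":
    # What the reporter saw from 199.67.137.151: leaf only, chain incomplete.
    print(build_chain([LEAF], TRUSTED_ROOTS))
    # A correctly configured server sends the intermediate as well.
    print(build_chain([LEAF, INTERMEDIATE], TRUSTED_ROOTS))
```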