Bug 158065
| Summary: | Lack of Unizeto certificates | | |
|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Marcin Zajaczkowski <mszpak> |
| Component: | thunderbird | Assignee: | Christopher Aillon <caillon> |
| Status: | CLOSED NOTABUG | CC: | kengert, mattdm, mcepl |
| Severity: | low | Priority: | medium |
| Version: | 6 | Hardware: | i386 |
| OS: | Linux | Doc Type: | Bug Fix |
| Last Closed: | 2007-01-05 21:56:39 UTC | | |

Description
Marcin Zajaczkowski
2005-05-18 10:45:05 UTC
Fedora Core 3 is now maintained by the Fedora Legacy project for security updates only. If this problem is a security issue, please reopen and reassign to the Fedora Legacy product. If it is not a security issue and hasn't been resolved in the current FC5 updates or in the FC6 test release, reopen and change the version to match. Thank you!

Still true on Epiphany from Fedora Core 6 (running on RHEL5b2). However, there may be some confusion -- the official list of CAs supported by Mozilla (http://hecker.org/mozilla/ca-certificate-list) shows that the CA is called Unizeto CERTUM CA (and despite the Italian-sounding name, it is a Polish company), and it is supposed to have one root cert (which we apparently have), and three sub-certs, which are verified because of the root cert. Reporter, could you please indicate a server which is not verified by the CURRENT Firefox? This is something that probably belongs to the NSS component anyway....

I believe this bug is invalid. Marcin, it is not necessary that Thunderbird ships the additional subordinate / intermediate certificates. A server that uses a certificate from one of the subordinate CAs should be configured to send out the intermediate cert required to chain up to the root, in addition to the server cert. This is common practice. Another good example is Verisign, which also uses an intermediate CA to issue server certs, which is not shipped with Thunderbird either.

You can verify this is correct: Go to the page listed in comment 2, find the CERTUM ca row, and click on any of the "CERTUM Level" links. BUT DO NOT CLICK OK. Click on the "view certificate" button. You'll get a window that displays the verification status on the top. It will say that the cert can be verified. (You should cancel both dialogs after you have looked at the information.)

I believe there is no bug, and I'm proposing to resolve it as INVALID. If you can show us a sample server that does not verify as expected, despite the server sending out the intermediate certs, please let us know.

I reported this issue 1,5 years ago, because the mail server of my university had stopped working with SSL out-of-box. This issue still occurs with "oceanic.wsisiz.edu.pl" (ssl, port 995). I checked it on a new profile in thunderbird 1.5.0.7 (fc5). If it's needed I can try with 1.5.0.9 on fc6 (on another computer tomorrow). If you, Kai, think that it should work, maybe there is something with that certificate?

Marcin, when I connect to that server, the server sends me a single certificate. The certificate was issued by

Issuer: C=PL, O=Unizeto Sp. z o.o., CN=Certum Level III

You should get the Level III certificate, and add it to the configuration of that server. I do not know how you would configure that server. Please see the documentation of the server software. Look for instructions on how to configure / add an intermediate cert. As soon as that server sends out both certificates on a connection, Thunderbird will automatically trust the server.

Based on the test environment I'm resolving this as NOTABUG.

If you claim this is a problem with configuration of a server and in normal case Certum CA certificate is enough then OK. Thanks for pointing a real problem out. I'll try to manage something with sending certs.
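
The situation diagnosed in this thread, reproduced offline as an added example (not part of the bug report or of any project's code): a client that trusts only a root CA verifies a server certificate issued by an intermediate CA, first with the server certificate alone and then with the intermediate supplied alongside it. The CA and host names, the file names and the functions `make_pki`, `verify_leaf_only` and `verify_with_chain` are constructed for the illustration; it assumes the `openssl` command-line tool is installed.

```bash
#!/usr/bin/env bash
# Added example with a constructed PKI (all names are made up):
# root CA -> intermediate CA -> server certificate.

make_pki() {  # $1 = empty working directory
  (
    cd "$1" &&
    # Minimal config so the run does not depend on the system openssl.cnf.
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' \
      '[dn]' '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > pki.cnf &&
    # Self-signed root: the only certificate in the client's trust store.
    openssl req -x509 -config pki.cnf -newkey rsa:2048 -nodes -days 2 \
      -subj '/O=Example/CN=Example Root CA' -keyout root.key -out root.pem &&
    # Intermediate CA signed by the root (the role "Certum Level III" plays above).
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
      -subj '/O=Example/CN=Example Level III' -keyout inter.key -out inter.csr &&
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 2 -extfile pki.cnf -extensions v3_ca -out inter.pem &&
    # Server certificate signed by the intermediate, not by the root.
    openssl req -new -config pki.cnf -newkey rsa:2048 -nodes \
      -subj '/O=Example/CN=mail.example.test' -keyout srv.key -out srv.csr &&
    openssl x509 -req -in srv.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
      -days 2 -out srv.pem
  ) >/dev/null 2>&1
}

# Server sends only its own certificate: the client has no way to reach the root.
verify_leaf_only() {
  openssl verify -CAfile "$1/root.pem" "$1/srv.pem" 2>/dev/null | grep -q ': OK$'
}

# Server also sends the intermediate: it is used as untrusted chain material,
# and the path server -> intermediate -> trusted root can be built.
verify_with_chain() {
  openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/srv.pem" \
    2>/dev/null | grep -q ': OK$'
}

d=$(mktemp -d) && make_pki "$d" || { echo "openssl setup failed" >&2; exit 1; }
verify_leaf_only "$d"  && echo "leaf only: verified" \
                       || echo "leaf only: issuer not found"
verify_with_chain "$d" && echo "leaf + intermediate: verified" \
                       || echo "leaf + intermediate: failed"
```

The intermediate is passed with `-untrusted` because the client does not need to trust it in advance: it is only accepted as a link in the chain once its signature checks out against the trusted root.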