Bug 158065

Summary: Lack of Unizeto certificates
Product: [Fedora] Fedora
Reporter: Marcin Zajaczkowski <mszpak>
Component: thunderbird
Assignee: Christopher Aillon <caillon>
Status: CLOSED NOTABUG
Severity: low
Priority: medium
Version: 6
CC: kengert, mattdm, mcepl
Hardware: i386
OS: Linux
Doc Type: Bug Fix
Last Closed: 2007-01-05 21:56:39 UTC

Description Marcin Zajaczkowski 2005-05-18 10:45:05 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050513 Fedora/1.0.4-1.3.1 Firefox/1.0.4

Description of problem:
Unable to verify certs made by Unizeto. In the Windows version (and earlier for Fedora) there are several Unizeto certs. In this version there is only one - Centrum CA.
Probably not only Unizeto certs are missing.

Version-Release number of selected component (if applicable):
thunderbird-1.0.2-1.3.3

How reproducible:
Always

Steps to Reproduce:
1. Edit->Preferences->Advanced->Manage Certificates->Authorities
2. Find Unizeto Sp. z o.o.


Actual Results:  There is only one cert.

Expected Results:  Should be more.

Additional info:

I can provide a sample server with that certificate, which displays info that it's not verified (after upgrading to this version).

Comment 1 Matthew Miller 2006-07-10 23:29:00 UTC
Fedora Core 3 is now maintained by the Fedora Legacy project for security
updates only. If this problem is a security issue, please reopen and
reassign to the Fedora Legacy product. If it is not a security issue and
hasn't been resolved in the current FC5 updates or in the FC6 test
release, reopen and change the version to match.

Thank you!


Comment 2 Matěj Cepl 2007-01-05 14:52:42 UTC
Still true on Epiphany from Fedora Core 6 (running on RHEL5b2). However, there
may be some confusion -- official list of CAs supported by Mozilla
(http://hecker.org/mozilla/ca-certificate-list) shows that the CA is called
Unizeto CERTUM CA (and despite the Italian-sounding name, it is a Polish
company), and it is supposed to have one root cert (which we apparently have),
and three sub-certs, which are verified because of the root cert.

Reporter, could you please indicate a server, which is not verified by the
CURRENT Firefox?

Comment 3 Christopher Aillon 2007-01-05 20:43:15 UTC
This is something that probably belongs to the NSS component anyway....

Comment 4 Kai Engert (:kaie) (inactive account) 2007-01-05 20:56:24 UTC
I believe this bug is invalid.

Marcin, it is not necessary that Thunderbird ships the additional subordinate /
intermediate certificates.

A server that uses a certificate from one of the subordinate CAs should be
configured to send out the intermediate cert required to chain up to the root,
in addition to the server cert. This is common practice. Another good example is
Verisign, which also uses an intermediate CA to issue server certs, which is not
shipped with Thunderbird either.

You can verify this is correct: Go to the page listed in comment 2, find the
CERTUM ca row, and click on any of the "CERTUM Level" links. BUT DO NOT CLICK
OK. Click on the "view certificate" button. You'll get a window, that displays
the verification status on the top. It will say that the cert can be verified.
(You should cancel both dialogs after you looked at the information).

I believe there is no bug, and I'm proposing to resolve it as INVALID.

If you can show us a sample server that does not verify as expected, despite the
server sending out the intermediate certs, please let us know.


Comment 5 Marcin Zajaczkowski 2007-01-05 21:46:43 UTC
I reported this issue 1,5 years ago, because the mail server of my university had
stopped working with SSL out-of-box.
This issue still occurs with "oceanic.wsisiz.edu.pl" (ssl, port 995). I checked
it on a new profile in thunderbird 1.5.0.7 (fc5). If it's needed I can try with
1.5.0.9 on fc6 (on another computer tomorrow).

If you, Kai, think that it should work, maybe there is something with that
certificate?


Comment 6 Kai Engert (:kaie) (inactive account) 2007-01-05 21:56:39 UTC
Marcin, when I connect to that server, the server sends me a single certificate.

The certificate was issued by
        Issuer: C=PL, O=Unizeto Sp. z o.o., CN=Certum Level III

You should get the Level III certificate, and add it to the configuration of
that server.

I do not know how you would configure that server. Please see the documentation
of the server software. Look for instructions on how to configure / add an
intermediate cert.

As soon as that server sends out both certificates on a connection, Thunderbird
will automatically trust the server.

Based on the test environment I'm resolving this as NOTABUG.
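
The behaviour described in comments 4 and 6, reproduced offline as an added example (not part of the bug thread): a client that trusts only a root rejects a server certificate issued by an intermediate CA unless the intermediate is supplied alongside it. The CA names, host name and file names are constructed, and the script assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Constructed three-level PKI; every name and file here is made up for the demo.
make_chain() {  # $1 = empty working directory
    cat > "$1/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
CN = placeholder-overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Root CA: the only certificate the client ships in its trust store.
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$1/ca.cnf" \
        -extensions v3_ca -subj "/CN=Constructed Root CA" \
        -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null || return 1
    # Intermediate CA, signed by the root; the client does not ship it.
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=Constructed Intermediate CA" \
        -keyout "$1/int.key" -out "$1/int.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/int.csr" -CA "$1/root.pem" -CAkey "$1/root.key" \
        -set_serial 2 -days 2 -extfile "$1/ca.cnf" -extensions v3_ca \
        -out "$1/int.pem" 2>/dev/null || return 1
    # Server certificate, signed by the intermediate.
    openssl req -new -newkey rsa:2048 -nodes -config "$1/ca.cnf" \
        -subj "/CN=mail.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/int.pem" -CAkey "$1/int.key" \
        -set_serial 3 -days 2 -out "$1/leaf.pem" 2>/dev/null || return 1
    # What a correctly configured server presents: its own cert, then the intermediate.
    cat "$1/leaf.pem" "$1/int.pem" > "$1/fullchain.pem"
}

# Client view when the server sends only its own certificate.
verify_leaf_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>&1 | grep -q ': OK$'
}

# Client view when the server also sends the intermediate (-untrusted = supplied by the peer).
verify_with_intermediate() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" 2>&1 | grep -q ': OK$'
}

demo=$(mktemp -d) && make_chain "$demo" || exit 1
verify_leaf_only "$demo" && echo "leaf only: verified" || echo "leaf only: NOT verified"
verify_with_intermediate "$demo" && echo "leaf + intermediate: verified" || echo "leaf + intermediate: NOT verified"
rm -rf "$demo"
```

To see which certificates a server you administer actually sends, `openssl s_client -connect HOST:PORT -showcerts` prints each one; a single certificate whose issuer is an intermediate CA is the misconfiguration diagnosed in comment 6.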


Comment 7 Marcin Zajaczkowski 2007-01-05 22:08:59 UTC
If you claim this is a problem with the configuration of a server and in the normal case
Centrum CA certificate is enough then OK.

Thanks for pointing a real problem out. I'll try to manage something with sending
certs.