Bug 732144

Summary: Firefox 64bit accepts Comodo cert without intermediate certs
Product: [Fedora] Fedora
Reporter: Jeff Moe (jebba) <moe>
Component: firefox
Assignee: Kai Engert (:kaie) <kengert>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 15
CC: cesarb, gecko-bugs-nobody
Keywords: Triaged
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2011-12-29 13:37:42 EST
Attachments (description, flags):
This Connection is Untrusted (flags: none)
sec_error_unknown_issuer (flags: none)
Certificate is not trusted.... (flags: none)
Could not verify this certificate... (flags: none)
They're High, Assurance Secure Server (flags: none)
directNIC pro (flags: none)

Description Jeff Moe (jebba) 2011-08-19 19:16:59 EDT
Created attachment 519120
This Connection is Untrusted

Description of problem:
With great hesitation I file this (as I may be reading the situation incorrectly), but here goes:

I have a Debian Squeeze server running Apache. It comes with a number of certs installed in /etc/ssl. I got a Comodo certificate from directNIC, installed it on the server, and was able to access my https site fine on x86_64 Fedora 15 with Firefox 5 and Firefox 6. I did not install any of the intermediate certs since my first test worked, so I presumed the intermediate certs were already there by default.

Weeks later I went to another Fedora machine and it was giving "This connection is untrusted" when I hit the same site. Quite baffled, I tried it on all the machines we have here. All of the i686 boxes gave the warning, none of the x86_64 gave the warning. More specifically, the error was "sec_error_unknown_issuer". I'll attach screenshots.

Version-Release number of selected component (if applicable):
firefox-6.0-1.fc15.x86_64
ca-certificates-2011.70-2.fc15.noarch

firefox-6.0-1.fc15.i686
ca-certificates-2011.70-2.fc15.noarch

firefox-5.0-2.fc15.i686
ca-certificates-2011.70-2.fc15.noarch


How reproducible:
Well...Here's one way...


Steps to Reproduce:
1. Install Debian Squeeze. ;)

2. Get a Comodo "Instant SSL Pro" certificate from directNIC.com or whomever.

3. Install the new cert for the domain in /etc/ssl/keys or wherever and set up apache to point at it. Don't install the ca-bundle.crt (with intermediate certs) that comes with the new certificate.
  

Actual results:
Works fine on x86_64, gives warning on i686.


Expected results:
It should give a "sec_error_unknown_issuer" warning on x86_64. 


Additional info:
Yikes. Comodo has been known to have problems, so this is double ungood, if I'm reading the screen correctly... Let's hope not. ;)

Comment 1 Jeff Moe (jebba) 2011-08-19 19:18:27 EDT
Created attachment 519121
sec_error_unknown_issuer

Comment 2 Jeff Moe (jebba) 2011-08-19 19:19:10 EDT
Created attachment 519122
Certificate is not trusted....

Comment 3 Jeff Moe (jebba) 2011-08-19 19:19:33 EDT
Created attachment 519123
Could not verify this certificate...

Comment 4 Jeff Moe (jebba) 2011-08-19 19:20:17 EDT
Created attachment 519124
They're High, Assurance Secure Server

Comment 5 Jeff Moe (jebba) 2011-08-19 19:20:42 EDT
Created attachment 519125
directNIC pro

Comment 6 Cesar Eduardo Barros 2011-08-30 20:20:56 EDT
Did you try with a fresh profile? Firefox caches intermediate certificates.

Comment 7 Jeff Moe (jebba) 2011-12-29 13:37:42 EST
Sorry, unable to test this. I will close this out. I thought perhaps it would set off some bells of someone who knows more, but seeing as it didn't, hopefully it is innocuous.
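
The situation discussed in this thread, reproduced offline as an added example (not part of the original report or of Firefox): a server certificate presented without its intermediate fails for a client that holds only the root, and verifies once the intermediate is available, as it would be from a client-side cache or from the server's CA bundle. All keys, names and certificates are constructed, and the `openssl` command-line tool is assumed to be installed.

```shell
# Constructed demo: all keys, names and certificates are generated locally.
# build_chain DIR: create root -> intermediate -> leaf (server) certs in DIR.
build_chain() {
    d=$1
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    # Self-signed root: the only certificate in the client's trust store.
    openssl req -x509 -config "$d/ca.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -keyout "$d/root.key" -out "$d/root.pem" \
        -subj "/CN=Constructed Root" -days 2 2>/dev/null || return 1
    # Intermediate CA, signed by the root.
    openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/inter.key" -out "$d/inter.csr" \
        -subj "/CN=Constructed Intermediate" 2>/dev/null || return 1
    openssl x509 -req -in "$d/inter.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.cnf" -extensions v3_ca -days 2 \
        -out "$d/inter.pem" 2>/dev/null || return 1
    # Server certificate, signed by the intermediate.
    openssl req -config "$d/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" \
        -subj "/CN=www.example.test" 2>/dev/null || return 1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/inter.pem" -CAkey "$d/inter.key" \
        -CAcreateserial -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Client that holds only the root and receives only the leaf from the server.
verify_fresh() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" 2>/dev/null | grep -q ': OK$'
}

# Same client once the intermediate is available, whether from a local cache
# or because the server sends its CA bundle along with the leaf.
verify_cached() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" \
        "$1/leaf.pem" 2>/dev/null | grep -q ': OK$'
}

demo() {
    tmp=$(mktemp -d) && build_chain "$tmp" || return 1
    if verify_fresh "$tmp"; then echo "leaf only: trusted"; else echo "leaf only: unknown issuer"; fi
    if verify_cached "$tmp"; then echo "leaf + intermediate: trusted"; else echo "leaf + intermediate: unknown issuer"; fi
    rm -rf "$tmp"
}
demo
```

Two clients with the same root store can therefore disagree about the same site, which is why a server-side check should verify the chain as served rather than rely on one browser's result.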