Google notified Mozilla that an intermediate certificate, which chains up to a root included in Mozilla's root store, was loaded into a man-in-the-middle (MITM) traffic management device. This certificate was issued by Agence nationale de la sécurité des systèmes d'information (ANSSI), an agency of the French government and a certificate authority in Mozilla's root program. A subordinate certificate authority of ANSSI mis-issued an intermediate certificate that they installed on a network monitoring device, which enabled the device to act as a MITM proxy performing traffic management of domain names or IP addresses that the certificate holder did not own or control. The issue was not specific to Firefox but there was evidence that one of the certificates was used for MITM traffic management of domain names that the customer did not legitimately own or control. This issue was resolved by revoking trust in the intermediate used by the sub-CA to issue the certificate for the MITM device. External Reference: http://www.mozilla.org/security/announce/2013/mfsa2013-117.html Acknowledgements: Red Hat would like to thank the Mozilla project for reporting this issue.
Other References: http://www.ssi.gouv.fr/en/the-anssi/events/revocation-of-an-igc-a-branch-808.html http://googleonlinesecurity.blogspot.in/2013/12/further-improving-digital-certificate.html
Created ca-certificates tracking bugs for this issue: Affects: fedora-all [bug 1040283]
Created nss tracking bugs for this issue: Affects: fedora-all [bug 1040282]
This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2013:1861 https://rhn.redhat.com/errata/RHSA-2013-1861.html
This issue has been addressed in following products: Red Hat Enterprise Linux 6 Via RHSA-2013:1866 https://rhn.redhat.com/errata/RHSA-2013-1866.html
ca-certificates-2013.1.95-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
nss-3.15.3.1-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
ca-certificates-2013.1.95-1.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
ca-certificates-2013.1.95-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
nss-3.15.3.1-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
nss-3.15.3.1-1.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.