Bug 1306929 - Missing CA: Symantec Class 3 Extended Validation SHA256 SSL CA
Summary: Missing CA: Symantec Class 3 Extended Validation SHA256 SSL CA
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: ca-certificates
Version: 23
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Kai Engert (:kaie) (inactive account)
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-02-12 08:40 UTC by David Woodhouse
Modified: 2016-02-12 10:34 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-02-12 09:20:00 UTC
Type: Bug
Embargoed:



Description David Woodhouse 2016-02-12 08:40:07 UTC
Went to https://www.prepaid.citi.com/ this morning and Firefox wouldn't let me in, complaining of an invalid cert. The cert (below) seems reasonable; issued by a new "Symantec Class 3 Extended Validation SHA256 SSL CA" which isn't in our trust database.

-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
subject=/jurisdictionC=US/jurisdictionST=Delaware/businessCategory=Private Organization/serialNumber=2154254/C=US/postalCode=10043/ST=New York/L=New York/street=399 Park Avenue/O=Citigroup Inc./OU=Citi Prepaid Services/CN=www.prepaid.citi.com
issuer=/C=US/O=Symantec Corporation/OU=Symantec Trust Network/CN=Symantec Class 3 Extended Validation SHA256 SSL CA

Comment 1 David Woodhouse 2016-02-12 08:51:23 UTC
Interestingly, this new CA doesn't seem to be listed at
https://www.symantec.com/page.jsp?id=roots or in the ZIP file downloadable there.

But if it's a fake site, it's still fairly convincing... and besides, all it does (for me) is redirect to www.rfr.citiprepaid.com which *does* have a trusted cert.

Comment 2 Kai Engert (:kaie) (inactive account) 2016-02-12 09:20:00 UTC
(In reply to David Woodhouse from comment #0)
> Went to https://www.prepaid.citi.com/ this morning and Firefox wouldn't let
> me in, complaining of an invalid cert. The cert (below) seems reasonable;
> issued by a new "Symantec Class 3 Extended Validation SHA256 SSL CA" which
> isn't in our trust database.

Not a bug.

That cert is an "intermediate CA", which the server is required to send in the TLS handshake. If it didn't, the server was configured incorrectly.

We don't add intermediate CAs to the trust store.

Right now the server I tested appears to work correctly, but I'm guessing that site could use a load balancer and use multiple servers, and one of them might be configured incorrectly.

Blame the company. And it's unfortunate that the site apparently has requested to not be tested by ssllabs.com, see https://www.ssllabs.com/ssltest/analyze.html?d=www.prepaid.citi.com (which says "The owner of this site requested that we do not test it").


Certificate:
    Data:
        Serial Number: 09:b7:49:fd:7f:0b:49:16:ca:05:56:56:cf:f6:d9:82
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=VeriSign Universal Root Certification Authority,OU="(c) 2008 VeriSign, Inc. - For authorized use only",OU=VeriSign Trust Network,O="VeriSign, Inc.",C=US"
        Validity:
            Not Before: Tue Apr 09 00:00:00 2013
            Not After : Sat Apr 08 23:59:59 2023
        Subject: "CN=Symantec Class 3 Extended Validation SHA256 SSL CA,OU=Symantec Trust Network,O=Symantec Corporation,C=US"
    Fingerprint (SHA-256): 1F:9B:31:F8:20:92:9E:BF:A0:31:17:EC:2B:77:BA:6B:0F:B6:EC:C9:E0:27:68:2A:55:93:78:DA:31:1C:54:EF
    Fingerprint (SHA1): CD:F4:28:A8:90:D3:74:8C:5D:28:ED:1F:4C:69:49:9A:3E:16:F1:33

Comment 3 David Woodhouse 2016-02-12 10:27:22 UTC
Thanks. The IP address I get is 199.67.137.151, which is indeed sending only the leaf-node cert and nothing more. I had assumed that the issuer was a new SHA256 root. Please could you let me have the missing intermediate CA (or the IP address you got it from) so that I can chase this up with Citi? Thanks.

Comment 4 Kai Engert (:kaie) (inactive account) 2016-02-12 10:34:20 UTC
Right now I get the same IP and also see the missing chain.

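The failure discussed in comments 2 through 4 (the server sends only the leaf certificate, so the client cannot link it to a root it trusts) is easy to detect on the client side without trusting anything new. The script below is an added example, not code from the bug report or from Fedora's ca-certificates package. It works offline on the text that `openssl s_client -connect HOST:443 -showcerts` prints, reading only the `s:` (subject) and `i:` (issuer) lines under "Certificate chain", and walks the presented chain by name toward a trust anchor. The transcripts and the trust-anchor list are constructed to mirror the report; a real check would load anchor names from the system bundle, and matching is by distinguished name only, so names must use the same notation as the transcript.

```python
"""Detect a missing intermediate CA in the chain a TLS server presents.

Added example (not from the bug report). Parses the "s:"/"i:" lines of
`openssl s_client -showcerts` output and walks issuer -> subject links until
a trust anchor is reached or a link is missing. Sample data is constructed.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

# A chain entry looks like " 0 s:<subject>" followed by "   i:<issuer>".
_ENTRY = re.compile(r"^\s*(?:\d+\s+)?([si]):(.*)$")


def _norm(name: str) -> str:
    """Collapse whitespace so names compare equal across spacing differences."""
    return " ".join(name.split())


def parse_showcerts(transcript: str) -> List[Tuple[str, str]]:
    """Return (subject, issuer) pairs in the order the server presented them."""
    chain: List[Tuple[str, str]] = []
    pending_subject: Optional[str] = None
    for line in transcript.splitlines():
        m = _ENTRY.match(line)
        if not m:
            continue  # verify lines, PEM bodies and other output are skipped
        kind, name = m.group(1), _norm(m.group(2))
        if kind == "s":
            pending_subject = name
        elif pending_subject is not None:
            chain.append((pending_subject, name))
            pending_subject = None
    return chain


def chain_gap(chain: List[Tuple[str, str]], trusted_subjects: Iterable[str]) -> Optional[str]:
    """Walk from the leaf toward a trust anchor by issuer/subject name.

    Returns None when the presented chain reaches a subject in the trust store.
    Otherwise returns the first issuer name that the server did not present and
    that is not a trust anchor: the certificate missing from the chain (in the
    report, the Symantec intermediate) or an unknown root. Name matching only;
    signature verification is left to the TLS library.
    """
    if not chain:
        raise ValueError("server presented no certificates")
    trusted = {_norm(t) for t in trusted_subjects}
    by_subject: Dict[str, str] = {s: i for s, i in chain}
    subject, issuer = chain[0]
    visited = set()
    while True:
        if subject in trusted or issuer in trusted:
            return None
        if issuer in by_subject and issuer not in visited:
            visited.add(issuer)  # guards against self-signed loops
            subject, issuer = issuer, by_subject[issuer]
            continue
        return issuer


# Constructed trust-anchor list in the "/X=Y" notation openssl prints.
TRUSTED_ROOTS = [
    "/C=US/O=VeriSign, Inc./OU=VeriSign Trust Network"
    "/OU=(c) 2008 VeriSign, Inc. - For authorized use only"
    "/CN=VeriSign Universal Root Certification Authority",
]
LEAF = "/C=US/O=Citigroup Inc./OU=Citi Prepaid Services/CN=www.prepaid.citi.com"
INTERMEDIATE = ("/C=US/O=Symantec Corporation/OU=Symantec Trust Network"
                "/CN=Symantec Class 3 Extended Validation SHA256 SSL CA")

# Constructed transcript: the server sends only the leaf, as in the report.
LEAF_ONLY = f"""CONNECTED(00000003)
depth=0 CN = www.prepaid.citi.com
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:{LEAF}
   i:{INTERMEDIATE}
-----BEGIN CERTIFICATE-----
(PEM body omitted in this constructed sample)
-----END CERTIFICATE-----
---
"""

# Constructed transcript: a correctly configured server also sends the intermediate.
FULL_CHAIN = f"""Certificate chain
 0 s:{LEAF}
   i:{INTERMEDIATE}
 1 s:{INTERMEDIATE}
   i:{TRUSTED_ROOTS[0]}
---
"""


def describe(transcript: str) -> str:
    """Human-readable verdict for one s_client transcript."""
    gap = chain_gap(parse_showcerts(transcript), TRUSTED_ROOTS)
    if gap is None:
        return "chain complete: reaches a trusted root"
    return f"chain incomplete: server did not send a certificate for issuer {gap}"


if __name__ == "__main__":
    print(describe(LEAF_ONLY))
    print(describe(FULL_CHAIN))
```

Run it against a saved transcript of a real handshake to see which issuer the server left out; that name is what to hand to the site operator, since the fix belongs in the server's certificate bundle, not in the client's trust store.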