Bug 732144 - Firefox 64bit accepts Comodo cert without intermediate certs
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: firefox
Version: 15
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Kai Engert (:kaie) (inactive account)
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2011-08-19 23:16 UTC by Jeff Moe (jebba)
Modified: 2011-12-29 18:37 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2011-12-29 18:37:42 UTC
Type: ---
Embargoed:


Attachments
This Connection is Untrusted (55.02 KB, image/png)
2011-08-19 23:16 UTC, Jeff Moe (jebba)
sec_error_unknown_issuer (64.02 KB, image/png)
2011-08-19 23:18 UTC, Jeff Moe (jebba)
Certificate is not trusted.... (38.34 KB, image/png)
2011-08-19 23:19 UTC, Jeff Moe (jebba)
Could not verify this certificate... (49.43 KB, image/png)
2011-08-19 23:19 UTC, Jeff Moe (jebba)
They're High, Assurance Secure Server (41.36 KB, image/png)
2011-08-19 23:20 UTC, Jeff Moe (jebba)
directNIC pro (49.76 KB, image/png)
2011-08-19 23:20 UTC, Jeff Moe (jebba)

Description Jeff Moe (jebba) 2011-08-19 23:16:59 UTC
Created attachment 519120
This Connection is Untrusted

Description of problem:
With great hesitation I file this (as I may be reading the situation incorrectly), but here goes:

I have a Debian Squeeze server running Apache. It comes with a number of certs installed in /etc/ssl. I got a Comodo certificate from directNIC, installed it on the server, and was able to access my https site fine on x86_64 Fedora 15 with Firefox 5 and Firefox 6. I did not install any of the intermediate certs since my first test worked, so I presumed the intermediate certs were already there by default.

Weeks later I went to another Fedora machine and it was giving "This connection is untrusted" when I hit the same site. Quite baffled, I tried it on all the machines we have here. All of the i686 boxes gave the warning, none of the x86_64 gave the warning. More specifically, the error was "sec_error_unknown_issuer". I'll attach screenshots.

Version-Release number of selected component (if applicable):
firefox-6.0-1.fc15.x86_64
ca-certificates-2011.70-2.fc15.noarch

firefox-6.0-1.fc15.i686
ca-certificates-2011.70-2.fc15.noarch

firefox-5.0-2.fc15.i686
ca-certificates-2011.70-2.fc15.noarch


How reproducible:
Well...Here's one way...


Steps to Reproduce:
1. Install Debian Squeeze. ;)

2. Get a Comodo "Instant SSL Pro" certificate from directNIC.com or whomever.

3. Install the new cert for the domain in /etc/ssl/keys or wherever and set up Apache to point at it. Don't install the ca-bundle.crt (with intermediate certs) that comes with the new certificate.
  

Actual results:
Works fine on x86_64, gives warning on i686.


Expected results:
It should give a "sec_error_unknown_issuer" warning on x86_64. 


Additional info:
Yikes. Comodo has been known to have problems, so this is double ungood, if I'm reading the screen correctly... Let's hope not. ;)

Comment 1 Jeff Moe (jebba) 2011-08-19 23:18:27 UTC
Created attachment 519121
sec_error_unknown_issuer

Comment 2 Jeff Moe (jebba) 2011-08-19 23:19:10 UTC
Created attachment 519122
Certificate is not trusted....

Comment 3 Jeff Moe (jebba) 2011-08-19 23:19:33 UTC
Created attachment 519123
Could not verify this certificate...

Comment 4 Jeff Moe (jebba) 2011-08-19 23:20:17 UTC
Created attachment 519124
They're High, Assurance Secure Server

Comment 5 Jeff Moe (jebba) 2011-08-19 23:20:42 UTC
Created attachment 519125
directNIC pro

Comment 6 Cesar Eduardo Barros 2011-08-31 00:20:56 UTC
Did you try with a fresh profile? Firefox caches intermediate certificates.

Comment 7 Jeff Moe (jebba) 2011-12-29 18:37:42 UTC
Sorry, unable to test this. I will close this out. I thought perhaps it would set off some bells of someone who knows more, but seeing as it didn't, hopefully it is innocuous.
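
The following is an added example, not part of the original bug report or of Firefox. It builds a constructed root -> intermediate -> leaf PKI with the openssl CLI and shows that a client trusting only the root rejects a leaf served without its intermediate, while the same leaf is accepted once the intermediate is available (sent by the server, or already held by the client as Comment 6 describes). All file names and subject names are made up.

```shell
#!/usr/bin/env bash
# Added example: constructed PKI, root -> intermediate -> leaf (all names made up).
set -e

# issue DIR NAME CN ISSUER [EXTFILE]; ISSUER is "self" for the root.
issue() {
  local d="$1" n="$2" cn="$3" ca="$4" ext="${5:-}"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$cn" \
    -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
  if [ "$ca" = self ]; then
    set -- -signkey "$d/$n.key"
  else
    set -- -CA "$d/$ca.pem" -CAkey "$d/$ca.key" -CAcreateserial
  fi
  if [ -n "$ext" ]; then set -- "$@" -extfile "$ext"; fi
  openssl x509 -req -in "$d/$n.csr" -days 2 -out "$d/$n.pem" "$@" 2>/dev/null
}

build_pki() {
  local d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$d/ca.ext"
  issue "$d" root "Example Root CA" self "$d/ca.ext"
  issue "$d" int "Example Intermediate CA" root "$d/ca.ext"
  issue "$d" leaf "www.example.test" int
}

# chain_ok DIR [EXTRA_CERTS]: true only if the leaf chains to the trusted root.
# EXTRA_CERTS are untrusted helpers: what the server sends, or what a client cached.
chain_ok() {
  local d="$1" extra="${2:-}"
  if [ -n "$extra" ]; then set -- -untrusted "$extra"; else set --; fi
  openssl verify -CAfile "$d/root.pem" "$@" "$d/leaf.pem" 2>&1 | grep -q ': OK'
}

demo() {
  local d; d=$(mktemp -d)
  build_pki "$d"
  # Client knows only the root and the server sent only the leaf.
  if chain_ok "$d"; then echo "leaf only: accepted"; else echo "leaf only: unknown issuer"; fi
  # Same client, but the intermediate is available.
  if chain_ok "$d" "$d/int.pem"; then echo "leaf + intermediate: accepted"
  else echo "leaf + intermediate: rejected"; fi
  rm -rf "$d"
}
demo
```

On the server side, the intermediate becomes available to every client when the CA bundle shipped with the certificate (the ca-bundle.crt from step 3 of the report) is installed alongside it.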

