Bug 732144 - Firefox 64bit accepts Comodo cert without intermediate certs
Product: Fedora
Classification: Fedora
Component: firefox
Hardware: x86_64 Linux
Priority: unspecified
Severity: high
Assigned To: Kai Engert (:kaie) (inactive account)
QA Contact: Fedora Extras Quality Assurance
Keywords: Triaged
Reported: 2011-08-19 19:16 EDT by Jeff Moe (jebba)
Modified: 2011-12-29 13:37 EST
Doc Type: Bug Fix
Last Closed: 2011-12-29 13:37:42 EST

Attachments
This Connection is Untrusted (55.02 KB, image/png)
2011-08-19 19:16 EDT, Jeff Moe (jebba)
sec_error_unknown_issuer (64.02 KB, image/png)
2011-08-19 19:18 EDT, Jeff Moe (jebba)
Certificate is not trusted.... (38.34 KB, image/png)
2011-08-19 19:19 EDT, Jeff Moe (jebba)
Could not verify this certificate... (49.43 KB, image/png)
2011-08-19 19:19 EDT, Jeff Moe (jebba)
They're High, Assurance Secure Server (41.36 KB, image/png)
2011-08-19 19:20 EDT, Jeff Moe (jebba)
directNIC pro (49.76 KB, image/png)
2011-08-19 19:20 EDT, Jeff Moe (jebba)

Description Jeff Moe (jebba) 2011-08-19 19:16:59 EDT
Created attachment 519120: This Connection is Untrusted

Description of problem:
With great hesitation I file this (as I may be reading the situation incorrectly), but here goes:

I have a Debian Squeeze server running Apache. It comes with a number of certs installed in /etc/ssl. I got a Comodo certificate from directNIC, installed it on the server, and was able to access my https site fine on x86_64 Fedora 15 with Firefox 5 and Firefox 6. I did not install any of the intermediate certs since my first test worked, so I presumed the intermediate certs were already there by default.

Weeks later I went to another Fedora machine and it was giving "This connection is untrusted" when I hit the same site. Quite baffled, I tried it on all the machines we have here. All of the i686 boxes gave the warning, none of the x86_64 gave the warning. More specifically, the error was "sec_error_unknown_issuer". I'll attach screenshots.

Version-Release number of selected component (if applicable):



How reproducible:
Well...Here's one way...

Steps to Reproduce:
1. Install Debian Squeeze. ;)

2. Get a Comodo "Instant SSL Pro" certificate from directNIC.com or whomever.

3. Install the new cert for the domain in /etc/ssl/keys or wherever and set up Apache to point at it. Don't install the ca-bundle.crt (with intermediate certs) that comes with the new certificate.

Actual results:
Works fine on x86_64, gives warning on i686.

Expected results:
It should give a "sec_error_unknown_issuer" warning on x86_64. 

Additional info:
Yikes. Comodo has been known to have problems, so this is double ungood, if I'm reading the screen correctly... Let's hope not. ;)

Comment 1 Jeff Moe (jebba) 2011-08-19 19:18:27 EDT
Created attachment 519121

Comment 2 Jeff Moe (jebba) 2011-08-19 19:19:10 EDT
Created attachment 519122: Certificate is not trusted....

Comment 3 Jeff Moe (jebba) 2011-08-19 19:19:33 EDT
Created attachment 519123: Could not verify this certificate...

Comment 4 Jeff Moe (jebba) 2011-08-19 19:20:17 EDT
Created attachment 519124: They're High, Assurance Secure Server

Comment 5 Jeff Moe (jebba) 2011-08-19 19:20:42 EDT
Created attachment 519125: directNIC pro

Comment 6 Cesar Eduardo Barros 2011-08-30 20:20:56 EDT
Did you try with a fresh profile? Firefox caches intermediate certificates.

Comment 7 Jeff Moe (jebba) 2011-12-29 13:37:42 EST
Sorry, unable to test this. I will close this out. I thought perhaps it would set off some bells of someone who knows more, but seeing as it didn't, hopefully it is innocuous.
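
The mechanism raised in comment 6, a client that already holds an intermediate validating a server that never sends it, modeled as an added example; it is not part of the original report and is not Firefox or NSS code. The CA names, host names and the `Profile` class are constructed for illustration, and validation uses Ruby's OpenSSL bindings rather than NSS.

```ruby
require "openssl"

# Build a constructed test certificate; without an issuer it is a self-signed root.
def issue(cn, ca:, issuer: nil, issuer_key: nil)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = rand(1..2**62)
  cert.subject = OpenSSL::X509::Name.new([["CN", cn]])
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 3600
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Hypothetical model of a browser profile: fixed trust anchors plus
# intermediates remembered from earlier successful visits.
class Profile
  def initialize(root)
    @store = OpenSSL::X509::Store.new
    @store.add_cert(root)
    @cache = []
  end

  # Validates what a server sent (leaf first) and returns OpenSSL's verdict string.
  def visit(leaf, *sent)
    @cache += sent if @store.verify(leaf, @cache + sent)
    @store.error_string
  end
end

# Both profiles end at a server that sends only its leaf certificate;
# "warm" first visited a server that sent the full chain.
def demo
  root, root_key = issue("Constructed Root CA", ca: true)
  inter, inter_key = issue("Constructed Intermediate CA", ca: true, issuer: root, issuer_key: root_key)
  chain_ok = issue("chain-ok.example.test", ca: false, issuer: inter, issuer_key: inter_key).first
  leaf_only = issue("leaf-only.example.test", ca: false, issuer: inter, issuer_key: inter_key).first
  fresh, warm = Profile.new(root), Profile.new(root)
  { fresh: fresh.visit(leaf_only), warmup: warm.visit(chain_ok, inter), cached: warm.visit(leaf_only) }
end

p demo if __FILE__ == $PROGRAM_NAME
```

Only the `fresh` result fails, so a chain check run from a long-used profile can pass against a server that omits its ca-bundle.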
