Bug#589023: iceweasel: SSL/X509 Certificate for 'AddTrust External CA Root' not recognized as valid

Wed, 14 Jul 2010 09:21:21 -0700 

On Wed, 2010-07-14 at 13:43 +0200, Mike Hommey wrote:
> On Wed, Jul 14, 2010 at 01:27:12PM +0200, Frank Lin PIAT wrote:
> > 
> > When I visit https://www.gandi.net, the certificate isn't 
> > trusted/recognized.
> >   Error title: "This Connection is Untrusted"
> >   Error code: sec_error_unknown_issuer

> [..] as it works properly here, I suspect something fishy with the
> certificate database in your user profile.
> 
> Can you first check if that works better if you try with a new profile

The new profile is OK (I should have tested that rather than make wrong
assumption).

I investigated... In the OK profile, the "AddTrust External CA Root"
certificate is selfsigned, whereas the certificates are differents on
the KO profile (and they make a loop!):

/usr/bin/certutil -L -d /home/fpiat/.mozilla/firefox/*.default/ -a -n "AddTrust 
External CA Root"  | openssl x509 -noout -issuer -subject 
> issuer= /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST 
> Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
> subject= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust 
> External CA Root

/usr/bin/certutil -L -d /home/fpiat/.mozilla/firefox/*.default/ -a -n "UTN - 
DATACorp SGC"  | openssl x509 -noout -issuer -subject 
> issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust 
> External CA Root
> subject= /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST 
> Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC

I wonder where I got those certificates from, and if others could be affected.

<me thinking>
If I understand how NSS work properly, it means that NSS is "learning"
certificates chains (i.e adding certificates to it's database) as it is
receiving certificates from visited websites.

This fuzzy / unpredictable behavior scares me.
</me thinking>

Anyway, I removed the "Software Security Device" entries, and it's now
working:
UTN - DATACorp SGC
 `-> AddTrust External CA Root
     `-> COMODO EV SGC CA
          `-> www.comodo.com

Regards,

Franklin




-- 
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org

Reply via email to