Hi list,

In #security it was suggested that I post to this list rather
than discussing the issue in IRC.

My employer runs a website secured with an EV SSL cert issued
by Comodo and tells all our customers on the login page that
they should only enter their credentials if the address bar of
their browser is indicating an EV SSL cert (green address bar,
company name etc. with some screenshots for the average user).

For the 2nd time in many months a customer reported to us that
his Firefox rendered the page but did *not* display a green
address bar and no company name was visible. Instead, Firefox
displayed an exclamation mark with the text

  This website does not supply identity information.

when clicking on it.

The customer sent screenshots to me confirming that he indeed
got the right certificate - fingerprint and serial number match,
so I guess there is no MITM taking place.

Without restarting the Firefox browser but only by pressing F5,
Firefox happily displayed all the EV SSL indicators while
reloading the page.

The page is hosted via Cloudflare (reverse proxy) but this
shouldn't matter since the customer really is getting the right
certificate.

At first we suspected that the connection to the OCSP server
failed, but with the customer's settings pasted below this should
not be possible:

  security.OCSP.enabled = 1
  security.OCSP.require = true

about:
  version 32.0.3
  Build identifier:
    Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:32.0)
    Gecko/20100101 Firefox/32.0

about:buildconfig
  Build Machine:
    toyol

  Build platform:
    target: x86_64-pc-linux-gnu

  Build tools:
    Compiler     Version     Compiler flags
    gcc     4.8.2     -Wall -Wpointer-arith -Wdeclaration-after-statement
      -Werror=return-type -Werror=int-to-pointer-cast -Wtype-limits
      -Wempty-body -Wsign-compare -Wno-unused -Wcast-align -std=gnu99
      -fgnu89-inline -fno-strict-aliasing -ffunction-sections -fdata-sections
      -fno-math-errno -pthread -pipe
    c++     4.8.2     -Wall -Wpointer-arith -Woverloaded-virtual
      -Werror=return-type -Werror=int-to-pointer-cast -Wtype-limits
      -Wempty-body -Wsign-compare -Wno-invalid-offsetof -Wcast-align
      -fno-exceptions -fno-strict-aliasing -fno-rtti -ffunction-sections
      -fdata-sections -fno-exceptions -fno-math-errno -std=gnu++0x -pthread
      -pipe -DNDEBUG -DTRIMMED -g -Os -freorder-blocks -fomit-frame-pointer

  Configure arguments:
    --host=x86_64-linux-gnu --prefix=/usr --libexecdir=/usr/lib/firefox
    --with-l10n-base=/build/buildd/firefox-32.0.3+build1/./l10n
    --srcdir=/build/buildd/firefox-32.0.3+build1/. --enable-release
    --disable-install-strip --disable-updater --enable-application=browser
    --enable-startup-notification --with-distribution-id=com.ubuntu
    --enable-optimize --enable-tests --enable-crashreporter
    --with-branding=browser/branding/official --disable-gnomevfs
    --enable-gio --enable-update-channel=release --disable-debug
    --disable-elf-hack --enable-gstreamer=1.0
    --with-google-api-keyfile=/build/buildd/firefox-32.0.3+build1/debian/g

ii  firefox                          32.0.3+build1-0ubuntu0.14.04.1
ii  firefox-locale-en                32.0.3+build1-0ubuntu0.14.04.1
ii  libcurl3:amd64                   7.35.0-1ubuntu2.1
ii  libgnutls-openssl27:amd64        2.12.23-12ubuntu2.1
ii  libnss-mdns:amd64                0.10-6
ii  libnss3:amd64                    2:3.17.1-0ubuntu0.14.04.1
ii  libnss3-1d:amd64                 2:3.17.1-0ubuntu0.14.04.1
ii  libnss3-nssdb                    2:3.17.1-0ubuntu0.14.04.1
ii  rhythmbox-mozilla                3.0.2-0ubuntu2
ii  totem-mozilla                    3.10.1-1ubuntu4
ii  unity-scope-firefoxbookmarks     0.1+13.10.20130809.1-0ubuntu1
ii  xul-ext-ubufox                   2.9-0ubuntu0.14.04.1
ii  xul-ext-unity                    3.0.0+14.04.20140416-0ubuntu1
ii  xul-ext-webaccounts              0.5-0ubuntu2
ii  xul-ext-websites-integration     2.3.6+13.10.20130920.1-0ubuntu1

Any ideas what might cause this no-EV-indicators-press-F5-then-all-is-fine
behaviour?

Since the customer's initial report to us he was able to reproduce the
issue two more times.

Regards
Marcel
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto