Re: [Mozilla Enterprise] "Certificate chain incomplete" in 45.1.0

Tue, 28 Jun 2016 22:22:29 -0700 

Hello Zach,
I agree to James. Maybee the 45.2.0 firefoxes had luckily downloaded the needed intermidiate at the time you tried to open your web page. 

Do you know which CA is missing?

Than you could check if this CA is "Builtin Object Token" or a 
downloaded "Software Security Module" (not sure about the correct 
english name) in 45.2.0.



>Nothing jumps out at me from the main or security release notes as to 
>why there should be any difference.
The CAs included in firefox (or more specific in the NSS) are changing 
in nearly every release.

But, they are not stated in the normal release notes.

You can track the changes here:
https://wiki.mozilla.org/NSS:Release_Versions

Best regards

Sebastian Metzger

--
Sebastian Metzger

Debeka Krankenversicherungsverein a. G.
Debeka Lebensversicherungsverein a. G.
Debeka Allgemeine Versicherung AG
Debeka Pensionskasse AG
Debeka Bausparkasse AG

Abteilung Benutzer- und Endgerätedienste (IS/BE)
56058 Koblenz

Telefon: (02 61) 4 98 - 31 05
Telefax: (02 61) 4 98 - 20 99

E-Mail: sebastian.metz...@debeka.de
Internet: www.debeka.de

Besuchen Sie uns auch in sozialen Netzwerken.
Unsere Adressen finden Sie hier: www.debeka.de/socialmedia

Pflichtangaben der Debeka-Unternehmen
gemäß § 35a GmbHG / § 80 AktG: www.debeka.de/pflichtangaben

Am 29.06.2016 um 04:39 schrieb James Andrewartha:

On 29/06/16 05:43, Schuetz, Zach wrote:

One of our web applications is reachable from most browsers, including
current ESR 45.2.0. However, 45.1.0 (currently deployed in a few places)
gives an SSL error, saying the security chain is incomplete. Nothing
jumps out at me from the main or security release notes as to why there
should be any difference.

Now, the obvious answer is to tweak the security (already working with
our server team) and update Firefox everywhere, but why did this happen
in the first place, and is there any way for me to know if it’s likely
to happen again?


I believe that Firefox will cache intermediate certificates, so if you
visit a correctly-configured HTTPS site that uses the same chain, visits
to a incorrectly-configured site will work.

https://bugzilla.mozilla.org/show_bug.cgi?id=733232
https://bugzilla.mozilla.org/show_bug.cgi?id=629558
https://bugzilla.mozilla.org/show_bug.cgi?id=399324
http://superuser.com/questions/351516/do-intermediate-certificates-get-cached-in-firefox



_______________________________________________
Enterprise mailing list
Enterprise@mozilla.org
https://mail.mozilla.org/listinfo/enterprise

To unsubscribe from this list, please visit https://mail.mozilla.org/listinfo/enterprise 
or send an email to enterprise-requ...@mozilla.org with a subject of 
"unsubscribe"






















					Reply via email to