On Thu, Dec 2, 2010 at 9:23 AM, Randal L. Schwartz <[email protected]> wrote:
>>>>>> "John" == John Jason Jordan <[email protected]> writes:
>
> John> Ever since upgrading from Fedora 13 to Fedora 14 Firefox is complaining
> John> several times a day about expired and untrusted certificates. Just now
> John> I had one from the website for the Department of Defense Manpower Data
> John> Center:
>
> John> www.dmdc.osd.mil/scra/owa/home
>
> After the redirect to https://www.dmdc.osd.mil/appj/scra/scraHome.do I
> get good certificates on OSX for Safari and Chrome (both probably using
> the built-in OSX security validation), but Firefox screams about it.
>
> Weird... Firefox must come with its own certs. Firefox is definitely
> *not* a "native app" on OSX, so no surprise that it's also broken on
> OSX. :)

https://www.dmdc.osd.mil is signed by DOD CA-21, chained to DoD Root CA 2:

dyoung$ openssl s_client -connect www.dmdc.osd.mil:443 | head
depth=2 C = US, O = U.S. Government, OU = DoD, OU = PKI, CN = DoD Root CA 2
verify error:num=19:self signed certificate in certificate chain
verify return:0
CONNECTED(00000003)
---
Certificate chain
 0 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=OSD/CN=www.dmdc.osd.mil
   i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-21
 1 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-21
   i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
 2 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
   i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
---

Firefox (really, NSS) does not include any DOD CA root certificates:

http://mxr.mozilla.org/mozilla/source/security/nss/lib/ckfw/builtins/certdata.txt

--
Dan Young
_______________________________________________
PLUG mailing list
[email protected]
http://lists.pdxlinux.org/mailman/listinfo/plug
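
Added example, not part of the original message: a Python triage helper that parses the "Certificate chain" section of `openssl s_client` output, as quoted above, and reports where the chain ends relative to a given trust store, which is why one client accepts the site and another does not. The function names and the two trust-store sets are assumptions made for illustration; comparison is by subject name only, with no signature or date checks.

```python
import re

# Constructed sample: the "Certificate chain" section of the s_client output quoted above.
S_CLIENT_OUTPUT = """\
Certificate chain
 0 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/OU=OSD/CN=www.dmdc.osd.mil
   i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-21
 1 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DOD CA-21
   i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
 2 s:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
   i:/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2
"""

DOD_ROOT = "/C=US/O=U.S. Government/OU=DoD/OU=PKI/CN=DoD Root CA 2"
# Hypothetical trust stores, reduced to sets of root subject names.
STORE_WITHOUT_DOD = {"/C=XX/O=Example Trust/CN=Example Public Root"}
STORE_WITH_DOD = STORE_WITHOUT_DOD | {DOD_ROOT}


def parse_chain(text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        m = re.match(r"\s*(?:\d+\s+)?([si]):(.+)$", line)
        if not m:
            continue
        kind, name = m.group(1), m.group(2).strip()
        if kind == "s":
            subject = name
        elif subject is not None:
            chain.append((subject, name))
            subject = None
    return chain


def diagnose(text, trusted_subjects):
    """Name-level triage only: no signatures, dates or constraints are checked."""
    chain = parse_chain(text)
    if not chain:
        return "no chain found"
    # Each certificate's issuer must be the subject of the next one sent.
    for (_, issuer), (next_subject, _) in zip(chain, chain[1:]):
        if issuer != next_subject:
            return "broken chain: nothing sent for issuer " + issuer
    subject, issuer = chain[-1]
    if issuer in trusted_subjects:
        return "anchored at trusted root: " + issuer
    if subject == issuer:
        return "self-signed root not in trust store: " + subject
    return "chain incomplete, issuer not in trust store: " + issuer
```

The "self-signed root not in trust store" result corresponds to the `verify error:num=19` line in the output above: the server sent its root, but the local store does not contain it.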
