Re: [Mozilla Enterprise] "Certificate chain incomplete" in 45.1.0

2016-06-28 Thread Sebastian Metzger

Hello Zach,

I agree with James. Maybe the 45.2.0 Firefoxes had luckily downloaded the 
needed intermediate at the time you tried to open your web page.


Do you know which CA is missing?
Then you could check if this CA is "Builtin Object Token" or a 
downloaded "Software Security Module" (not sure about the correct 
English name) in 45.2.0.


>Nothing jumps out at me from the main or security release notes as to 
>why there should be any difference.
The CAs included in Firefox (or more specifically in the NSS) are changing 
in nearly every release.

But they are not stated in the normal release notes.

You can track the changes here:
https://wiki.mozilla.org/NSS:Release_Versions

Best regards

Sebastian Metzger

--
Sebastian Metzger

Debeka Krankenversicherungsverein a. G.
Debeka Lebensversicherungsverein a. G.
Debeka Allgemeine Versicherung AG
Debeka Pensionskasse AG
Debeka Bausparkasse AG

User and End-Device Services Department (IS/BE)
56058 Koblenz

Phone: (02 61) 4 98 - 31 05
Fax: (02 61) 4 98 - 20 99

E-Mail: sebastian.metz...@debeka.de
Internet: www.debeka.de

Visit us on social networks as well.
You can find our addresses here: www.debeka.de/socialmedia

Mandatory disclosures of the Debeka companies
pursuant to § 35a GmbHG / § 80 AktG: www.debeka.de/pflichtangaben

On 29.06.2016 at 04:39, James Andrewartha wrote:

> On 29/06/16 05:43, Schuetz, Zach wrote:
>
> > One of our web applications is reachable from most browsers, including
> > current ESR 45.2.0. However, 45.1.0 (currently deployed in a few places)
> > gives an SSL error, saying the security chain is incomplete. Nothing
> > jumps out at me from the main or security release notes as to why there
> > should be any difference.
> >
> > Now, the obvious answer is to tweak the security (already working with
> > our server team) and update Firefox everywhere, but why did this happen
> > in the first place, and is there any way for me to know if it’s likely
> > to happen again?
>
> I believe that Firefox will cache intermediate certificates, so if you
> visit a correctly-configured HTTPS site that uses the same chain, visits
> to an incorrectly-configured site will work.
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=733232
> https://bugzilla.mozilla.org/show_bug.cgi?id=629558
> https://bugzilla.mozilla.org/show_bug.cgi?id=399324
> http://superuser.com/questions/351516/do-intermediate-certificates-get-cached-in-firefox



___
Enterprise mailing list
Enterprise@mozilla.org
https://mail.mozilla.org/listinfo/enterprise

To unsubscribe from this list, please visit https://mail.mozilla.org/listinfo/enterprise 
or send an email to enterprise-requ...@mozilla.org with a subject of 
"unsubscribe"


Re: [Mozilla Enterprise] "Certificate chain incomplete" in 45.1.0

2016-06-28 Thread James Andrewartha
On 29/06/16 05:43, Schuetz, Zach wrote:
> One of our web applications is reachable from most browsers, including
> current ESR 45.2.0. However, 45.1.0 (currently deployed in a few places)
> gives an SSL error, saying the security chain is incomplete. Nothing
> jumps out at me from the main or security release notes as to why there
> should be any difference.
>  
> Now, the obvious answer is to tweak the security (already working with
> our server team) and update Firefox everywhere, but why did this happen
> in the first place, and is there any way for me to know if it’s likely
> to happen again?

I believe that Firefox will cache intermediate certificates, so if you
visit a correctly-configured HTTPS site that uses the same chain, visits
to an incorrectly-configured site will work.

https://bugzilla.mozilla.org/show_bug.cgi?id=733232
https://bugzilla.mozilla.org/show_bug.cgi?id=629558
https://bugzilla.mozilla.org/show_bug.cgi?id=399324
http://superuser.com/questions/351516/do-intermediate-certificates-get-cached-in-firefox

-- 
James Andrewartha
Network & Projects Engineer
Christ Church Grammar School
Claremont, Western Australia
Ph. (08) 9442 1757
Mob. 0424 160 877
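
The behaviour discussed in this thread, as an added example that is not part of any poster's message: a constructed root, intermediate and leaf are generated with the `openssl` CLI, and `openssl verify` stands in for a client that trusts only the root. All subject names and file names are made up, and passing the intermediate via `-untrusted` only approximates Firefox's intermediate cache.

```shell
#!/bin/sh
# Added example. The three-level chain is constructed here; every name is made up.

issue() {  # issue DIR NAME CN ISSUER [EXTFILE]: new key + CSR, signed by ISSUER
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null &&
  openssl x509 -req -in "$1/$2.csr" -days 2 -CAcreateserial \
    -CA "$1/$4.pem" -CAkey "$1/$4.key" ${5:+-extfile "$5"} \
    -out "$1/$2.pem" 2>/dev/null
}

make_chain() {  # make_chain DIR: root -> inter -> leaf, plus what a server might send
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' \
    > "$1/ca.ext" &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Constructed Root" \
    -keyout "$1/root.key" -out "$1/root.pem" 2>/dev/null &&
  issue "$1" inter "Constructed Intermediate" root "$1/ca.ext" &&
  issue "$1" leaf "app.example.test" inter &&
  cp "$1/leaf.pem" "$1/sent_leaf_only.pem" &&            # misconfigured server
  cat "$1/leaf.pem" "$1/inter.pem" > "$1/sent_full.pem"  # correctly configured server
}

# client_accepts ROOT SENT [CACHED]: exit 0 if a client trusting only ROOT can build
# a path for the first certificate in SENT from the certificates the server sent
# plus, optionally, intermediates it already holds (the cache in the thread).
client_accepts() {
  pool=$(mktemp) || return 2
  cat "$2" ${3:+"$3"} > "$pool"
  openssl verify -CAfile "$1" -untrusted "$pool" "$2" >/dev/null 2>&1 && rc=0 || rc=$?
  rm -f "$pool"
  return "$rc"
}

verdict() { if client_accepts "$@"; then echo accepted; else echo rejected; fi; }

demo() {
  d=$(mktemp -d) && make_chain "$d" || return 1
  echo "leaf only, empty cache:  $(verdict "$d/root.pem" "$d/sent_leaf_only.pem")"
  echo "leaf only, cached inter: $(verdict "$d/root.pem" "$d/sent_leaf_only.pem" "$d/inter.pem")"
  echo "full chain, empty cache: $(verdict "$d/root.pem" "$d/sent_full.pem")"
  rm -rf "$d"
}
demo
```

For a real server, the same `client_accepts` check can be run on the certificates saved from `openssl s_client -showcerts`, with no cached intermediates supplied, so the result does not depend on what any one browser profile has seen before.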


[Mozilla Enterprise] "Certificate chain incomplete" in 45.1.0

2016-06-28 Thread Schuetz, Zach
Hi folks,

One of our web applications is reachable from most browsers, including current 
ESR 45.2.0. However, 45.1.0 (currently deployed in a few places) gives an SSL 
error, saying the security chain is incomplete. Nothing jumps out at me from 
the main or security release notes as to why there should be any difference.

Now, the obvious answer is to tweak the security (already working with our 
server team) and update Firefox everywhere, but why did this happen in the 
first place, and is there any way for me to know if it's likely to happen again?

~Zach Schuetz
Middlebury College ITS