Bug#563253: libnss3-1d: Fails to verify the certificate of my company email server

Sam Morris sam at robots.org.uk
Fri Jan 1 13:28:47 UTC 2010


Package: libnss3-1d
Version: 3.12.5-1
Severity: grave
Justification: renders package unusable

Since upgrading libnss3-1d to 3.12.5, I have been unable to connect to my
company's email server. Evolution gives me this dialog:

SSL Certificate check for imap.example.com:

Issuer:            serialNumber=88888888,CN=Go Daddy Secure Certification
Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com,
Inc.",L=Scottsdale,ST=Arizona,C=US
Subject:           CN=*.example.com,OU=Domain Control Validated,O=*.example.com
Fingerprint:       ec:cf:43:7f:87:84:f0:63:ec:b4:5d:60:e5:7e:6b:23
Signature:         BAD

No problem with iceweasel, thunderbird, etc. but they don't appear to use the
split-out package of NSS.

I reported the same bug against gnutls, #563127. The maintainer found that
gnutls refused to accept the certificate because it was issued by a "V1 CA".
Sadly I'm no X.509 expert so I don't know what that really means. The
certificate in question was issued in April 2009, so it's not exactly ancient.

Please tell me if you'd like the server address to debug this further yourself,
or whether there are any command line utilities for NSS that I can use as the
equivalent of gnutls-bin/'openssl s_client' to debug further. 

Because this coincides with the upgrade from 3.12.4 to 3.12.5 I am assuming
that NSS made a similar policy change to GnuTLS, to stop trusting V1 CAs. If
this is the kind of thing that a user of NSS can override, please let me know
and I'll forward that information to the (evolution) upstream bug at
<https://bugzilla.gnome.org/show_bug.cgi?id=605773>.

-- System Information:
Debian Release: squeeze/sid
  APT prefers testing
  APT policy: (430, 'testing'), (420, 'unstable'), (410, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.32-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libnss3-1d depends on:
ii  dpkg                   1.15.5.4          Debian package management system
ii  libc6                  2.10.2-2          GNU C Library: Shared libraries
ii  libnspr4-0d            4.8.2-1           NetScape Portable Runtime Library
ii  libsqlite3-0           3.6.21-2          SQLite 3 shared library
ii  zlib1g                 1:1.2.3.3.dfsg-15 compression library - runtime

libnss3-1d recommends no packages.

libnss3-1d suggests no packages.

-- no debconf information

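
Added example, not part of the original report and not NSS or GnuTLS code: a "V1 CA" is an issuer certificate in X.509 version 1 format, which has no extensions field and therefore cannot carry basicConstraints with cA set. The Python below reads the version and the cA flag straight from DER bytes; the function names and the two skeleton inputs are constructed for illustration.

```python
# Added example: constructed DER skeletons, not real certificates.
BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # OID 2.5.29.19

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def children(buf, start, end):
    """List the (tag, value_start, value_end) elements between start and end."""
    out = []
    while start < end:
        out.append(read_tlv(buf, start))
        start = out[-1][2]
    return out

def cert_version_and_ca(der):
    """Return (X.509 version, True if basicConstraints asserts cA)."""
    _, cert_start, _ = read_tlv(der, 0)                # Certificate
    _, tbs_start, tbs_end = read_tlv(der, cert_start)  # tbsCertificate
    fields = children(der, tbs_start, tbs_end)
    version, is_ca = 1, False              # version field absent means v1
    if fields[0][0] == 0xA0:               # [0] EXPLICIT INTEGER (0=v1, 2=v3)
        _, v, _ = read_tlv(der, fields[0][1])
        version = der[v] + 1
    for tag, start, _ in fields:
        if tag != 0xA3:                    # [3] extensions exist only in v3
            continue
        _, ext_start, ext_end = read_tlv(der, start)
        for _, x_start, x_end in children(der, ext_start, ext_end):
            parts = children(der, x_start, x_end)  # OID, [critical], OCTET STRING
            if der[parts[0][1]:parts[0][2]] == BASIC_CONSTRAINTS:
                _, b_start, b_end = read_tlv(der, parts[-1][1])
                inner = children(der, b_start, b_end)
                is_ca = bool(inner) and inner[0][0] == 0x01 and der[inner[0][1]] != 0
    return version, is_ca

def tlv(tag, body):  # builder for the short constructed samples below
    return bytes([tag, len(body)]) + body

EMPTY = tlv(0x30, b"")  # stands in for algorithm, issuer, validity, subject, key
V1_CA = tlv(0x30, tlv(0x30, tlv(0x02, b"\x01") + EMPTY * 5))
BC = tlv(0x30, tlv(0x06, BASIC_CONSTRAINTS) + tlv(0x01, b"\xff")
         + tlv(0x04, tlv(0x30, tlv(0x01, b"\xff"))))
V3_CA = tlv(0x30, tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
                      + EMPTY * 5 + tlv(0xA3, tlv(0x30, BC))))

if __name__ == "__main__":
    print(cert_version_and_ca(V1_CA), cert_version_and_ca(V3_CA))
```

To inspect a real issuer certificate, convert its PEM text to DER with ssl.PEM_cert_to_DER_cert from the Python standard library and pass the result to cert_version_and_ca.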





More information about the pkg-mozilla-maintainers mailing list