Bug#563253: libnss3-1d: Fails to verify the certificate of my company email server
Sam Morris
sam at robots.org.uk
Fri Jan 1 13:28:47 UTC 2010
Package: libnss3-1d
Version: 3.12.5-1
Severity: grave
Justification: renders package unusable
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Since upgrading libnss3-1d to 3.12.5, I have been unable to connect to my
company's email server. Evolution gives me this dialog:

SSL Certificate check for imap.example.com:
Issuer: serialNumber=88888888,CN=Go Daddy Secure Certification
Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com,
Inc.",L=Scottsdale,ST=Arizona,C=US
Subject: CN=*.example.com,OU=Domain Control Validated,O=*.example.com
Fingerprint: ec:cf:43:7f:87:84:f0:63:ec:b4:5d:60:e5:7e:6b:23
Signature: BAD

No problem with iceweasel, thunderbird, etc. but they don't appear to use the
split-out package of NSS.

I reported the same bug against gnutls, #563127. The maintainer found that
gnutls refused to accept the certificate because it was issued by a "V1 CA".
Sadly I'm no X.509 expert so I don't know what that really means. The
certificate in question was issued in April 2009, so it's not exactly ancient.

Please tell me if you'd like the server address to debug this further yourself,
or whether there are any command line utilities for NSS that I can use as the
equivalent of gnutls-bin/'openssl s_client' to debug further.

Because this coincides with the upgrade from 3.12.4 to 3.12.5 I am assuming
that NSS made a similar policy change to GnuTLS, to stop trusting V1 CAs. If
this is the kind of thing that a user of NSS can override, please let me know
and I'll forward that information to the (evolution) upstream bug at
<https://bugzilla.gnome.org/show_bug.cgi?id=605773>.

- -- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (430, 'testing'), (420, 'unstable'), (410, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.32-trunk-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages libnss3-1d depends on:
ii dpkg 1.15.5.4 Debian package management system
ii libc6 2.10.2-2 GNU C Library: Shared libraries
ii libnspr4-0d 4.8.2-1 NetScape Portable Runtime Library
ii libsqlite3-0 3.6.21-2 SQLite 3 shared library
ii zlib1g 1:1.2.3.3.dfsg-15 compression library - runtime
libnss3-1d recommends no packages.
libnss3-1d suggests no packages.
- -- no debconf information
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
iEYEARECAAYFAks9+IoACgkQshl/216gEHgbmgCg4/dEMui2RE3t+GgVJ9je7ouJ
AB0AmgOjth0/Cy2emJ/RkhIl56IzQ0Ec
=kMHW
-----END PGP SIGNATURE-----