Bug#563253: libnss3-1d: Fails to verify the certificate of my company email server

Mike Hommey mh at glandium.org
Wed Jan 6 10:13:25 UTC 2010


On Fri, Jan 01, 2010 at 01:28:47PM +0000, Sam Morris wrote:
> Package: libnss3-1d
> Version: 3.12.5-1
> Severity: grave
> Justification: renders package unusable
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Since upgrading libnss3-1d to 3.12.5, I have been unable to connect to my
> company's email server. Evolution gives me this dialog:
> 
> SSL Certificate check for imap.example.com:
> 
> Issuer:            serialNumber=88888888,CN=Go Daddy Secure Certification
> Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com,
> Inc.",L=Scottsdale,ST=Arizona,C=US
> Subject:           CN=*.example.com,OU=Domain Control Validated,O=*.example.com
> Fingerprint:       ec:cf:43:7f:87:84:f0:63:ec:b4:5d:60:e5:7e:6b:23
> Signature:         BAD
> 
> No problem with iceweasel, thunderbird, etc. but they don't appear to use the
> split-out package of NSS.
> 
> I reported the same bug against gnutls, #563127. The maintainer found that
> gnutls refused to accept the certificate because it was issued by a "V1 CA".
> Sadly I'm no X.509 expert so I don't know what that really means. The
> certificate in question was issued in April 2009, so it's not exactly ancient.
> 
> Please tell me if you'd like the server address to debug this further yourself,
> or whether there are any command line utilities for NSS that I can use as the
> equivalent of gnutls-bin/'openssl s_client' to debug further. 

There is one, but you would need to build libnss3 yourself (and get the
binary in mozilla/security/nss/cmd/vfyserv). If you'd prefer me to further
investigate, please report the server address.

> Because this coincides with the upgrade from 3.12.4 to 3.12.5 I am assuming
> that NSS made a similar policy change to GnuTLS, to stop trusting V1 CAs. If
> this is the kind of thing that a user of NSS can override, please let me know
> and I'll forward that information to the (evolution) upstream bug at
> <https://bugzilla.gnome.org/show_bug.cgi?id=605773>.

There is no such change that I can see related to trusting V1 CA
certificates.

Mike
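Added example, not from this thread or from NSS/gnutls: a dependency-free Python check for the "V1 CA" condition the gnutls maintainer named. RFC 5280 encodes the certificate version as an optional [0] tag at the start of tbsCertificate, defaulting to v1 when it is absent; a v1 certificate cannot carry extensions such as basicConstraints, which is why a modern validator will not treat one as an intermediate CA. The two certificate stubs are constructed and truncated; for a real chain, feed pem_to_der the blocks printed by openssl s_client -showcerts.

```python
import base64
import re

def _tlv(buf, pos):
    """Read one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length (real certs use this)
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def x509_version(der):
    """Return 1, 2 or 3 for a DER certificate. The version is an EXPLICIT [0]
    tag at the start of tbsCertificate and DEFAULTs to v1 when absent."""
    tag, pos, _ = _tlv(der, 0)             # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, _ = _tlv(der, pos)           # tbsCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("tbsCertificate missing")
    tag, vstart, _ = _tlv(der, pos)        # first field of tbsCertificate
    if tag != 0xA0:                        # no [0] version tag => v1
        return 1
    tag, istart, iend = _tlv(der, vstart)  # INTEGER: 0 = v1, 1 = v2, 2 = v3
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[istart:iend], "big") + 1

def pem_to_der(pem):
    """Strip PEM armour and whitespace, then base64-decode."""
    return base64.b64decode(re.sub(r"-----[A-Z ]+-----|\s", "", pem))

def v1_issuers(chain):
    """Indices of issuer (non-leaf) certificates in a leaf-first chain that
    are X.509 v1 and therefore cannot carry CA extensions."""
    return [i for i, der in enumerate(chain) if i > 0 and x509_version(der) == 1]

# Constructed, truncated stubs: only enough DER to carry the version field.
V3_STUB = bytes.fromhex("300a3008a003020102020101")  # [0]{INTEGER 2}, serial 1
V1_STUB = bytes.fromhex("30053003020101")            # version absent, serial 1

if __name__ == "__main__":
    print([x509_version(c) for c in (V3_STUB, V1_STUB)])  # [3, 1]
    print(v1_issuers([V3_STUB, V1_STUB]))                 # [1]
```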
