Bug#563253: libnss3-1d: Fails to verify the certificate of my company email server

Sam Morris sam at robots.org.uk
Wed Jan 6 13:52:12 UTC 2010


On Wed, 2010-01-06 at 13:53 +0100, Mike Hommey wrote:
> On Wed, Jan 06, 2010 at 12:31:34PM +0000, Sam Morris wrote:
> > > Before I go all the way to install evolution, could you check if there
> > > is a secmod.db file in your evolution folder or somewhere else it would
> > > be using ? (you can try to check in a strace output, possibly). Same
> > > question for key3.db and cert8.db.
> > 
> > These files do indeed exist, in ~/.evolution. If you just wanted to
> > check where evolution stores its certificate information, you can skip
> > the next paragraph. :) 
> > 
> > I needed to get access to my email for work, so I accepted evolution's
> > certificate warning. This seems to add a _permanent_ exemption for the
> > certificate, and evolution does not seem to have any UI for manipulating
> > exemptions, leaving me unable to reproduce the problem on this computer
> > any more. In order to try and remove the exemption, I deleted the
> > cert8.db, key3.db and secmod.db files in ~/.evolution. Evolution happily
> > recreated them, but they are empty; so now evolution doesn't know about
> > _any_ certificate authorities at all. So I can't reproduce the bug on
> > this computer any more (or connect to any SSL-using server without
> > having to manually verify the certificate, argh)... the bug will still
> > exist on my system at home, so if you want these files then I can pull
> > them off there later this evening.
> 
> That would be useful, thanks. You can also try giving the database to
> vfyserv (not sure if it needs to be the directory path, or if it needs
> to include the secmod.db leaf), which should theoretically make vfyserv do
> the same thing as evolution.

I just had the idea of creating a new user, setting up my evolution
accounts, and trying vfyserv:

        test at durandal:~$ /tmp/nss/nss-3.12.5/mozilla/security/nss/cmd/vfyserv/Linux2.6_x86_64_glibc_PTH_64_OPT.OBJ/vfyserv -p 443 -d ~/.evolution/ imap.example.com 
        Connecting to host imap.example.com (addr 217.160.200.53) on port 443
        PROBLEM WITH THE CERT CHAIN:
        CERT 3. info at valicert.com [Certificate Authority]:
          ERROR -8172: Peer's certificate issuer has been marked as not trusted by the user.
            E=info at valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
        Error in function PR_Write: -8172
         - Peer's certificate issuer has been marked as not trusted by the user.

This also happens with my personal mail server (crypt.ethx.net) that
works fine at home. This is looking more and more like a bug in
evolution rather than NSS, except that if I downgrade to NSS 3.12.4
everything works again. Anyway, I will perform the same new-user test on
my home machine with both versions of NSS and report back.

-- 
Sam Morris <sam at robots.org.uk>
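The vfyserv run above is the kind of diagnostic worth parsing rather than eyeballing, because the error number tells you where the decision came from: -8172 (SEC_ERROR_UNTRUSTED_ISSUER) is a distrust flag stored in the cert database handed over with -d, whereas -8179 (SEC_ERROR_UNKNOWN_ISSUER) or -8181 (SEC_ERROR_EXPIRED_CERTIFICATE) come from the chain itself. The script below is an added example for this thread, not code from NSS, Evolution or the Debian package; it parses vfyserv's "PROBLEM WITH THE CERT CHAIN" block into records (chain position, error code and name, subject DN split into attributes) and labels each failure as a local trust decision or a chain problem. The error-code table is transcribed from NSS secerr.h/sslerr.h (SEC_ERROR_BASE = -0x2000, SSL_ERROR_BASE = -0x3000) and lists only codes relevant to chain verification; the sample output is constructed, modelled on the run quoted above.

```python
"""Triage vfyserv chain-verification output (added example, not NSS code)."""
import re

# NSS error numbering from secerr.h / sslerr.h; only verification codes listed.
SEC_ERROR_BASE = -0x2000   # -8192
SSL_ERROR_BASE = -0x3000   # -12288
NSS_ERRORS = {
    SEC_ERROR_BASE + 10: "SEC_ERROR_BAD_SIGNATURE",
    SEC_ERROR_BASE + 11: "SEC_ERROR_EXPIRED_CERTIFICATE",
    SEC_ERROR_BASE + 12: "SEC_ERROR_REVOKED_CERTIFICATE",
    SEC_ERROR_BASE + 13: "SEC_ERROR_UNKNOWN_ISSUER",
    SEC_ERROR_BASE + 20: "SEC_ERROR_UNTRUSTED_ISSUER",   # -8172, as in the thread
    SEC_ERROR_BASE + 21: "SEC_ERROR_UNTRUSTED_CERT",
    SSL_ERROR_BASE + 12: "SSL_ERROR_BAD_CERT_DOMAIN",
}
# These two come from trust flags recorded in the cert database (cert8.db),
# so they change with the directory given to vfyserv -d; the others do not.
LOCAL_TRUST_ERRORS = {SEC_ERROR_BASE + 20, SEC_ERROR_BASE + 21}

CERT_RE = re.compile(r"^\s*CERT (\d+)\. (.*?) \[(.*?)\]:\s*$")
ERROR_RE = re.compile(r"^\s*ERROR (-?\d+): (.*?)\s*$")


def split_dn(dn):
    """Split an RFC 2253 style DN into (attr, value) pairs, keeping commas
    inside double-quoted values together (e.g. O="ValiCert, Inc.")."""
    parts, buf, in_quotes = [], [], False
    for ch in dn:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "," and not in_quotes:
            parts.append("".join(buf))
            buf = []
            continue
        buf.append(ch)
    parts.append("".join(buf))
    pairs = []
    for part in parts:
        attr, _, value = part.partition("=")
        pairs.append((attr.strip(), value.strip().strip('"')))
    return pairs


def parse_vfyserv(output):
    """Return one dict per failing certificate reported by vfyserv."""
    problems, current = [], None
    for line in output.splitlines():
        m = CERT_RE.match(line)
        if m:
            current = {"index": int(m.group(1)), "nickname": m.group(2),
                       "kind": m.group(3), "code": None, "name": None,
                       "message": None, "subject": {}}
            problems.append(current)
            continue
        m = ERROR_RE.match(line)
        if m and current is not None:
            code = int(m.group(1))
            current.update(code=code, message=m.group(2),
                           name=NSS_ERRORS.get(code, "UNKNOWN_NSS_ERROR"))
            continue
        # The first line after the ERROR line is the subject DN of that cert.
        if current is not None and current["code"] is not None \
                and not current["subject"] and "=" in line:
            current["subject"] = dict(split_dn(line.strip()))
    return problems


def classify(problem):
    """'local-trust' for a distrust decision stored in the database,
    'chain' for a failure NSS derived from the certificates themselves."""
    return "local-trust" if problem["code"] in LOCAL_TRUST_ERRORS else "chain"


def triage(output):
    """Compact summary rows: (chain index, error name, subject CN, class)."""
    return [(p["index"], p["name"], p["subject"].get("CN"), classify(p))
            for p in parse_vfyserv(output)]


# Constructed sample modelled on the vfyserv run quoted in this thread.
SAMPLE = """\
Connecting to host imap.example.com (addr 217.160.200.53) on port 443
PROBLEM WITH THE CERT CHAIN:
CERT 3. info@valicert.com [Certificate Authority]:
  ERROR -8172: Peer's certificate issuer has been marked as not trusted by the user.
    E=info@valicert.com,CN=http://www.valicert.com/,OU=ValiCert Class 2 Policy Validation Authority,O="ValiCert, Inc.",L=ValiCert Validation Network
Error in function PR_Write: -8172
 - Peer's certificate issuer has been marked as not trusted by the user.
"""

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

A "local-trust" result means the next thing to inspect is the trust flags on that CA in the database directory given with -d, which is exactly the comparison between the fresh-user and home-machine databases proposed in the thread; a "chain" result would point at the server's certificate chain instead.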