Bug#670882: libnss3-1d: Iceweasel says that various sites use an invalid security certificate

Mike Hommey mh at glandium.org
Tue May 1 06:15:47 UTC 2012


On Tue, May 01, 2012 at 02:59:12AM +0200, Vincent Lefevre wrote:
> On 2012-04-30 11:49:11 +0200, Mike Hommey wrote:
> > On Mon, Apr 30, 2012 at 11:38:02AM +0200, Vincent Lefevre wrote:
> > > On 2012-04-30 11:27:42 +0200, Mike Hommey wrote:
> > > > On Mon, Apr 30, 2012 at 10:58:50AM +0200, Vincent Lefevre wrote:
> > > > > I've done some tests, and the problem still occurs with my usual
> > > > > profile. And it occurs with a new profile if I copy the old cert8.db
> > > > > file.
> > > > 
> > > > That would seem to indicate something weird in your cert8.db...
> > > 
> > > Not necessarily weird. No such problems with the previous libnss3-1d
> > > version. Could libnss3-1d log messages about this cert8.db file?
> > 
> > Your best bet might be to check some of the tools in libnss3-tools (like
> > certutil) and check what's peculiar to your cert8.db (checking against a
> > fresh one)
> 
> The problem seems to be that the new libnss3-1d is confused by
> intermediate certificates from cert8.db that are in the chain.
> 
> For instance, if I remove the UTN-USERFirst-Hardware certificate
> with
> 
>   certutil -D -d .mozilla/firefox/xwsukxd4.test6/ -n UTN-USERFirst-Hardware
> 
> the problem disappears on <https://www.zeroforfait.fr/>.
> 
> As an example, I've attached the two certificates. Perhaps the
> old libnss3-1d was ignoring certificates of cert8.db below the
> root certificate? (There isn't much in the changelog).

I can't reproduce the problem with either certificate, except if I
explicitly distrust them. But in that case, it happens on 3.13.4 as
well as 3.13.3.

Mike
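
An added example, not part of the original thread or of libnss3-tools: one way to do the comparison against a fresh cert8.db suggested above, by diffing two saved `certutil -L` listings and flagging entries that are missing from the fresh database, differ in trust, or carry the `p` (prohibited, i.e. explicitly distrusted) flag. The function names, file names and sample listings are assumptions constructed for illustration; only the nickname UTN-USERFirst-Hardware comes from the thread.

```shell
# Added example (not from the thread): diff two `certutil -L` listings.
# Create the inputs with: certutil -L -d <profile-dir> > suspect.txt (same for fresh.txt)

# Print "TAG<TAB>nickname<TAB>trust" for each certificate row on stdin.
# The trust column is the last field; nicknames may contain spaces.
parse_listing() {
  awk -v tag="$1" '$NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
    trust = $NF
    sub(/[ \t]+[^ \t]+[ \t]*$/, "")      # strip the trust column
    print tag "\t" $0 "\t" trust
  }'
}

# $1 = listing of the suspect DB, $2 = listing of the fresh DB.
# Rows are tagged instead of using NR==FNR so an empty fresh listing works.
compare_listings() {
  { parse_listing F < "$2"; parse_listing S < "$1"; } | awk -F '\t' '
    $1 == "F"         { fresh[$2] = $3; next }
    $3 ~ /p/          { print "DISTRUSTED\t" $2 "\t" $3; next }  # p = prohibited
    !($2 in fresh)    { print "EXTRA\t" $2 "\t" $3; next }       # e.g. stored intermediate
    fresh[$2] != $3   { print "CHANGED\t" $2 "\t" fresh[$2] " -> " $3 }'
}

# Constructed sample listings (only UTN-USERFirst-Hardware is named in the thread).
sample_suspect() { cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

UTN-USERFirst-Hardware                                       ,,
Example Distrusted Intermediate CA                           p,p,p
Example Local CA                                             C,,
EOF
}
sample_fresh() { cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Example Local CA                                             CT,C,C
EOF
}

demo() {
  dir=$(mktemp -d)
  sample_suspect > "$dir/suspect.txt"; sample_fresh > "$dir/fresh.txt"
  compare_listings "$dir/suspect.txt" "$dir/fresh.txt"
  rm -rf "$dir"
}
demo
```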





More information about the pkg-mozilla-maintainers mailing list