Bug#670882: libnss3-1d: Iceweasel says that various sites use an invalid security certificate
Vincent Lefevre
vincent at vinc17.net
Tue May 1 16:22:05 UTC 2012
On 2012-05-01 08:15:47 +0200, Mike Hommey wrote:
> On Tue, May 01, 2012 at 02:59:12AM +0200, Vincent Lefevre wrote:
> > The problem seems to be that the new libnss3-1d is confused by
> > intermediate certificates from cert8.db that are in the chain.
> >
> > For instance, if I remove the UTN-USERFirst-Hardware certificate
> > with
> >
> > certutil -D -d .mozilla/firefox/xwsukxd4.test6/ -n UTN-USERFirst-Hardware
> >
> > the problem disappears on <https://www.zeroforfait.fr/>.
> >
> > As an example, I've attached the two certificates. Perhaps the
> > old libnss3-1d was ignoring certificates of cert8.db below the
> > root certificate? (There isn't much in the changelog).
>
> I can't reproduce the problem with either certificates, except if I
> explicitely distrust them. But in that case, it happens on 3.13.4 as
> well as 3.13.3.
Perhaps one needs more than the above one (there are other
certificates that are in the chain).
Is there a way to do a request with certutil like Firefox does,
and get information of what is done (e.g. which certificates from
cert8.db are used)?
--
Vincent Lefèvre <vincent at vinc17.net> - Web: <http://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <http://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
More information about the pkg-mozilla-maintainers
mailing list