Package: iceweasel; Maintainer for iceweasel is Maintainers of Mozilla-related packages <team+pkg-mozilla@tracker.debian.org>; Source for iceweasel is src:firefox-esr (PTS, buildd, popcon).
Reported by: Frank Lin PIAT <fpiat@klabs.be>
Date: Wed, 14 Jul 2010 11:30:02 UTC
Severity: normal
Tags: confirmed
Found in versions iceweasel/3.5.10-1, iceweasel/4.0-3
Report forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#589023; Package iceweasel.
(Wed, 14 Jul 2010 11:30:05 GMT)
Acknowledgement sent
to Frank Lin PIAT <fpiat@klabs.be>:
New Bug report received and forwarded. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>.
(Wed, 14 Jul 2010 11:30:05 GMT)
Message #5 received at submit@bugs.debian.org:
Package: iceweasel
Version: 3.5.10-1
Hello,
When I visit https://www.gandi.net, the certificate isn't trusted/recognized.
I can reproduce the problem with https://www.comodo.com
Error title: "This Connection is Untrusted"
Error code: sec_error_unknown_issuer
The certificate hierarchy goes like this (notice the loop):
www.gandi.net
`-> COMODO EV SGC CA
`-> AddTrust External CA Root
`-> UTN - DATACorp SGC
`-> AddTrust External CA Root
`-> UTN - DATACorp SGC
`-> AddTrust External CA Root
`-> (loop continues)
www.comodo.com
`-> COMODO EV SGC CA
`-> AddTrust External CA Root
`-> UTN - DATACorp SGC
`-> AddTrust External CA Root
`-> UTN - DATACorp SGC
`-> AddTrust External CA Root
`-> (loop continues)
Other web browsers (epiphany/Deb, chrome/Deb, firefox 3.6.3/Win, Safari/Win)
and openssl's CLI don't exhibit this loop behaviour.
(I have submitted a webshots session... we'll see how other browsers do
on http://browsershots.org/https://www.comodo.com/ )
The certificate "AddTrust External CA Root" is supposed to be
enabled/trusted on my system:
> readlink /etc/ssl/certs/AddTrust_External_Root.pem
> /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt
> # openssl x509 -noout -in /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt -subject
> subject= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
And it seems valid:
> debsums ca-certificates | grep "AddTrust_External_Root"
> /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt OK
> openssl verify -verbose /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt
> /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt: OK
OpenSSL seems happy with it, and doesn't loop:
> openssl s_client -host www.gandi.net -port 443 -CApath /etc/ssl/certs -showcerts > showcerts_gandi.txt
> depth=4 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> verify return:1
> depth=3 /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
> verify return:1
> depth=2 /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO Certification Authority
> verify return:1
> depth=1 /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO EV SGC CA
> verify return:1
> depth=0 /serialNumber=423093459/1.3.6.1.4.1.311.60.2.1.3=FR/1.3.6.1.4.1.311.60.2.1.2=Paris/businessCategory=V1.0, Clause 5.(b)/C=FR/postalCode=75011/ST=Paris/L=Paris/street=15 Place de la Nation/O=Gandi SAS/OU=Comodo EV SGC SSL/CN=www.gandi.net
> verify return:1
and
> openssl s_client -host www.comodo.com -port 443 -CApath /etc/ssl/certs -showcerts > showcerts_comodo.txt
> depth=2 /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> verify return:1
> depth=1 /C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO EV SGC CA
> verify return:1
> depth=0 /serialNumber=04058690/1.3.6.1.4.1.311.60.2.1.3=GB/1.3.6.1.4.1.311.60.2.1.2=Greater Manchester/1.3.6.1.4.1.311.60.2.1.1=Manchester/businessCategory=V1.0, Clause 5.(b)/C=GB/postalCode=M5 3EQ/ST=Greater Manchester/L=Salford/street=Trafford Road
> verify return:1
Regards,
Franklin
-- Package-specific info:
-- Extensions information
Name: Clear Cache Button
Location: ${PROFILE_EXTENSIONS}/{563e4790-7e70-11da-a72b-0800200c9a66}
Status: enabled
Name: Default
Location: /usr/lib/iceweasel/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled
Name: Firebug
Location: ${PROFILE_EXTENSIONS}/firebug@software.joehewitt.com
Status: enabled
Name: FirefoxNotify
Location: /usr/lib/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/firefoxnotify@abhishek.mukherjee
Package: xul-ext-notify
Status: enabled
Name: Flashblock
Location: ${PROFILE_EXTENSIONS}/{3d7eb24f-2740-49df-8937-200b1cc08f8a}
Status: enabled
Name: It's All Text!
Location: ${PROFILE_EXTENSIONS}/itsalltext@docwhat.gerf.org
Status: enabled
Name: JavaScript Debugger
Location: ${PROFILE_EXTENSIONS}/{f13b157f-b174-47e7-a34d-4815ddfdfeb8}
Status: enabled
Name: Live HTTP headers
Location: /usr/lib/iceweasel/extensions/{8f8fe09b-0bd3-4470-bc1b-8cad42b8203a}
Package: mozilla-livehttpheaders
Status: enabled
Name: Operator
Location: ${PROFILE_EXTENSIONS}/{95C9A302-8557-4052-91B7-2BB6BA33C885}
Status: user-disabled
Name: SQLite Manager
Location: ${PROFILE_EXTENSIONS}/SQLiteManager@mrinalkant.blogspot.com
Status: enabled
Name: ScrapBook
Location: ${PROFILE_EXTENSIONS}/{53A03D43-5363-4669-8190-99061B2DEBA5}
Status: user-disabled
Name: Web Developer
Location: ${PROFILE_EXTENSIONS}/{c45c406e-ab73-11d8-be73-000a95be3b12}
Status: enabled
-- Plugins information
Name: DivX® Web Player
Location: /usr/lib/mozilla/plugins/libtotem-mully-plugin.so
Package: totem-mozilla
Status: enabled
Name: Java(TM) Plug-in 1.6.0_20
Location: /usr/lib/jvm/java-6-sun-1.6.0.20/jre/lib/i386/libnpjp2.so
Package: sun-java6-bin
Status: enabled
Name: QuickTime Plug-in 7.6.6
Location: /usr/lib/mozilla/plugins/libtotem-narrowspace-plugin.so
Package: totem-mozilla
Status: enabled
Name: Shockwave Flash
Location: /usr/lib/flashplugin-nonfree/libflashplayer.so
Status: enabled
Name: VLC Multimedia Plugin (compatible Totem 2.30.2)
Location: /usr/lib/mozilla/plugins/libtotem-cone-plugin.so
Package: totem-mozilla
Status: enabled
Name: Windows Media Player Plug-in 10 (compatible; Totem)
Location: /usr/lib/mozilla/plugins/libtotem-gmp-plugin.so
Package: totem-mozilla
Status: enabled
Name: iTunes Application Detector
Location: /usr/lib/mozilla/plugins/librhythmbox-itms-detection-plugin.so
Package: rhythmbox-plugins
Status: enabled
-- Addons package information
ii iceweasel 3.5.10-1 Web browser based on Firefox
ii mozilla-liveht 0.16-1 Adds information about the HTTP headers to I
ii rhythmbox-plug 0.12.8-2 plugins for rhythmbox music player
ii sun-java6-bin 6.20-dlj-1 Sun Java(TM) Runtime Environment (JRE) 6 (ar
ii totem-mozilla 2.30.2-2+b1 Totem Mozilla plugin
ii xul-ext-notify 1.5.4-3 integrate Iceweasel download messages with d
-- System Information:
Debian Release: squeeze/sid
APT prefers testing
APT policy: (500, 'testing'), (101, 'unstable'), (10, 'experimental')
Architecture: i386 (x86_64)
Kernel: Linux 2.6.32-5-amd64 (SMP w/2 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages iceweasel depends on:
ii debianutils 3.3 Miscellaneous utilities specific t
ii fontconfig 2.8.0-2.1 generic font configuration library
ii libc6 2.11.2-2 Embedded GNU C Library: Shared lib
ii libgcc1 1:4.4.4-6 GCC support library
ii libglib2.0-0 2.24.1-1 The GLib library of C routines
ii libgtk2.0-0 2.20.1-1 The GTK+ graphical user interface
ii libnspr4-0d 4.8.4-2 NetScape Portable Runtime Library
ii libstdc++6 4.4.4-6 The GNU Standard C++ Library v3
ii procps 1:3.2.8-9 /proc file system utilities
ii xulrunner-1.9.1 1.9.1.10-1 XUL + XPCOM application runner
iceweasel recommends no packages.
Versions of packages iceweasel suggests:
ii libgssapi-krb5-2 1.8.1+dfsg-5 MIT Kerberos runtime libraries - k
pn mozplugger <none> (no description available)
pn ttf-lyx | latex-xft-fonts <none> (no description available)
pn ttf-mathematica4.1 <none> (no description available)
pn xfonts-mathml <none> (no description available)
pn xprint <none> (no description available)
Versions of packages xulrunner-1.9.1 depends on:
ii libasound2 1.0.23-1 shared library for ALSA applicatio
ii libatk1.0-0 1.30.0-1 The ATK accessibility toolkit
ii libbz2-1.0 1.0.5-4 high-quality block-sorting file co
ii libc6 2.11.2-2 Embedded GNU C Library: Shared lib
ii libcairo2 1.8.10-4 The Cairo 2D vector graphics libra
ii libdbus-1-3 1.2.24-1 simple interprocess messaging syst
ii libfontconfig1 2.8.0-2.1 generic font configuration library
ii libfreetype6 2.3.11-1 FreeType 2 font engine, shared lib
ii libgcc1 1:4.4.4-6 GCC support library
ii libglib2.0-0 2.24.1-1 The GLib library of C routines
ii libgtk2.0-0 2.20.1-1 The GTK+ graphical user interface
ii libhunspell-1.2-0 1.2.11-1 spell checker and morphological an
ii libjpeg62 6b1-1 The Independent JPEG Group's JPEG
ii libmozjs2d 1.9.1.10-1 The Mozilla SpiderMonkey JavaScrip
ii libnspr4-0d 4.8.4-2 NetScape Portable Runtime Library
ii libnss3-1d 3.12.6-3 Network Security Service libraries
ii libpango1.0-0 1.28.1-1 Layout and rendering of internatio
ii libpng12-0 1.2.44-1 PNG library - runtime
ii libreadline6 6.1-3 GNU readline and history libraries
ii libsqlite3-0 3.6.23.1-4 SQLite 3 shared library
ii libstartup-notification 0.10-1 library for program launch feedbac
ii libstdc++6 4.4.4-6 The GNU Standard C++ Library v3
ii libx11-6 2:1.3.3-3 X11 client-side library
ii libxrender1 1:0.9.5-2 X Rendering Extension client libra
ii libxt6 1:1.0.7-1 X11 toolkit intrinsics library
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
-- no debconf information
[showcerts_comodo.txt (text/plain, attachment)]
[showcerts_gandi.txt (text/plain, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#589023; Package iceweasel.
(Wed, 14 Jul 2010 11:45:06 GMT)
Acknowledgement sent
to Mike Hommey <mh@glandium.org>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>.
(Wed, 14 Jul 2010 11:45:06 GMT)
Message #10 received at 589023@bugs.debian.org:
On Wed, Jul 14, 2010 at 01:27:12PM +0200, Frank Lin PIAT wrote:
> Package: iceweasel
> Version: 3.5.10-1
>
> Hello,
>
> When I visit https://www.gandi.net, the certificate isn't trusted/recognized.
> I can reproduce the problem with https://www.comodo.com
> Error title: "This Connection is Untrusted"
> Error code: sec_error_unknown_issuer

Both work here.

(...)

> Other web browsers (epiphany/Deb, chrome/Deb, firefox 3.6.3/Win, Safari/Win)
> and openssl's CLI don't exhibit this loop behaviour.
> (I have submitted a webshots session... we'll see how other browsers do
> on http://browsershots.org/https://www.comodo.com/ )
>
> The certificate "AddTrust External CA Root" is supposed to be
> enabled/trusted on my system:
> > readlink /etc/ssl/certs/AddTrust_External_Root.pem
> > /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt
> > # openssl x509 -noout -in /usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt -subject
> > subject= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root

Unfortunately, these are not used by Iceweasel/libnss3.

The interesting data point in your report, though, is that it works with
chrome/deb. Chrome, like Iceweasel, uses libnss3, though unless you tested
with chromium-browser, I'm unsure it uses the system library.

Anyways, as it works properly here, I suspect something fishy with the
certificate database in your user profile.

Can you first check if that works better if you try with a new profile (you
can use a new user account, or run iceweasel -P to create a new profile).
If so, I invite you to check in Edit > Preferences > Advanced > Encryption >
View Certificates > Authorities.

Mike
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#589023; Package iceweasel.
(Wed, 14 Jul 2010 16:21:06 GMT)
Acknowledgement sent
to Frank Lin PIAT <fpiat@klabs.be>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>.
(Wed, 14 Jul 2010 16:21:06 GMT)
Message #15 received at 589023@bugs.debian.org:
On Wed, 2010-07-14 at 13:43 +0200, Mike Hommey wrote:
> On Wed, Jul 14, 2010 at 01:27:12PM +0200, Frank Lin PIAT wrote:
> >
> > When I visit https://www.gandi.net, the certificate isn't trusted/recognized.
> > Error title: "This Connection is Untrusted"
> > Error code: sec_error_unknown_issuer
> [..] as it works properly here, I suspect something fishy with the
> certificate database in your user profile.
>
> Can you first check if that works better if you try with a new profile
The new profile is OK (I should have tested that rather than make a wrong
assumption).
I investigated... In the OK profile, the "AddTrust External CA Root"
certificate is self-signed, whereas the certificates are different on
the KO profile (and they make a loop!):
/usr/bin/certutil -L -d /home/fpiat/.mozilla/firefox/*.default/ -a -n "AddTrust External CA Root" | openssl x509 -noout -issuer -subject
> issuer= /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
> subject= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
/usr/bin/certutil -L -d /home/fpiat/.mozilla/firefox/*.default/ -a -n "UTN - DATACorp SGC" | openssl x509 -noout -issuer -subject
> issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> subject= /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
I wonder where I got those certificates from, and if others could be affected.
<me thinking>
If I understand how NSS works properly, it means that NSS is "learning"
certificate chains (i.e. adding certificates to its database) as it is
receiving certificates from visited websites.
This fuzzy / unpredictable behavior scares me.
</me thinking>
Anyway, I removed the "Software Security Device" entries, and it's now
working:
UTN - DATACorp SGC
`-> AddTrust External CA Root
`-> COMODO EV SGC CA
`-> www.comodo.com
Regards,
Franklin
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#589023; Package iceweasel.
(Wed, 14 Jul 2010 16:51:03 GMT)
Acknowledgement sent
to Mike Hommey <mh@glandium.org>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>.
(Wed, 14 Jul 2010 16:51:03 GMT)
Message #20 received at 589023@bugs.debian.org:
On Wed, Jul 14, 2010 at 06:17:30PM +0200, Frank Lin PIAT wrote:
> On Wed, 2010-07-14 at 13:43 +0200, Mike Hommey wrote:
> > On Wed, Jul 14, 2010 at 01:27:12PM +0200, Frank Lin PIAT wrote:
> > >
> > > When I visit https://www.gandi.net, the certificate isn't trusted/recognized.
> > > Error title: "This Connection is Untrusted"
> > > Error code: sec_error_unknown_issuer
> > [..] as it works properly here, I suspect something fishy with the
> > certificate database in your user profile.
> >
> > Can you first check if that works better if you try with a new profile
>
> The new profile is OK (I should have tested that rather than make a wrong
> assumption).
>
> I investigated... In the OK profile, the "AddTrust External CA Root"
> certificate is self-signed, whereas the certificates are different on
> the KO profile (and they make a loop!):
>
> /usr/bin/certutil -L -d /home/fpiat/.mozilla/firefox/*.default/ -a -n "AddTrust External CA Root" | openssl x509 -noout -issuer -subject
> > issuer= /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
> > subject= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
>
> /usr/bin/certutil -L -d /home/fpiat/.mozilla/firefox/*.default/ -a -n "UTN - DATACorp SGC" | openssl x509 -noout -issuer -subject
> > issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> > subject= /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
>
> I wonder where I got those certificates from, and if others could be affected.
>
> <me thinking>
> If I understand how NSS works properly, it means that NSS is "learning"
> certificate chains (i.e. adding certificates to its database) as it is
> receiving certificates from visited websites.
>
> This fuzzy / unpredictable behavior scares me.
> </me thinking>

AFAIK, it doesn't.

The "AddTrust External CA Root" certificate is provided by the "builtin
object token", so it shouldn't have been broken in the first place. Are
you sure you never imported a broken certificate?

> Anyway, I removed the "Software Security Device" entries, and it's now
> working:
> UTN - DATACorp SGC
> `-> AddTrust External CA Root
> `-> COMODO EV SGC CA
> `-> www.comodo.com

Do you have a backup of your firefox profile directory? If you don't
have any private key stored in it, would you mind providing the *.db
files from there?

Cheers,

Mike
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#589023; Package iceweasel.
(Wed, 14 Jul 2010 20:45:02 GMT)
Acknowledgement sent
to Frank Lin PIAT <fpiat@klabs.be>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>.
(Wed, 14 Jul 2010 20:45:03 GMT)
Message #25 received at 589023@bugs.debian.org:
On Wed, 2010-07-14 at 18:49 +0200, Mike Hommey wrote:
> On Wed, Jul 14, 2010 at 06:17:30PM +0200, Frank Lin PIAT wrote:
> > On Wed, 2010-07-14 at 13:43 +0200, Mike Hommey wrote:
> > > On Wed, Jul 14, 2010 at 01:27:12PM +0200, Frank Lin PIAT wrote:
> > > >
> > > > When I visit https://www.gandi.net, the certificate isn't trusted/recognized.
> > > > Error title: "This Connection is Untrusted"
> > > > Error code: sec_error_unknown_issuer
> > > [..] as it works properly here, I suspect something fishy with the
> > > certificate database in your user profile.
> > >
> > > Can you first check if that works better if you try with a new profile
> >
> > The new profile is OK (I should have tested that rather than make a wrong
> > assumption).
> >
> > I investigated... In the OK profile, the "AddTrust External CA Root"
> > certificate is self-signed, whereas the certificates are different on
> > the KO profile (and they make a loop!):
> >
> > /usr/bin/certutil -L -d /home/fpiat/.mozilla/firefox/*.default/ -a -n "AddTrust External CA Root" | openssl x509 -noout -issuer -subject
> > > issuer= /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
> > > subject= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> >
> > /usr/bin/certutil -L -d /home/fpiat/.mozilla/firefox/*.default/ -a -n "UTN - DATACorp SGC" | openssl x509 -noout -issuer -subject
> > > issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> > > subject= /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
> >
> > I wonder where I got those certificates from, and if others could be affected.
> >
> > <me thinking>
> > If I understand how NSS works properly, it means that NSS is "learning"
> > certificate chains (i.e. adding certificates to its database) as it is
> > receiving certificates from visited websites.
> >
> > This fuzzy / unpredictable behavior scares me.
> > </me thinking>
>
> AFAIK, it doesn't.
>
> The "AddTrust External CA Root" certificate is provided by the "builtin
> object token", so it shouldn't have been broken in the first place. Are
> you sure you never imported a broken certificate?

I have no clue how that certificate ended up on my laptop. I am
extremely reluctant to add CA certificates to my laptop, I doubt I ever
did that (and when I see the amount of "Software Security Device", I am
pretty sure I didn't import them all myself :-/ )

The "AddTrust External CA Root" certificate I removed is the one under
"The USERTRUST Network", which type was "Software Security Device":
CN = AddTrust External CA Root
OU = AddTrust External TTP Network
O = AddTrust AB
C = SE

I did *not* remove the certificate "AddTrust External CA Root" filed
under "AddTrust AB", which type was "Builtin Object Token" already.

I have attached both certificates (.pem and .txt)

> > Anyway, I removed the "Software Security Device" entries, and it's now
> > working:
> > UTN - DATACorp SGC
> > `-> AddTrust External CA Root
> > `-> COMODO EV SGC CA
> > `-> www.comodo.com
>
> Do you have a backup of your firefox profile directory? If you don't
> have any private key stored in it, would you mind providing the *.db
> files from there?

I am sending the .db files privately

Franklin
[AddTrustExternalCARoot~AddTrust AB.pem (application/x-x509-ca-cert, attachment)]
[AddTrustExternalCARoot~AddTrust AB.pem.txt (text/plain, attachment)]
[AddTrustExternalCARoot~The USERTRUST Network.pem (application/x-x509-ca-cert, attachment)]
[AddTrustExternalCARoot~The USERTRUST Network.pem.txt (text/plain, attachment)]
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#589023; Package iceweasel.
(Thu, 15 Jul 2010 08:03:11 GMT)
Acknowledgement sent
to Mike Hommey <mh@glandium.org>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>.
(Thu, 15 Jul 2010 08:03:11 GMT)
Message #30 received at 589023@bugs.debian.org:
On Wed, Jul 14, 2010 at 10:43:02PM +0200, Frank Lin PIAT wrote:
> On Wed, 2010-07-14 at 18:49 +0200, Mike Hommey wrote:
> > On Wed, Jul 14, 2010 at 06:17:30PM +0200, Frank Lin PIAT wrote:
> > > On Wed, 2010-07-14 at 13:43 +0200, Mike Hommey wrote:
> > > > On Wed, Jul 14, 2010 at 01:27:12PM +0200, Frank Lin PIAT wrote:
> > > > >
> > > > > When I visit https://www.gandi.net, the certificate isn't trusted/recognized.
> > > > > Error title: "This Connection is Untrusted"
> > > > > Error code: sec_error_unknown_issuer
> > > > [..] as it works properly here, I suspect something fishy with the
> > > > certificate database in your user profile.
> > > >
> > > > Can you first check if that works better if you try with a new profile
> > >
> > > The new profile is OK (I should have tested that rather than make a wrong
> > > assumption).
> > >
> > > I investigated... In the OK profile, the "AddTrust External CA Root"
> > > certificate is self-signed, whereas the certificates are different on
> > > the KO profile (and they make a loop!):
> > >
> > > /usr/bin/certutil -L -d /home/fpiat/.mozilla/firefox/*.default/ -a -n "AddTrust External CA Root" | openssl x509 -noout -issuer -subject
> > > > issuer= /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
> > > > subject= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> > >
> > > /usr/bin/certutil -L -d /home/fpiat/.mozilla/firefox/*.default/ -a -n "UTN - DATACorp SGC" | openssl x509 -noout -issuer -subject
> > > > issuer= /C=SE/O=AddTrust AB/OU=AddTrust External TTP Network/CN=AddTrust External CA Root
> > > > subject= /C=US/ST=UT/L=Salt Lake City/O=The USERTRUST Network/OU=http://www.usertrust.com/CN=UTN - DATACorp SGC
> > >
> > > I wonder where I got those certificates from, and if others could be affected.
> > >
> > > <me thinking>
> > > If I understand how NSS works properly, it means that NSS is "learning"
> > > certificate chains (i.e. adding certificates to its database) as it is
> > > receiving certificates from visited websites.
> > >
> > > This fuzzy / unpredictable behavior scares me.
> > > </me thinking>
> >
> > AFAIK, it doesn't.
> >
> > The "AddTrust External CA Root" certificate is provided by the "builtin
> > object token", so it shouldn't have been broken in the first place. Are
> > you sure you never imported a broken certificate?
>
> I have no clue how that certificate ended up on my laptop. I am
> extremely reluctant to add CA certificates to my laptop, I doubt I ever
> did that (and when I see the amount of "Software Security Device", I am
> pretty sure I didn't import them all myself :-/ )
>
> The "AddTrust External CA Root" certificate I removed is the one under
> "The USERTRUST Network", which type was "Software Security Device":
> CN = AddTrust External CA Root
> OU = AddTrust External TTP Network
> O = AddTrust AB
> C = SE

Basically, anything that is type "Software Security Device" is something
that was added to the database. It looks like iceweasel does that for
intermediate certificates, like, I believe, most if not all browsers.

Now, there are 3 questions that should be answered:
- where does your additional (broken) AddTrust External CA Root cert come from?
- why is it broken?
- why does iceweasel/nss allow such broken situations, especially when
  there is another AddTrust External CA Root cert?

The first is primordial, I think, because it would help understand how
you got this certificate in the first place.

The second might be related to the UTN - DATACorp SGC cert. In the
builtin token, it is issued by AddTrust External CA Root, which
introduces the loop. But there are chances that the UTN - DATACorp SGC
key it was actually issued from had a different certificate associated
with it by the time, not issued by AddTrust External CA Root.

For the latter, I don't know what to think. It's apparently not going
to be a security issue. Only a nuisance in that certificates issued by
the half broken CA will be shown as invalid.

I'll think a bit more about it and probably file a bug upstream.

Mike
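The loop Frank traced with certutil in message #15 and the cross-signing explanation in the reply above both come down to path building over a subject/issuer graph. The Python below is an added example, not code from the bug report and not NSS's own path builder. It models the two tokens with constructed records that use only the CNs quoted in the thread (keys, signatures and validity periods are not modelled, and the order in which candidate issuers are tried is an assumption chosen to reproduce the reported loop). It shows why a first-match walk never terminates once a second, cross-signed "AddTrust External CA Root" sits in the profile token, how a builder that tries a trust anchor first and tracks visited certificates still terminates, and the audit check a defender would run over a certificate store: any entry that shares a trust anchor's subject without being that anchor.

```python
"""Cross-signed CA certificates and certificate path building.

Added example, not code from the bug report and not NSS code.  The records are
constructed from the issuer/subject pairs quoted in the thread; only the
subject/issuer graph is modelled (no keys, signatures or validity dates), and
subjects are reduced to the CN the thread quotes.
"""
from __future__ import annotations
from dataclasses import dataclass

BUILTIN = "Builtin Object Token"        # NSS built-in root store
PROFILE = "Software Security Device"    # certificates stored in the profile DB


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    token: str
    trusted: bool = False   # trust anchor; here only the built-in self-signed root

    @property
    def self_signed(self) -> bool:
        return self.subject == self.issuer


def make_store(with_cross_signed_root: bool) -> list[Cert]:
    """Constructed store.  The profile token is listed first so that a naive
    first-match lookup prefers it; that ordering is a modelling assumption made
    to reproduce the loop the reporter saw, not measured NSS behaviour."""
    store = [
        Cert("www.comodo.com", "COMODO EV SGC CA", PROFILE),
        Cert("COMODO EV SGC CA", "AddTrust External CA Root", PROFILE),
    ]
    if with_cross_signed_root:
        # The stray entry from the report: same subject as the built-in root,
        # but issued by UTN - DATACorp SGC instead of being self-signed.
        store.append(Cert("AddTrust External CA Root", "UTN - DATACorp SGC", PROFILE))
    store += [
        # Per the reply above, the built-in UTN - DATACorp SGC is issued by AddTrust.
        Cert("UTN - DATACorp SGC", "AddTrust External CA Root", BUILTIN),
        Cert("AddTrust External CA Root", "AddTrust External CA Root", BUILTIN, trusted=True),
    ]
    return store


def candidates(subject: str, store: list[Cert]) -> list[Cert]:
    """Every certificate in the store with the given subject."""
    return [c for c in store if c.subject == subject]


def naive_build(leaf_subject: str, store: list[Cert], max_depth: int = 8) -> tuple[list[str], bool]:
    """Follow issuer links, always taking the first matching issuer, stopping
    only at a self-signed certificate.  Returns (subjects visited, looped)."""
    current = candidates(leaf_subject, store)[0]
    path = [current.subject]
    for _ in range(max_depth):
        if current.self_signed:
            return path, False
        issuers = candidates(current.issuer, store)
        if not issuers:
            return path, False      # unknown issuer: the chain just ends
        current = issuers[0]
        path.append(current.subject)
    return path, True               # depth exhausted: we were going in circles


def build_path(leaf_subject: str, store: list[Cert]) -> list[Cert] | None:
    """Depth-first path building that stops at the first trust anchor, tries an
    anchor before any other candidate issuer, and never revisits a certificate,
    so a cross-signed pair cannot cause an endless walk.  None if no anchor."""
    def walk(cert: Cert, visited: frozenset[Cert]) -> list[Cert] | None:
        if cert.trusted:
            return [cert]
        if cert.self_signed:
            return None             # untrusted self-signed certificate: dead end
        for nxt in sorted(candidates(cert.issuer, store), key=lambda c: not c.trusted):
            if nxt in visited:
                continue
            rest = walk(nxt, visited | {nxt})
            if rest is not None:
                return [cert] + rest
        return None

    leaf = candidates(leaf_subject, store)[0]
    return walk(leaf, frozenset({leaf}))


def find_shadowing_certs(store: list[Cert]) -> list[Cert]:
    """Audit helper: entries that reuse a trust anchor's subject without being
    that anchor, i.e. the 'Software Security Device' copy the reporter removed."""
    anchors = {c.subject for c in store if c.trusted}
    return [c for c in store if c.subject in anchors and not c.trusted]


if __name__ == "__main__":
    for flag in (True, False):
        store = make_store(flag)
        path, looped = naive_build("www.comodo.com", store)
        print("naive:", " -> ".join(path), "(loop!)" if looped else "")
        chain = build_path("www.comodo.com", store)
        print("built:", " -> ".join(c.subject for c in chain), "anchor in", chain[-1].token)
        print("suspicious:", [(c.subject, c.issuer, c.token) for c in find_shadowing_certs(store)])
```

Running it prints, for the store with and without the stray entry, the naive walk (which cycles AddTrust / UTN / AddTrust exactly as the report's tree shows), the path the cycle-aware builder settles on (ending at the built-in anchor either way), and the entry `find_shadowing_certs` flags. If the built-in anchor is removed from the store entirely, `build_path` returns None (no trusted anchor reachable) rather than looping, which is the failure a path builder should report.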
Information forwarded
to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#589023; Package iceweasel.
(Sat, 23 Apr 2011 06:33:07 GMT)
Acknowledgement sent
to Vincent Bernat <bernat@debian.org>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>.
(Sat, 23 Apr 2011 06:33:07 GMT)
Message #35 received at 589023@bugs.debian.org:
Package: iceweasel
Version: 4.0-3
Followup-For: Bug #589023

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi!

A quick note to say that I had the exact same problem here: unable to
access https://www.gandi.net because of the loop and solved by deleting
the certificate "The USERTRUST Network" -> "Addtrust External CA Root"
(which was from "Software Security Device").

- -- Package-specific info:
- -- Plugins information
Name: IcedTea NPR Web Browser Plugin (using IcedTea6 1.8.7 (6b18-1.8.7-2))
Location: /usr/lib/jvm/java-6-openjdk/jre/lib/amd64/IcedTeaPlugin.so
Package: icedtea6-plugin
Status: enabled
Name: Shockwave Flash
Location: /usr/lib/flashplugin-nonfree/libflashplayer.so
Status: enabled
- -- Addons package information
ii icedtea6-plugi 6b18-1.8.7-2 web browser plugin based on OpenJDK and Iced
- -- System Information:
Debian Release: wheezy/sid
APT prefers unstable
APT policy: (500, 'unstable'), (101, 'experimental')
Architecture: amd64 (x86_64)
Kernel: Linux 2.6.38-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.utf8, LC_CTYPE=fr_FR.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages iceweasel depends on:
ii debianutils 3.4.4 Miscellaneous utilities specific t
ii fontconfig 2.8.0-2.2 generic font configuration library
ii libc6 2.11.2-13 Embedded GNU C Library: Shared lib
ii libglib2.0-0 2.28.6-1 The GLib library of C routines
ii libgtk2.0-0 2.24.4-3 The GTK+ graphical user interface
ii libnspr4-0d 4.8.7-2 NetScape Portable Runtime Library
ii libstdc++6 4.6.0-4 The GNU Standard C++ Library v3
ii procps 1:3.2.8-10 /proc file system utilities
ii xulrunner-2.0 2.0-3 XUL + XPCOM application runner
iceweasel recommends no packages.
Versions of packages iceweasel suggests:
ii libgssapi-krb5-2 1.9+dfsg-1+b1 MIT Kerberos runtime libraries - k
pn mozplugger <none> (no description available)
ii ttf-lyx 2.0.0~rc3-2 TrueType versions of some TeX font
pn ttf-mathematica4.1 <none> (no description available)
ii xfonts-mathml 4 Type1 Symbol font for MathML
pn xprint <none> (no description available)
Versions of packages xulrunner-2.0 depends on:
ii libasound2 1.0.23-3 shared library for ALSA applicatio
ii libatk1.0-0 2.0.0-1 The ATK accessibility toolkit
ii libbz2-1.0 1.0.5-6 high-quality block-sorting file co
ii libc6 2.11.2-13 Embedded GNU C Library: Shared lib
ii libcairo2 1.10.2-6 The Cairo 2D vector graphics libra
ii libdbus-1-3 1.4.8-2 simple interprocess messaging syst
ii libevent-1.4-2 1.4.13-stable-1 An asynchronous event notification
ii libfontconfig1 2.8.0-2.2 generic font configuration library
ii libfreetype6 2.4.4-1 FreeType 2 font engine, shared lib
ii libgcc1 1:4.6.0-4 GCC support library
ii libglib2.0-0 2.28.6-1 The GLib library of C routines
ii libgtk2.0-0 2.24.4-3 The GTK+ graphical user interface
ii libhunspell-1.2- 1.2.14-4 spell checker and morphological an
ii libjpeg62 6b1-1 The Independent JPEG Group's JPEG
ii libmozjs4d 2.0-3 The Mozilla SpiderMonkey JavaScrip
ii libnspr4-0d 4.8.7-2 NetScape Portable Runtime Library
ii libnss3-1d 3.12.9.with.ckbi.1.82-1 Network Security Service libraries
ii libpango1.0-0 1.28.3-6 Layout and rendering of internatio
ii libpixman-1-0 0.21.6-2 pixel-manipulation library for X a
ii libreadline6 6.1-3 GNU readline and history libraries
ii libsqlite3-0 3.7.5-1 SQLite 3 shared library
ii libstartup-notif 0.10-1 library for program launch feedbac
ii libstdc++6 4.6.0-4 The GNU Standard C++ Library v3
ii libvpx0 0.9.6-1 VP8 video codec (shared library)
ii libx11-6 2:1.4.3-1 X11 client-side library
ii libxext6 2:1.2.0-2 X11 miscellaneous extension librar
ii libxrender1 1:0.9.6-1 X Rendering Extension client libra
ii libxt6 1:1.1.1-1 X11 toolkit intrinsics library
ii zlib1g 1:1.2.3.4.dfsg-3 compression library - runtime
Versions of packages xulrunner-2.0 suggests:
ii libcanberra0 0.24-1 a simple abstract interface for pl
ii libdbus-glib-1-2 0.92-1 simple interprocess messaging syst
ii libgconf2-4 2.28.1-6 GNOME configuration database syste
ii libgnomeui-0 2.24.3-1 The GNOME libraries (User Interfac
ii libgnomevfs2-0 1:2.24.4-1 GNOME Virtual File System (runtime
ii libnotify1 [libnotify1-gtk2.1 0.5.0-2 sends desktop notifications to a n
- -- no debconf information
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEARECAAYFAk2yb8AACgkQKFvXofIqeU5adACfbAED2cq0njmSnvZoFZNDxLmM
7toAn3xfkMu8pZZ9bxlQql3QbB2E4yBD
=IsRh
-----END PGP SIGNATURE-----
Added tag(s) confirmed.
Request was from Mike Hommey <glandium@debian.org>
to control@bugs.debian.org.
(Sat, 06 Aug 2011 09:22:23 GMT)