On 1/24/2008 1:33 PM, Robert Relyea wrote:
> Jeremy Morton wrote:
>> Could anyone tell me why the SSL cert for this site isn't being
>> recognized by Firefox?
>>
>> https://www.mortonsolicitors.com
>>
>> I know that most browsers don't recognize StartCom free SSL, but I
>> thought Firefox did (it has StartCom in the root cert list). It says it
>> can't verify the certificate for 'unknown reasons'.
>>
>> Best regards,
>> Jeremy Morton (Jez)
>>
>> _______________________________________________
>> dev-tech-crypto mailing list
>> dev-tech-crypto@lists.mozilla.org
>> https://lists.mozilla.org/listinfo/dev-tech-crypto
>>
> Here's the error I get for FF 3.0:
> Secure Connection Failed
>
> www.mortonsolicitors.com uses an invalid security certificate.
> The certificate is not trusted because the issuer certificate is unknown.
> (Error code: sec_error_unknown_issuer)
>
> * This could be a problem with the server's configuration, or it
>   could be someone trying to impersonate the server.
> * If you have connected to this server successfully in the past, the
>   error may be temporary, and you can try again later.
>
> The most likely problem is that the server is not sending down the
> 'StartCom Class 1 Primary Intermediate Server CA' in its chain. You'll
> need to load the intermediate into your server...
>
> bob

In other words, when a site certificate is signed by an intermediate certificate, both the site and intermediate certificates must be installed on the secure server. In too many instances this is not done. That makes it a configuration error by the site host. In turn, that makes me suspicious of how well the host administrators adhere to general security procedures.

For details, see <http://www.verisign.com/support/verisign-intermediate-ca/index.html>.

Part of the problem is that IE will search the Web for the missing intermediate certificate, thereby encouraging sloppy (and possibly dangerous) operations of secure servers. I might be misreading it, but bug #399045 appears to be adding a similar capability to Mozilla products.

-- 
David E. Ross
<http://www.rossde.com/>

Go to Mozdev at <http://www.mozdev.org/> for quick access to extensions for Firefox, Thunderbird, SeaMonkey, and other Mozilla-related applications. You can access Mozdev much more quickly than you can Mozilla Add-Ons.