David E. Ross wrote, On 2008-11-05 16:10:
> I'm having a problem with a credit union's Web site (which prompted my
> other message "IP Address Question" in mozilla.support.seamonkey).
> 
> Sometimes when I access the site's home page -- which is https --
> everything is okay; a secure session is established.  Sometimes,
> however, it appears that the required intermediate certificates have not
> been installed on the server.  These situations are seen in SeaMonkey's
> Certificate Viewer under the Details tab.  If a secure session is
> established, I can see the chain of certificates from the site
> certificate, through two intermediate certificates, up to the root that
> is in SeaMonkey's certificate database on my PC.  If I get the Website
> Certified by an Unknown Authority error popup, there is no such chain;
> only the site's certificate appears in Details.

I suspect that those two server certificates that you see are not the
same certificate.  The server cert you see with the full chain may not
be the same as the server cert you see with no chain.

When you visit a site with a valid chain with one or more intermediate
CA certificates, your browser actually stores copies of those intermediate
certificates in its cert DB on disk, so that if it later comes to another
web site that is serving an incomplete chain, it can attempt to fill in
the missing parts of the chain with known valid intermediate CA certs.
(IE does this too, but it stores the certs in its own separate cert store.)

So, the fact that you sometimes see a full chain should mean that those
intermediate CA certs are now stored in your cert DB.  The fact that you
sometimes see a server cert with an incomplete chain says that your
browser was unable to find any cert that passes the tests to be the
issuer cert for that server cert.  Your browser couldn't find the
missing CA cert, not even from among the valid CA certs it has previously
stored in your cert DB.

Now, there are only two ways that can be:

a) the two server certs are not the same, and the one for which the chain
appears to be incomplete was NOT issued by the same issuer as the one for
which the chain appears to be complete.  Your browser cannot complete the
chain for the second server cert, because it does not possess the missing
CA cert for that server cert.  OR

b) your cert DB is seriously corrupted, so that the browser is unable to
find the issuer cert(s) that it previously put into the cert DB.  It
cannot complete the cert chain because it cannot access those stored certs.

There are some simple tests you can do to figure this out.

1. The next time you visit that site, go to the details tab of your
Certificate Viewer and note down the details about that cert.  Note the
subject name, issuer name, serial number, starting and ending validity
dates, the first and last few bytes of the certificate's public key (in
hex), and the first and last few bytes of the cert's signature (in hex).
If the cert viewer gives you a chance to save the cert to a disk file,
do that.

Do that for the server cert with the complete chain, AND do it for the
cert with the incomplete chain.  (Save the certs to separate files, of
course.)

If the two certs are different, then something's afoot.  Maybe they've
got a "farm" of servers, and one of the servers in that farm is
misconfigured.  Or maybe you're occasionally connecting to an attacker's
site.  It's VERY unlikely that a single server sends you one cert at
some times and another cert at other times, or that it sends a complete
cert chain at some times and an incomplete cert chain at others.

If the two certs are the same cert in every detail, then it probably is
the case that one server in the company's "farm" is misconfigured, and
it only sends out the server cert but not the complete chain.  In that
case, you can be relatively sure that the server is merely misconfigured
and it's not an attack.  But in that case, you've probably also got a
corrupt cert8.db file, because with a healthy cert DB, your browser
should be able to fill in the missing CA certs from the contents of the
cert DB.  This brings me to the second test you can do.

2. Try it with a fresh clean profile with no extensions.  Maybe you
will find that you NEVER see the problem with a clean profile and no
extensions.  If you find that to be the case, then I'd guess that you're
using a troublesome extension.  If you are using any extensions that try
to change or add any behavior related to certificates or cryptography,
then I recommend that you definitely try the fresh clean profile.

Finally, here is a third approach:

3. When your browser is not running, rename your cert DB file to something
else, such as OLDcert8.db, or cert8.db-, then restart your browser.
Your browser will create a new empty cert8.db which will not be corrupt,
and as you visit https sites with valid cert chains, it will begin to fill
that new DB with those intermediate CA certs.  If your problem was indeed
that the cert DB was corrupt, then this step will cure the symptom for you.

Of course, you may have some of your own personal certs in that old cert DB
and you won't want to lose them.  But you've previously backed them up by
"exporting" them into PKCS#12 files, right?  If so, you can just restore
them by "importing" them into your new cert DB.  If you haven't previously
backed them up, then it would be a good idea to try to do that while your
old cert8.db is still in place with the name cert8.db.  Perhaps your DB is
good enough, not too corrupt, and you will still be able to export your
cert(s) from it.

If you do find that your old cert DB was corrupt, I can provide you with
a program that will look at it and perform some diagnosis on it, which
might be informative in a post-mortem way.

> Is there a way to make an entry in Certificate Manager for the site
> certificate when I establish a good secure session?  

Yes, but that's probably not your best option, for several reasons.

a) if the server that is sending you the incomplete cert chain is sending
you a different cert, then having a copy of the right cert tucked away
isn't going to help you any.  Having a copy of the right cert tucked
away with some trust flags will only help you if the cert from the
server with the incomplete chain matches the cert you've got stored.

b) If the problem is due to an extension, then you may have troubles
anyway, even if you do store a copy of the good server cert.  In that
case, you probably really want to get your browser restored to a state
in which it behaves correctly with respect to certs.

c) If your cert DB is corrupt, then you definitely want to fix that with
a new cert DB.  Storing yet another cert in an already corrupt cert DB
isn't going to help much.

> How can I download a site certificate from that site to import into
> SeaMonkey's certificate database on my PC?

It's a job.  You must export the good cert to a file, then import it
again and mark it trusted.  But I don't recommend this course of action.

> Follow-up set to mozilla.support.seamonkey.

Yeah.  Ditto.  :)
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
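Test 1 in the message above (compare the two saved server certs in every detail), as an added example that is not part of the original post or of any Mozilla tool: it reads the serial, issuer, validity, subject, public key and signature out of each DER certificate and lists the fields that differ. The `sample` certificates are constructed X.509-shaped skeletons, not real certificates, and all function names here are this example's own.

```python
import ssl
from pathlib import Path

def tlv(buf, pos=0):
    """Decode one DER element: (tag, value, offset of the next element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(value):                         # contents of a SEQUENCE -> [(tag, value)]
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = tlv(value, pos)
        out.append((tag, val))
    return out

def cert_fields(der):
    """Return the fields the message says to note down, as hex strings."""
    tbs, _alg, sig = children(tlv(der)[1])   # Certificate ::= SEQUENCE of three
    parts = children(tbs[1])
    if parts[0][0] == 0xA0:                  # optional [0] version field
        parts = parts[1:]
    names = ("serial", "sig_alg", "issuer", "validity", "subject", "public_key")
    fields = {n: v.hex() for n, (_, v) in zip(names, parts)}
    fields["signature"] = sig[1].hex()
    return fields

def differing_fields(der_a, der_b):
    """Names of the fields in which two certificates differ ([] = same cert)."""
    a, b = cert_fields(der_a), cert_fields(der_b)
    return [k for k in a if a[k] != b[k]]

def load(path):                              # cert saved from the viewer, PEM or DER
    data = Path(path).read_bytes()
    if data.lstrip().startswith(b"-----BEGIN"):
        return ssl.PEM_cert_to_DER_cert(data.decode("ascii").strip())
    return data

# --- constructed sample data: X.509-shaped skeletons, not real certificates ---
def enc(tag, *parts):                        # short-form lengths only (< 128 bytes)
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)
def sample(issuer, sig):
    tbs = enc(0x30, enc(0xA0, enc(0x02, b"\x02")), enc(0x02, b"\x01\x23"), enc(0x30),
              enc(0x30, enc(0x0C, issuer)),                      # issuer Name
              enc(0x30, enc(0x17, b"081101000000Z"), enc(0x17, b"091101000000Z")),
              enc(0x30, enc(0x0C, b"www.example.test")), enc(0x30, enc(0x03, b"\x00\xaa\xbb")))
    return enc(0x30, tbs, enc(0x30), enc(0x03, b"\x00" + sig))
```

An empty list from `differing_fields(load(a), load(b))` means the two files hold the same cert; `issuer` in the list corresponds to case (a) in the message.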
