Kaspar Brand wrote on 09.04.2010 18:28:
> On 09.04.2010 15:35, Ulrich Boche wrote:
>> According to Firefox, the complete certificate chain is:
>>
>> service.lbb.de
>> VeriSign Class 3 Secure Server CA - G2
>> Builtin Object Token: Verisign Class 3 Public Primary Certification
>> Authority - G2
>>
>> The certificate I listed is only the intermediate CA certificate, but
>> the problem remains: the root CA certificate is missing in Thunderbird.
>
> Not true - Thunderbird also includes "Verisign Class 3 Public Primary
> Certification Authority - G2" (no matter which version you look at).
>
> The problem with service.lbb.de is the one which Eddy surmised: an
> incomplete chain. A special form of "incomplete", to be precise: it's
> sending the *wrong* intermediate CA.
>
> Tell the people from LandesBank Berlin that they should configure
> service.lbb.de with the same chain as https://www.lbb.de... or more
> specifically, tell them to use the cert from
> http://svrsecure-g2-aia.verisign.com/SVRSecureG2.cer as the intermediate
> CA (not the one with "CN=VeriSign Class 3 Secure Server CA", which
> service.lbb.de currently sends out).
>
> Kaspar

I'm sorry I have no idea how to contact someone at Landesbank Berlin who
would know how to configure their web servers. But thank you for the
link to the proper certificate, installing it in Thunderbird at least
solved my problem.
BTW. The web servers I've worked with (on IBM System z) verify the
certificate chain in their certificate key ring at SSL initialization.
SSL ports don't come up if the chain is broken. That doesn't seem to be
the standard on some platforms, I guess.
--
Ulrich Boche
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
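
Added example, not part of the original thread: a Go version of the kind of startup check mentioned in the last message, verifying the leaf against only the intermediates the server itself sends. It shows why a chain carrying the wrong intermediate fails for a client that has no cached copy of the right one. All certificates and names (Example Root, Example Server CA - G2, Example Server CA, service.example.test) are constructed for the demonstration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a constructed test certificate; a nil parent means a self-signed root.
func issue(cn string, ca bool, parent *x509.Certificate, pkey ed25519.PrivateKey, dns ...string) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, DNSNames: dns, IsCA: ca, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		parent, pkey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// checkServedChain verifies served[0] for host using only the intermediates in served[1:].
func checkServedChain(roots *x509.CertPool, host string, served ...*x509.Certificate) error {
	if len(served) == 0 {
		return fmt.Errorf("no certificates served")
	}
	inter := x509.NewCertPool()
	for _, c := range served[1:] {
		inter.AddCert(c)
	}
	_, err := served[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: inter})
	return err
}

func demo() (good, bad error) {
	root, rootKey := issue("Example Root", true, nil, nil)
	g2, g2Key := issue("Example Server CA - G2", true, root, rootKey) // issues the leaf
	other, _ := issue("Example Server CA", true, root, rootKey)       // valid CA, but not the issuer
	leaf, _ := issue("service.example.test", false, g2, g2Key, "service.example.test")
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return checkServedChain(roots, leaf.DNSNames[0], leaf, g2), checkServedChain(roots, leaf.DNSNames[0], leaf, other)
}
func main() { fmt.Println(demo()) }
```

Run against the certificates a server is configured to send, a check like this catches the mismatch before the port comes up, even though the trusted root is present in both cases.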