Opened 6 years ago

Closed 6 years ago

#14902 closed defect (invalid)

Linux TBB 4.0.3 Firefox missing CA certificates

Reported by: starlight Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Keywords:
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

Been running into certificate challenges when using

tor-browser-linux64-4.0.3_en-US

Seems to be missing a few CA certs, perhaps
due to an old certdata.txt file in the
build tree.

The example causing me to notice is

CN = VeriSign Class 3 International Server CA - G3

which is present in standard Firefox 36. On a
glance I see something like five missing
VeriSign CA certs in the certificate viewer
under the "Authorities" tab.

Attachments (1)

ff35_ca_cert_window.gif (33.8 KB) - added by starlight 6 years ago.
Firefox 35 CA cert window screen-snap


Change History (6)

comment:1 in reply to:  description Changed 6 years ago by gk

Replying to starlight:

> The example causing me to notice is
>
> CN = VeriSign Class 3 International Server CA - G3
>
> which is present in standard Firefox 36.

Hm... VeriSign Class 3 International Server CA - G3 is not listed in the Authorities tab for me. You might have imported that one yourself?

> On a glance I see something like five missing
> VeriSign CA certs in the certificate viewer
> under the "Authorities" tab.

Well, comparing the ESR 31 based Tor Browser to Firefox 36 does not work as there might be (and are in this case) new authorities that got added to newer Firefox versions but not backported to ESR. That said, we seem to miss all the Authorities labeled as "Software Security Device" which is indeed a bug.

comment:2 Changed 6 years ago by starlight

I meant FF35 (have 36 beta on one system), but it's
certainly there. See attached screen snap.

Occasionally I grab the FF CAs so am familiar with
how they exist in the code. All the CAs come
from certdata.txt, which should be trivial
to take from the current FF and move into
the ESR release. Seems a good idea to do
this periodically as it would allow Tor
Browser to keep current on newer CAs,
and more critically, on CA deletions and
bannings. Currently Mozilla is eliminating
1024 bit certificates.
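
The periodic comparison suggested in comment:2, as an added example that is not part of the ticket or of Tor Browser's code: it reads the attribute/type/value lines of two certdata.txt versions and reports which CAs gained, lost or had revoked their TLS server trust. The CA names and both stores are constructed, the helper names are hypothetical, and entries are keyed on label for brevity.

```python
def sample_trust(label, level):
    # Constructed trust object in certdata.txt layout; hash bytes are dummy values.
    return ('# Trust for "%s"\n'
            'CKA_CLASS CK_OBJECT_CLASS CKO_NSS_TRUST\n'
            'CKA_LABEL UTF8 "%s"\n'
            'CKA_CERT_SHA1_HASH MULTILINE_OCTAL\n\\001\\002\\003\nEND\n'
            'CKA_TRUST_SERVER_AUTH CK_TRUST %s\n\n') % (label, label, level)

TRUSTED, DISTRUSTED = "CKT_NSS_TRUSTED_DELEGATOR", "CKT_NSS_NOT_TRUSTED"
# Constructed stores with made-up CA names: B is dropped, C is distrusted, D is new.
OLD = "BEGINDATA\n" + "".join(sample_trust("Constructed Root " + n, TRUSTED) for n in "ABC")
NEW = ("BEGINDATA\n" + sample_trust("Constructed Root A", TRUSTED)
       + sample_trust("Constructed Root C", DISTRUSTED)
       + sample_trust("Constructed Root D", TRUSTED))

def server_auth_trust(text):
    """Map CA label -> CKA_TRUST_SERVER_AUTH value of each CKO_NSS_TRUST object."""
    trust, obj, in_octal = {}, None, False
    for line in text.splitlines():
        line = line.strip()
        if in_octal:                       # octal payload runs until END
            in_octal = line != "END"
            continue
        parts = line.split(None, 2)
        if len(parts) < 2 or line.startswith("#"):
            continue                       # blank, comment, or BEGINDATA
        attr, typ, value = parts[0], parts[1], parts[2] if len(parts) > 2 else ""
        if typ == "MULTILINE_OCTAL":
            in_octal = True
        elif attr == "CKA_CLASS":          # a CKA_CLASS line opens a new object
            obj = {"class": value}
        elif obj and attr == "CKA_LABEL":
            obj["label"] = value.strip('"')
        elif obj and attr == "CKA_TRUST_SERVER_AUTH" and obj["class"] == "CKO_NSS_TRUST":
            trust[obj.get("label")] = value
    return trust

def diff_trust(old_text, new_text):
    """Report TLS server-auth trust changes between two certdata.txt versions."""
    old, new = server_auth_trust(old_text), server_auth_trust(new_text)
    was = {l for l, t in old.items() if t == TRUSTED}
    now = {l for l, t in new.items() if t == TRUSTED}
    return {"added": sorted(now - was),
            "removed": sorted(was - set(new)),
            "distrusted": sorted((was - now) & set(new))}

if __name__ == "__main__":
    for change, labels in diff_trust(OLD, NEW).items():
        print(change, labels)
```
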

Changed 6 years ago by starlight

Attachment: ff35_ca_cert_window.gif added

Firefox 35 CA cert window screen-snap

comment:3 Changed 6 years ago by starlight

Oops! I forgot that "Software Security Device" is
what downloaded intermediate certificates are
labeled in the CA-cert window. The troublesome
certificate is one of these. In my defense
it is not a terribly clear designation.

So probably the site that was vexing me was
failing to include the intermediate cert in
the web-server configuration--a not uncommon
(though a rather lame) mistake. The challenge
was on a news site and persisted for months,
and so started getting under my skin.

However I still believe it's a good idea to track
the current Mozilla built-in certificate file in
Tor Browser. Not difficult to do and helpful to
overall security.

comment:4 Changed 6 years ago by starlight

And now that I think about it, I'll wager that
the upstream ESR release does include updates
to certdata.txt. So probably this is an
invalid bug report and I apologize for that.

Normally I try to ignore certificate warnings
on sites (like news sites) where it does not
matter much. Usually it's a problem with the
site but it's tedious to correctly analyze.
This one kept on for so long I took an
(insufficiently focused) stab at it.

comment:5 Changed 6 years ago by starlight

Resolution: invalid
Status: new → closed