Opened 3 years ago

Last modified 15 months ago

#18218 new defect

The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)

Reported by: bugzilla
Owned by: tbb-team
Priority: Medium
Component: Applications/Tor Browser
Severity: Normal
Keywords: tbb-usability-website

Description

FF 44 works fine.
Example: https://www.findip-address.com

Child Tickets

Change History (6)

comment:1 Changed 3 years ago by cypherpunks

Works for me, current TBB on Linux.

comment:2 in reply to: description Changed 3 years ago by bugzilla

Interesting. TBB 6.0a1 on Win7.

comment:3 Changed 3 years ago by cypherpunks

Also running TBB on Linux but it does not work for me.

According to https://www.ssllabs.com/ssltest/analyze.html?d=findip-address.com it has an incomplete chain.

There's also https://bugzilla.mozilla.org/show_bug.cgi?id=629558 with some information on why it could and could not work.

comment:4 Changed 3 years ago by cypherpunks

It was working on a TBB installation, where disk storage is not disabled. On TBB with disk storage disabled, the certificate is invalid.

They seem to serve a certificate with an incomplete chain.

Apparently, intermediate certificates are stored by Firefox in cert8.db. Presumably, some previous web site included the intermediate certificate and it got stored in cert8.db and thus things are working for this installation. If I delete the cert8.db, the RapidSSL certificate fails.

Last edited 3 years ago by cypherpunks

comment:5 Changed 3 years ago by bugzilla

Keywords: tbb-usability-website added
Summary: RapidSSL SHA256 CA - G3 (Error code: sec_error_unknown_issuer) → The certificate is not trusted because the issuer certificate is unknown. (Error code: sec_error_unknown_issuer)

So on one end we are accepting broken SSL certificates WITHOUT EVEN PROMPTING OR WARNING THE USER and on the other end we are making it hard or almost impossible for users to access sites with "invalid SSL certificates"

from Bug 629558, which is known since 2011, and everything was resolved as fixed...

comment:6 Changed 15 months ago by cypherpunks

Because of the bug in Firefox, Tor Browser can fall into an undesirable state, preventing browsing of certain sites, e.g. https://observatory.mozilla.org/analyze/msdn.microsoft.com states that

HTTP Strict Transport Security (HSTS) header cannot be set, as site contains an invalid certificate chain

but when it is set anyway, Tor Browser shows

Your connection is not secure
The owner of msdn.microsoft.com has configured their website improperly. To protect your information from being stolen, Tor Browser has not connected to this website.
This site uses HTTP Strict Transport Security (HSTS) to specify that Tor Browser may only connect to it securely. As a result, it is not possible to add an exception for this certificate.
