Re: interesting issue found yesterday

Hello Tim,

On Wed, 14 Mar 2007 15:01:23 +0100, Timothy Hahn <hahnt@us.ibm.com> wrote:

> On page load - Firefox popped up a message telling me it didn't like the
> company's Server certificate!!!  So I investigated.  The indication was
> that the cert was signed by an unknown signer.  So I looked at the signer
> information.  It said "Verisign Class 3 ..." from "Verisign. Inc.".
>
> So I looked at my set of known CA signer certificates ... I have 3 (count
> 'em 3) Verisign Class 3 CA signer certificates known to my Firefox
> install.
>
> So how could it be that I don't have the "right one"?  (actually, I know
> how it could be - Verisign created a new one, and I didn't know I was
> supposed to go out and get it ... or I have a Firefox install that hadn't
> had the right CA signer's update applied).
>
> Everything looks right ... even to my eyes which ought to know better ...
> what could possibly be the issue?

You may have encountered a website that is missing the Intermediate CA  
certificate from Versign. AFAIK, Verisign class 3 certs are usually  
organized subscriber->intermediate->root .

What happens in some cases is that IE will download the intermediate if it  
is missing and there is a URL (the AIA attribute) in the site certificate,  
which means it will not complain. AFAIK Mozilla (and Opera) does not do  
this, which means that we are not able to complete the chain, and pop up a  
certificate warning

This is a configuration issue on the server.


-- 
Sincerely,
Yngve N. Pettersen

********************************************************************
Senior Developer		             Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************

Received on Wednesday, 14 March 2007 14:47:19 UTC