Този сайт ще има ограничена функционалност, докато се извършва тече неговата поддръжка. Ако дадена статия не може реши проблема ви и искате да зададете въпрос, нашата общност е готова да ви помогне на @firefox в Twitter и /r/firefox в Reddit.

Търсене в помощните статии

Избягвайте измамите при поддръжката. Никога няма да ви помолим да се обадите или изпратите SMS на телефонен номер или да споделите лична информация. Моля, докладвайте подозрителна активност на "Докладване за злоупотреба".

Научете повече

Miss track the intermediate certificate

  • 3 отговора
  • 3 имат този проблем
  • 1 изглед
  • Последен отговор от Coconut888

more options

I'm using firefox for windows 7. My firefox now has version 41.0.1. This problem, however, was happened in older versions too.

When I visit https://www.google.com/, then drop down the menu [Tools]-->[Page Info]-->click the [Security] icon-->click the [View Certificate] button. In the Cerftificate Viewer dialog, click the [Details] tab and it will show the Certificate Hierarchy tree. The tree shows like below:

 GeoTrust Global CA <- Google Internet Authority G2 <- google.com

But when I use "openssl.exe s_client" command to test www.google.com:https, it shows below hierarchy:

 Equifax Secure Certificate Authority <- GeoTrust Global CA <- Google Internet Authority G2 <- www.google.com

Does it mean that the certificate "GeoTrust Global CA" is still a intermediate certificate which is issued by Equifax but firefox think it is a root CA ?

I checked the public key of the certificates "GeoTrust Global CA" retrieved from both firefox and openssl, and they are the same as below:


BEGIN PUBLIC KEY-----

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD99BcjGlZ+W988 bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdqfnGk5sRgprDv gOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDviS2Aelet8u5f a9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU1XupGc1V3sjs 0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+bw8HHa8sHo9g OeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoWMPRfwCvocWvk +QIDAQAB


END PUBLIC KEY-----

Maybe this is a bug that firefox will miss the intermediate certificate when it encounter the circumstances like above.

I'm using firefox for windows 7. My firefox now has version 41.0.1. This problem, however, was happened in older versions too. When I visit https://www.google.com/, then drop down the menu [Tools]-->[Page Info]-->click the [Security] icon-->click the [View Certificate] button. In the Cerftificate Viewer dialog, click the [Details] tab and it will show the Certificate Hierarchy tree. The tree shows like below: GeoTrust Global CA <- Google Internet Authority G2 <- google.com But when I use "openssl.exe s_client" command to test www.google.com:https, it shows below hierarchy: Equifax Secure Certificate Authority <- GeoTrust Global CA <- Google Internet Authority G2 <- www.google.com Does it mean that the certificate "GeoTrust Global CA" is still a intermediate certificate which is issued by Equifax but firefox think it is a root CA ? I checked the public key of the certificates "GeoTrust Global CA" retrieved from both firefox and openssl, and they are the same as below: -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD99BcjGlZ+W988 bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdqfnGk5sRgprDv gOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDviS2Aelet8u5f a9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU1XupGc1V3sjs 0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+bw8HHa8sHo9g OeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoWMPRfwCvocWvk +QIDAQAB -----END PUBLIC KEY----- Maybe this is a bug that firefox will miss the intermediate certificate when it encounter the circumstances like above.

Избрано решение

Firefox has the GeoTrust Global CA as a trusted built-in root certificate, so there is no need to have it chained to another root certificate. You can see that in the certificate manager and if you inspect the GeoTrust Global CA in the Details pane.

OpenSSL may use a different certificate store for this certificate.

Прочетете този отговор в контекста 👍 2

Всички отговори (3)

more options

Избрано решение

Firefox has the GeoTrust Global CA as a trusted built-in root certificate, so there is no need to have it chained to another root certificate. You can see that in the certificate manager and if you inspect the GeoTrust Global CA in the Details pane.

OpenSSL may use a different certificate store for this certificate.

more options

Thank you. And I think I understand your answer, this is by design, not a bug.

Actually, when I use https://www.sslshopper.com/ to check www.google.com it also shows that GeoTrust Global CA is an intermediate certificate whose issuer is Equifax, that is same as OpenSSL did.

So, the site www.google.com provide a server certificate and 2 chained (intermediate) certificates to the user agent, but Firefox uses a effitive way to use its built-in certificate and drop the provided second intermediate certificate (chained version GeoTrust Global CA).

Am I mis-understand ? However, I have a question that how if the site provided GeoTrust Global CA certificate has a different public key than built-in one, what would Firefox do ?

more options

I found an answer from <https://bugzilla.mozilla.org/show_bug.cgi?id=933969> which matches my understanding, though it's a little strange design for me.

Thanks.