Funkcionalnosć toś togo sedła se pśez wótwardowańske źěła wobgranicujo, kótarež maju wašo dožywjenje pólěpšyś. Jolic nastawk waš problem njerozwězujo a cośo pšašanje stajiś, wobrośćo se na našo zgromoźeństwo pomocy, kótarež na to caka, wam na @FirefoxSupport na Twitter a /r/firefox na Reddit pomagaś.

Pomoc pśepytaś

Glědajśo se wobšudy pomocy. Njenapominajomy was nigda, telefonowy numer zawołaś, SMS pósłaś abo wósobinske informacije pśeraźiś. Pšosym dajśo suspektnu aktiwitu z pomocu nastajenja „Znjewužywanje k wěsći daś“ k wěsći.

Dalšne informacije

Miss track the intermediate certificate

  • 3 wótegrona
  • 3 maju toś ten problem
  • 1 naglěd
  • Slědne wótegrono wót Coconut888

more options

I'm using firefox for windows 7. My firefox now has version 41.0.1. This problem, however, was happened in older versions too.

When I visit https://www.google.com/, then drop down the menu [Tools]-->[Page Info]-->click the [Security] icon-->click the [View Certificate] button. In the Cerftificate Viewer dialog, click the [Details] tab and it will show the Certificate Hierarchy tree. The tree shows like below:

 GeoTrust Global CA <- Google Internet Authority G2 <- google.com

But when I use "openssl.exe s_client" command to test www.google.com:https, it shows below hierarchy:

 Equifax Secure Certificate Authority <- GeoTrust Global CA <- Google Internet Authority G2 <- www.google.com

Does it mean that the certificate "GeoTrust Global CA" is still a intermediate certificate which is issued by Equifax but firefox think it is a root CA ?

I checked the public key of the certificates "GeoTrust Global CA" retrieved from both firefox and openssl, and they are the same as below:


BEGIN PUBLIC KEY-----

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD99BcjGlZ+W988 bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdqfnGk5sRgprDv gOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDviS2Aelet8u5f a9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU1XupGc1V3sjs 0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+bw8HHa8sHo9g OeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoWMPRfwCvocWvk +QIDAQAB


END PUBLIC KEY-----

Maybe this is a bug that firefox will miss the intermediate certificate when it encounter the circumstances like above.

I'm using firefox for windows 7. My firefox now has version 41.0.1. This problem, however, was happened in older versions too. When I visit https://www.google.com/, then drop down the menu [Tools]-->[Page Info]-->click the [Security] icon-->click the [View Certificate] button. In the Cerftificate Viewer dialog, click the [Details] tab and it will show the Certificate Hierarchy tree. The tree shows like below: GeoTrust Global CA <- Google Internet Authority G2 <- google.com But when I use "openssl.exe s_client" command to test www.google.com:https, it shows below hierarchy: Equifax Secure Certificate Authority <- GeoTrust Global CA <- Google Internet Authority G2 <- www.google.com Does it mean that the certificate "GeoTrust Global CA" is still a intermediate certificate which is issued by Equifax but firefox think it is a root CA ? I checked the public key of the certificates "GeoTrust Global CA" retrieved from both firefox and openssl, and they are the same as below: -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD99BcjGlZ+W988 bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdqfnGk5sRgprDv gOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDviS2Aelet8u5f a9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU1XupGc1V3sjs 0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+bw8HHa8sHo9g OeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoWMPRfwCvocWvk +QIDAQAB -----END PUBLIC KEY----- Maybe this is a bug that firefox will miss the intermediate certificate when it encounter the circumstances like above.

Wubrane rozwězanje

Firefox has the GeoTrust Global CA as a trusted built-in root certificate, so there is no need to have it chained to another root certificate. You can see that in the certificate manager and if you inspect the GeoTrust Global CA in the Details pane.

OpenSSL may use a different certificate store for this certificate.

Toś to wótegrono w konteksće cytaś 👍 2

Wšykne wótegrona (3)

more options

Wubrane rozwězanje

Firefox has the GeoTrust Global CA as a trusted built-in root certificate, so there is no need to have it chained to another root certificate. You can see that in the certificate manager and if you inspect the GeoTrust Global CA in the Details pane.

OpenSSL may use a different certificate store for this certificate.

more options

Thank you. And I think I understand your answer, this is by design, not a bug.

Actually, when I use https://www.sslshopper.com/ to check www.google.com it also shows that GeoTrust Global CA is an intermediate certificate whose issuer is Equifax, that is same as OpenSSL did.

So, the site www.google.com provide a server certificate and 2 chained (intermediate) certificates to the user agent, but Firefox uses a effitive way to use its built-in certificate and drop the provided second intermediate certificate (chained version GeoTrust Global CA).

Am I mis-understand ? However, I have a question that how if the site provided GeoTrust Global CA certificate has a different public key than built-in one, what would Firefox do ?

more options

I found an answer from <https://bugzilla.mozilla.org/show_bug.cgi?id=933969> which matches my understanding, though it's a little strange design for me.

Thanks.