
Why does Firefox allow ssl connections to a server, the certificate of which was issued by an intermediate certificate ...

  • 6 replies
  • 1 has this problem
  • 31 views
  • Last reply by cor-el


Why does https://admin.booking.com work in firefox but not in openssl:

# openssl s_client -connect admin.booking.com:443 -showcerts

CONNECTED(00000003)
depth=2 C = US, O = "thawte, Inc.", OU = Certification Services Division, OU = "(c) 2006 thawte, Inc. - For authorized use only", CN = thawte Primary Root CA
verify error:num=20:unable to get local issuer certificate
verify return:0
---
Certificate chain

0 s:/1.3.6.1.4.1.311.60.2.1.3=NL/businessCategory=Private Organization/O=Booking.com B.V./serialNumber=31047344/C=NL/ST=Noord-Holland/L=Amsterdam/OU=IT Production/CN=admin.booking.com
  i:/C=US/O=thawte, Inc./CN=thawte EV SSL CA - G2
1 s:/C=US/O=thawte, Inc./CN=thawte EV SSL CA - G2
  i:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
2 s:/C=US/O=thawte, Inc./OU=Certification Services Division/OU=(c) 2006 thawte, Inc. - For authorized use only/CN=thawte Primary Root CA
  i:/C=ZA/ST=Western Cape/L=Cape Town/O=Thawte Consulting cc/OU=Certification Services Division/CN=Thawte Premium Server CA/emailAddress=premium-server@thawte.com

This of course fails validation because the issuer certificate "Thawte Premium Server CA" is not present locally.

BUT it is NOT PRESENT in Firefox either - yet firefox accepts the intermediate "thawte EV SSL CA - G2" ! Even if I remove it manually it will be back next time I reload the page. WHY is this? I feel this is not secure!


All replies (6)


hello antimo, when a server provides a full path from its cert to an intermediary certificate which is in turn trusted by a built-in root CA, then the connection will be trusted - this is the whole purpose of intermediate certificates & most issued certificates work this way today!

https://www.ssllabs.com/ssltest/analyze.html?d=admin.booking.com


Thanks for the fast response.

The question here is why does Firefox trust the second intermediate certificate (thawte Primary Root CA) when it clearly does not have the necessary built-in root CA (Thawte Premium Server CA)? Firefox even states that "thawte Primary Root CA" could not be verified!


hi antimo, i'm not sure if i understand the question correctly - but "Thawte Primary Root CA" isn't an intermediary cert but a built-in root certificate.


Ok more details: the cert "Thawte Primary Root CA" provided by admin.booking.com during the handshake has SHA1 Fingerprint 1F:A4:90:D1:D4:95:79:42:CD:23:54:5F:6E:82:3D:00:00:79:6E:A2 while the built-in token "Thawte Primary Root CA" has 91:C6:D6:EE:3E:8A:C8:63:84:E5:48:C2:99:29:5C:75:6C:81:7B:81

So they are different certificates. I thought they had to match?


http://pastebin.com/29Kb2EKb is the certificate chain provided by admin.booking.com


HM - I think I got it: both certificates have the same X509v3 Subject Key Identifier - That's why...

So the extra certificate with issuer 'Thawte Premium Server CA' trips up openssl

Thank you for your time
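The situation worked out in the post above, reproduced with a throwaway PKI. This is an added example, not part of the thread and not Mozilla's or Thawte's material: "Old Root" stands in for the legacy "Thawte Premium Server CA", "New Root" for "thawte Primary Root CA", and all names, hostnames and serials are made up. The script builds "New Root" twice from one key, once self-signed (the kind of certificate a browser ships as a built-in trust anchor) and once cross-signed by "Old Root" (the kind a server appends to its chain), then shows that the two copies share a Subject Key Identifier while their fingerprints differ, and how `openssl verify` resolves the chain depending on which anchors are trusted. It assumes openssl 1.1.0 or newer on PATH, since older releases did not prefer trust-store certificates over the server-sent chain by default.

```shell
#!/bin/sh
# Added example (not from the thread): one CA key, two root certificates.
# Requires openssl >= 1.1.0. All names below are constructed for the demo.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extension profiles for signing; constructed here, not taken from any real CA.
cat > root.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
cat > ca.ext <<'EOF'
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
cat > leaf.ext <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectAltName = DNS:admin.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

# sign <csr> <issuer-cert> <issuer-key> <ext-file> <serial> <out>
sign() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -extfile "$4" \
    -set_serial "$5" -days 30 -out "$6" 2>/dev/null
}

build_pki() {
  for n in old_root new_root inter leaf; do
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
      -out "$n.key" 2>/dev/null
    openssl req -new -key "$n.key" -subj "/CN=$n" -out "$n.csr" 2>/dev/null
  done
  # Two self-signed roots: the legacy one and the current one.
  openssl x509 -req -in old_root.csr -signkey old_root.key -extfile root.ext \
    -set_serial 1 -days 30 -out old_root.pem 2>/dev/null
  openssl x509 -req -in new_root.csr -signkey new_root.key -extfile root.ext \
    -set_serial 2 -days 30 -out new_root_self.pem 2>/dev/null
  # The same New Root key, certified by Old Root: the cross-signed copy.
  sign new_root.csr old_root.pem old_root.key ca.ext 3 new_root_cross.pem
  sign inter.csr new_root_self.pem new_root.key ca.ext 4 inter.pem
  sign leaf.csr inter.pem inter.key leaf.ext 5 leaf.pem
  # What the server sends after the leaf: intermediate, then the
  # cross-signed root (the same layout as in the s_client output above).
  cat inter.pem new_root_cross.pem > server_extra.pem
}

# ski <cert>: print the Subject Key Identifier, the value the poster compared.
ski() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Key Identifier' | tail -n 1 | tr -d ' '
}

# verify_chain <trust-file>: validate leaf.pem against the given anchors,
# feeding the server-sent certificates in as untrusted input.
# An empty argument means "no trust anchors at all".
verify_chain() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$1" -untrusted server_extra.pem leaf.pem
  else
    openssl verify -no-CAfile -no-CApath -untrusted server_extra.pem leaf.pem
  fi
}

build_pki
echo "self-signed  SKI: $(ski new_root_self.pem)"
echo "cross-signed SKI: $(ski new_root_cross.pem)"
openssl x509 -in new_root_self.pem -noout -fingerprint -sha1
openssl x509 -in new_root_cross.pem -noout -fingerprint -sha1
# Anchor = built-in New Root: OK; the path ends at the anchor's key, and the
# cross-signed copy the server sent is simply not needed.
verify_chain new_root_self.pem || true
# Anchor = Old Root only: OK via the cross-signed copy.
verify_chain old_root.pem || true
# No anchors: "unable to get local issuer certificate", as in the post.
verify_chain "" || true
```

The first two `verify_chain` calls succeed for different reasons: with the self-signed root trusted, the builder matches the intermediate's Authority Key Identifier to the trusted root's key and ignores the server's cross-signed copy, which is what a browser with the current root built in does; with only the legacy root trusted, the cross-signed copy is what makes the chain reach an anchor, which is why servers send it. The third call reproduces the thread's error, which only tells you that neither root is in the local store, not that the chain is wrong.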


Note that Firefox automatically stores intermediate certificates that servers send in the Certificate Manager for future usage. If a server doesn't send a full certificate chain then you won't get an untrusted error when Firefox has stored missing intermediate certificates from visiting a server in the past that has sent it, but you do get an untrusted error if this intermediate certificate isn't stored yet.