Valid certificate with incomplete chain shows insecure warning
Categories
(Core :: Security: PSM, defect)
People
(Reporter: 13hurdw, Unassigned)
Firefox 65.0.1, Mac
To reproduce:
www.ccssforum.org uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.
Error code: SEC_ERROR_UNKNOWN_ISSUER
In Chrome, the site can be visited without any warnings.
SSL Labs gives the site a grade of B.
Chain issues: Incomplete
Should this case be treated as secure?
Comment 1 • 6 years ago
A connection can of course not be treated as secure if the chain is incomplete.
The only option is that Firefox tries to download the intermediate certificates on its own to complete the chain to fix the broken website.
Chrome shows the certificate only as valid because either the intermediate certificate is cached or Windows downloaded the intermediate on its own in the Windows certificate store.
(In reply to Matthias Versen [:Matti] from comment #1)
> Chrome shows the certificate only as valid because either the intermediate certificate is cached or Windows downloaded the intermediate on its own in the Windows certificate store.
This is on Mac, FYI.
This will be addressed by intermediate preloading.
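
Added example, not part of the bug report and not Firefox or NSS code: the failure mode discussed in this thread, reproduced with Go's crypto/x509 verifier as a stand-in. The three certificates, their names and www.example.test are constructed in memory, and the `cache` pool is an assumption that stands in for an intermediate the client already holds (cached or preloaded).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue creates a constructed certificate signed by parent, or self-signed when parent is nil.
func issue(cn string, ca bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // errors ignored: in-memory demo
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), DNSNames: []string{"www.example.test"},
		IsCA: ca, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature}
	if parent == nil {
		parent, pkey = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// isUnknownIssuer reports Go's counterpart of SEC_ERROR_UNKNOWN_ISSUER.
func isUnknownIssuer(err error) bool { _, ok := err.(x509.UnknownAuthorityError); return ok }

// verify builds a path from leaf to roots using only the intermediates in known.
func verify(leaf *x509.Certificate, roots, known *x509.CertPool) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: known, DNSName: "www.example.test"})
	return err
}

// scenario verifies one leaf twice: server sent no intermediate, then client already holds it.
func scenario() (incomplete, preloaded error) {
	root, rootKey := issue("Constructed Root CA", true, nil, nil)
	mid, midKey := issue("Constructed Intermediate CA", true, root, rootKey)
	leaf, _ := issue("www.example.test", false, mid, midKey)
	roots, none, cache := x509.NewCertPool(), x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	cache.AddCert(mid)
	return verify(leaf, roots, none), verify(leaf, roots, cache)
}

func main() {
	fmt.Println(scenario()) // leaf-only result first, then the result with the intermediate known
}
```

The leaf and the trusted root are identical in both calls; only the client's knowledge of the intermediate changes the verdict, which is why the durable fix on the server side is to send the full chain.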