Closed Bug 59161 Opened 24 years ago Closed 23 years ago

Check in all root certs, if possible

Categories

(NSS :: Libraries, defect, P1)

Tracking

(Not tracked)

VERIFIED FIXED
Future

People

(Reporter: BenB, Assigned: bugz)

Details

(Whiteboard: PDT+, needs a=, critical for 0.9.2)

Attachments

(2 files)

Reproduce:
1. Build psm.xpi with |make build_xpi| (see build instructions)
2. Install the xpi in a fresh (open-source) Mozilla nightly build, fresh profile
3. Visit <https://services.db-privatebanking.de>
Actual result: A warning dialog pops up, saying that the CA for the certificate is not recognized. View the certificate to see that it is issued by "Verisign Trust Network".
Expected result: Since Verisign and Thawte seem to agree to the distribution of their certs (see <http://lxr.mozilla.org/mozilla/security/nss/lib/ckfw/builtins/certdata.txt>), all Verisign and Thawte certs are recognized.
Additional Comments: Please check in all of them into the Mozilla tree ASAP (i.e. before N6 shipment), or tell me how to convert the certs into the certdata.txt format, so I can fix it myself. This is a blocker for me - shipping PSM without reasonable root certs is practically impossible. I do use the builtin root certs - No warning on <https://admin.he.net> (issued by Thawte).
eh, wrong summary, correcting.
Summary: Root certs lib not shipped → Check in all root certs, if possible
I got completely confused - sorry. You need the patch for bug 59162 - otherwise, *no* cert will be recognized, not even that for he.net.
Blocks: Beonex
Ian fixed the first part of it, reassigning to him (reassign to <relyea%netscape.com>, when (s)he is back). The site mentioned in the reproduction now works. Thanks Ian. Checked in are:
- VeriSign/Thawte
- TC Trustcenter
- GlobalSign/BelSign
Leaving open, since there are still lots of certs (all from digsigtrust and many smaller CAs) missing.
Assignee: lord → mcgreer
Component: Daemon → Libraries
Product: PSM → NSS
Version: 1.4 → 3.1
Filed bug 59614 about making the tool for creating certdata.txt publicly available.
QA Contact: nitinp → junruh
Ian, have we checked in all the root certs? Can this be done in NSS 3.2 time frame?
Target Milestone: --- → 3.2
Already in:
- Verisign (thousands of times)
- Thawte
- TC Trustcenter
- GlobalSign/BelSign
- ValiCert
The following ones are missing (we have OK to check in):
- Deutsche Telekom (T-TeleSec)
- Entrust
No response so far from (available in 4.x, not yet checked into Mozilla, I mailed them, no response, legal status unclear):
- DigSigTrust
- Equifax
- Baltimore
Not contacted (available in 4.x, not yet checked into Mozilla, I didn't mail them yet, because of missing contact info):
- GTE Cybertrust
- E-Certify
- possibly others
Didn't check Netscape 6, if there are new certs we should distribute, too.
Severity: blocker → major
Have checked in Entrust and Deutsche Telekom. Marking as future, will watch this bug as more approvals come in. I think Baltimore is under the new contract, so they can be checked in...
Target Milestone: 3.2 → Future
Keywords: mozilla1.0
No longer blocks: Beonex
*** Bug 83847 has been marked as a duplicate of this bug. ***
r=javi
rs=blizzard
-> P1
Priority: P3 → P1
Whiteboard: PDT+, needs a=
a=blizzard on behalf of drivers for 0.9.2
Whiteboard: PDT+, needs a= → PDT+, needs a=, critical for 0.9.2
last set of roots checked in 6/20
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Verified.
Status: RESOLVED → VERIFIED