Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

Tìm kiếm hỗ trợ

Tránh các lừa đảo về hỗ trợ. Chúng tôi sẽ không bao giờ yêu cầu bạn gọi hoặc nhắn tin đến số điện thoại hoặc chia sẻ thông tin cá nhân. Vui lòng báo cáo hoạt động đáng ngờ bằng cách sử dụng tùy chọn "Báo cáo lạm dụng".

Tìm hiểu thêm

Miss track the intermediate certificate

  • 3 trả lời
  • 3 gặp vấn đề này
  • 1 lượt xem
  • Trả lời mới nhất được viết bởi Coconut888

more options

I'm using firefox for windows 7. My firefox now has version 41.0.1. This problem, however, was happened in older versions too.

When I visit https://www.google.com/, then drop down the menu [Tools]-->[Page Info]-->click the [Security] icon-->click the [View Certificate] button. In the Cerftificate Viewer dialog, click the [Details] tab and it will show the Certificate Hierarchy tree. The tree shows like below:

 GeoTrust Global CA <- Google Internet Authority G2 <- google.com

But when I use "openssl.exe s_client" command to test www.google.com:https, it shows below hierarchy:

 Equifax Secure Certificate Authority <- GeoTrust Global CA <- Google Internet Authority G2 <- www.google.com

Does it mean that the certificate "GeoTrust Global CA" is still a intermediate certificate which is issued by Equifax but firefox think it is a root CA ?

I checked the public key of the certificates "GeoTrust Global CA" retrieved from both firefox and openssl, and they are the same as below:


BEGIN PUBLIC KEY-----

MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD99BcjGlZ+W988 bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdqfnGk5sRgprDv gOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDviS2Aelet8u5f a9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU1XupGc1V3sjs 0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+bw8HHa8sHo9g OeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoWMPRfwCvocWvk +QIDAQAB


END PUBLIC KEY-----

Maybe this is a bug that firefox will miss the intermediate certificate when it encounter the circumstances like above.

I'm using firefox for windows 7. My firefox now has version 41.0.1. This problem, however, was happened in older versions too. When I visit https://www.google.com/, then drop down the menu [Tools]-->[Page Info]-->click the [Security] icon-->click the [View Certificate] button. In the Cerftificate Viewer dialog, click the [Details] tab and it will show the Certificate Hierarchy tree. The tree shows like below: GeoTrust Global CA <- Google Internet Authority G2 <- google.com But when I use "openssl.exe s_client" command to test www.google.com:https, it shows below hierarchy: Equifax Secure Certificate Authority <- GeoTrust Global CA <- Google Internet Authority G2 <- www.google.com Does it mean that the certificate "GeoTrust Global CA" is still a intermediate certificate which is issued by Equifax but firefox think it is a root CA ? I checked the public key of the certificates "GeoTrust Global CA" retrieved from both firefox and openssl, and they are the same as below: -----BEGIN PUBLIC KEY----- MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA2swYYzD99BcjGlZ+W988 bDjkcbd4kdS8odhM+KhDtgPpTSEHCIjaWC9mOSm9BXiLnTjoBbdqfnGk5sRgprDv gOSJKA+eJdbtg/OtppHHmMlCGDUUna2YRpIuT8rxh0PBFpVXLVDviS2Aelet8u5f a9IAjbkU+BQVNdnARqN7csiRv8lVK83Qlz6cJmTM386DGXHKTubU1XupGc1V3sjs 0l44U+VcT4wt/lAjNvxm5suOpDkZALeVAjmRCw7+OC7RHQWa9k0+bw8HHa8sHo9g OeL6NlMTOdReJivbPagUvTLrGAMoUgRx5aszPeE4uwc2hGKceeoWMPRfwCvocWvk +QIDAQAB -----END PUBLIC KEY----- Maybe this is a bug that firefox will miss the intermediate certificate when it encounter the circumstances like above.

Giải pháp được chọn

Firefox has the GeoTrust Global CA as a trusted built-in root certificate, so there is no need to have it chained to another root certificate. You can see that in the certificate manager and if you inspect the GeoTrust Global CA in the Details pane.

OpenSSL may use a different certificate store for this certificate.

Đọc câu trả lời này trong ngữ cảnh 👍 2

Tất cả các câu trả lời (3)

more options

Giải pháp được chọn

Firefox has the GeoTrust Global CA as a trusted built-in root certificate, so there is no need to have it chained to another root certificate. You can see that in the certificate manager and if you inspect the GeoTrust Global CA in the Details pane.

OpenSSL may use a different certificate store for this certificate.

more options

Thank you. And I think I understand your answer, this is by design, not a bug.

Actually, when I use https://www.sslshopper.com/ to check www.google.com it also shows that GeoTrust Global CA is an intermediate certificate whose issuer is Equifax, that is same as OpenSSL did.

So, the site www.google.com provide a server certificate and 2 chained (intermediate) certificates to the user agent, but Firefox uses a effitive way to use its built-in certificate and drop the provided second intermediate certificate (chained version GeoTrust Global CA).

Am I mis-understand ? However, I have a question that how if the site provided GeoTrust Global CA certificate has a different public key than built-in one, what would Firefox do ?

more options

I found an answer from <https://bugzilla.mozilla.org/show_bug.cgi?id=933969> which matches my understanding, though it's a little strange design for me.

Thanks.