FS#28860 - [chromium] missing Comodo's Essential SSL's CA since last update
Attached to Project:
Arch Linux
Opened by bassu (bassu) - Sunday, 11 March 2012, 06:48 GMT
Last edited by Jan de Groot (JGC) - Monday, 16 April 2012, 12:09 GMT
Opened by bassu (bassu) - Sunday, 11 March 2012, 06:48 GMT
Last edited by Jan de Groot (JGC) - Monday, 16 April 2012, 12:09 GMT
|
Details
Description:
Chromium missing Comodo's CN "Essential SSL" since update to chromium-17.0.963.79-1-x86_64. Additional info: * chromium-17.0.963.79-1-x86_64 * nss 3.13.3-1 Could possibly originate from the nss; but the certutil and Chromium's SSL Manager report the said CA missing Steps to reproduce: Go to Chromium > Preferences > Under the hood > Manager certificates > Authorities > "Essential SSL" doesn't exist there; while Firefox has it. |
This task depends upon
Closed by Jan de Groot (JGC)
Monday, 16 April 2012, 12:09 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed in 3.13.4-1.
Monday, 16 April 2012, 12:09 GMT
Reason for closing: Fixed
Additional comments about closing: Fixed in 3.13.4-1.
Reassigning to the nss package maintainers.
As for the missing EssentialSSL CA: This is not a CA, but an intermediate certificate. Browsers shouldn't include that, but instead, servers should provide it when sending the certificates.
It baffles me that Chromium works with nss 3.13.1 though. :\
Perhaps there's something up with the upstream of NSS but anyhow I've contacted Comodo and let's see what do they have to say!
> As you can see in the Arch package details, the libnss is directly being
> compiled from the upstreams of Mozilla.
>
> Arch didn't mark it as a bug.
>
>
> As soon as you'll upgrade to nss 3.13, you're doomed.
>
We're unable to replicate this on Ubuntu 12.04 beta 1 (libnss 3.13.1); fresh install. It seems you have a local issue of which we're not able to provide support for.
>
> Your response is kind of unresponsive!!
>
>
> (At least you should investigate why the latest nss marks EssentialSSL as
> untrusted)!
Unfortunately that's outside the scope of this service.
we have 3.13.3
"We were able to get ArchLinux in a VM and we're able to reproduce this using NSS 3.13.3-1 as reported in the Arch ticket [ https://bugs.archlinux.org/task/28860 ], we were also able to reproduce using Fedora 16, which recently (Saturday)[ http://lists.fedoraproject.org/pipermail/package-announce/2012-March/075636.html ] upgraded to 3.13.3-1 and it too exhibited the same problem.
As a result of this testing, we escalated to our Senior R & D team for further investigation. As a result of their investigation, we will be filing bug with Mozilla in the coming days. It seems there is a bug upstream that will need to be patched by Mozilla as the problem exists in multiple distros and even affects Windows & Linux using 'NSS_ENABLE_PKIX_VERIFY=1' set inside the environment, starting with Firefox 11, which is using NSS 3.13.3 as well. This is not something that is on by default, but will be within the next 3-6 months --Comodo Support"
This seems to have been fixed in 3.13.4
(https://bugzilla.mozilla.org/show_bug.cgi?id=737802)
Let's see if we can fix our nss package.
Shall we consider this bug solved once nss 3.13.4 gets into [extra]?
[1] https://www.dominos.co.uk/customer/addDetails.aspx
Thanks.