View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0001119 | Main CAcert Website | certificate issuing | public | 2012-12-02 16:37 | 2013-05-21 19:31 |
| Reporter | INOPIAE | Assigned To | |||
| Priority | normal | Severity | minor | Reproducibility | have not tried |
| Status | closed | Resolution | fixed | ||
| Product Version | 2012 Q4 | ||||
| Fixed in Version | 2013 Q1 | ||||
| Summary | 0001119: Error importing CRL to Firefox/Thunderbird | ||||
| Description | there seems to be a larger problem with CRL import into to Firefox/Thunderbird. see cacert-support@l.c.o Novemer/December 2012 subject: Error importing CRL to Firefox/Thunderbird | ||||
| Additional Information | may be a change of the signature algorithym and signature hash algorithym from md5 to something newer. | ||||
| Tags | No tags attached. | ||||
| Reviewed by | NEOatNHNG, BenBE | ||||
| Test Instructions | |||||
|
|
please report your OS/Browser (incl revion#) combination test results under https://wiki.cacert.org/Software/CurrentTest/bug1119 |
|
|
* FF about:config parameter security.enable_md5_signatures -> a. false: crl import fails with error code:ffffe0b0 b. true: crl import success OpenSSL info of CRL reports: md5 rsa key proposed fix: deliver CRLs with sha1 encryption |
|
|
downloaded crl from Testserver http://cacert1.it-sls.de/cacert1-class3-revoke.crl http://cacert1.it-sls.de/cacert1-revoke.crl both show sha-1 as encryption methods both crl could be imported into FF 17 =>ok =>ok |
|
|
download CRL class1, class3 https://cacert1.it-sls.de/index.php?id=3 response says: download from crl.cacert.org create new user bug1119.user1@w.d 100 AP, 50 EP create class3 client cert with username bug1119.user1@w.d 10DF Not Revoked 2013-01-10 23:49:04 use https://cacert1.it-sls.de/cacert1-revoke.crl https://cacert1.it-sls.de/cacert1-class3-revoke.crl use link under https://wiki.cacert.org/Software/CurrentTest 2.6 - right mouse click, download/save as openssl crl -in cacert1-revoke.crl -inform DER -text|less Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha1WithRSAEncryption => ok openssl crl -in cacert1-class3-revoke.crl -inform DER -text|less Certificate Revocation List (CRL): Version 2 (0x1) Signature Algorithm: sha1WithRSAEncryption => ok check/set FF about:config security.enable_md5_signatures -> False starting (auto download) https://cacert1.it-sls.de/cacert1-revoke.crl https://cacert1.it-sls.de/cacert1-class3-revoke.crl runs w/o errors (asks: enable auto update?) => ok => all ok now |
|
|
I confirm the findings of INOPIAE and Uli60: Importing http://cacert1.it-sls.de/cacert1-class3-revoke.crl and http://cacert1.it-sls.de/cacert1-revoke.crl works perfectly in Firefox 17.0.1 and Thunderbird 17.0 (Linux OpenSuse 12.1 64bit). This also works when the config parameter security.enable_md5_signatures is set to false (its default), i.e. when importing the CAcert CRLs from the production server fails. One remark: Firefox and Thunderbird seem to index saved CRLs by what is specified as "Organizational Unit" (OU) in the issuer field of the CRL. On the test server this is "OU=http://cacert1.it-sls.de" for both class-1 and class-3 CRL, so at least the autoupdate settings are confused between the two CRLs. On the production system, it is "OU=http://www.cacert.org" for class 1 and "OU=http://www.CAcert.org" for class 3 (with different capitalization), so here the Mozilla programs distinguish between the different CRLs. Although this might be regarded as a bug or weakness in the Mozilla products, I suggest to stick to different OU entries for the two CAcert CRLs in order to avoid problems. |
|
|
Roger L reported via mail: http://cacert1.it-sls.de/cacert1-revoke.crl seems to work for me in Firefox 17.0.1 on 64 bit Windows 7 Professional, which had previously failed unless the enable_md5_signatures setting was changed. |
|
|
downloaded crl from Testserver http://cacert1.it-sls.de/cacert1-class3-revoke.crl [^] http://cacert1.it-sls.de/cacert1-revoke.crl [^] both crl could be imported into FF 17 =>ok |
|
|
From Benedikt in the cacert-support@l.c.o.: I tried the import Firefox 17 and Thunderbird 16. It works smoothly. Now I wait for the first automatic update on 23rd December. I give feedback thereafter. Regards, Benedikt |
|
|
please do second review and move to production |
|
|
The patch has been installed on the production server (signer!) during a visit to the hosting centre on February 7, 2013. See also https://lists.cacert.org/wws/arc/cacert-systemlog/2013-02/msg00001.html The current version of the SSL configuration files on the signer can be found in SVN as http://svn.cacert.org/CAcert/SystemAdministration/signer/ssl/ |
| Date Modified | Username | Field | Change |
|---|---|---|---|
| 2012-12-02 16:37 | INOPIAE | New Issue | |
| 2012-12-02 16:37 | INOPIAE | Assigned To | => NEOatNHNG |
| 2012-12-02 16:38 | INOPIAE | Relationship added | related to 0000318 |
| 2012-12-02 16:38 | INOPIAE | Relationship added | related to 0001001 |
| 2012-12-04 10:58 | Uli60 | Note Added: 0003377 | |
| 2012-12-04 21:53 | Uli60 | Note Added: 0003378 | |
| 2012-12-04 21:54 | Uli60 | Assigned To | NEOatNHNG => |
| 2012-12-04 21:54 | Uli60 | Status | new => confirmed |
| 2012-12-04 21:54 | Uli60 | Note Edited: 0003378 | |
| 2012-12-04 21:58 | Uli60 | Note Edited: 0003378 | |
| 2012-12-04 21:58 | Uli60 | Note Edited: 0003378 | |
| 2012-12-12 00:26 | INOPIAE | Note Added: 0003397 | |
| 2012-12-12 00:48 | Uli60 | Note Added: 0003398 | |
| 2012-12-12 08:36 | bjantzen | Note Added: 0003403 | |
| 2012-12-12 09:27 | INOPIAE | Assigned To | => NEOatNHNG |
| 2012-12-12 09:27 | INOPIAE | Status | confirmed => needs review & testing |
| 2012-12-14 11:01 | INOPIAE | Note Added: 0003431 | |
| 2012-12-14 21:57 | Werner Dworak | Note Added: 0003433 | |
| 2012-12-16 14:18 | INOPIAE | Note Added: 0003445 | |
| 2012-12-19 00:54 | INOPIAE | Note Added: 0003472 | |
| 2012-12-19 00:54 | INOPIAE | Status | needs review & testing => needs review |
| 2013-01-06 21:11 | BenBE | Reviewed by | => NEOatNHNG, BenBE |
| 2013-01-15 21:32 | NEOatNHNG | Status | needs review => ready to deploy |
| 2013-01-15 22:32 | BenBE | Product Version | => 2012 Q4 |
| 2013-01-15 22:32 | BenBE | Fixed in Version | => 2013 Q1 |
| 2013-02-08 16:04 | wytze | Note Added: 0003743 | |
| 2013-02-08 16:04 | wytze | Status | ready to deploy => solved? |
| 2013-02-08 16:04 | wytze | Resolution | open => fixed |
| 2013-05-21 19:31 | INOPIAE | Status | solved? => closed |
| 2013-05-21 19:31 | INOPIAE | Assigned To | NEOatNHNG => |
