View Issue Details

IDProjectCategoryView StatusLast Update
0001119Main CAcert Websitecertificate issuingpublic2013-05-21 19:31
ReporterINOPIAE Assigned To 
PrioritynormalSeverityminorReproducibilityhave not tried
Status closedResolutionfixed 
Product Version2012 Q4 
Fixed in Version2013 Q1 
Summary0001119: Error importing CRL to Firefox/Thunderbird
Descriptionthere seems to be a larger problem with CRL import into to Firefox/Thunderbird.

see cacert-support@l.c.o Novemer/December 2012
subject: Error importing CRL to Firefox/Thunderbird
Additional Informationmay be a change of the signature algorithym and signature hash algorithym from md5 to something newer.
TagsNo tags attached.
Reviewed byNEOatNHNG, BenBE
Test Instructions

Relationships

related to 0000318 needs workSourcerer OpenPGP CRL 
related to 0001001 new Need a way to set up redundant OCSP responders 

Activities

Uli60

2012-12-04 10:58

updater   ~0003377

please report your OS/Browser (incl revion#) combination test results under
https://wiki.cacert.org/Software/CurrentTest/bug1119

Uli60

2012-12-04 21:53

updater   ~0003378

Last edited: 2012-12-04 21:58

View 4 revisions

* FF about:config parameter security.enable_md5_signatures ->
 a. false: crl import fails with error code:ffffe0b0
 b. true: crl import success

OpenSSL info of CRL reports: md5 rsa key

proposed fix: deliver CRLs with sha1 encryption

INOPIAE

2012-12-12 00:26

updater   ~0003397

downloaded crl from Testserver
http://cacert1.it-sls.de/cacert1-class3-revoke.crl
http://cacert1.it-sls.de/cacert1-revoke.crl
both show sha-1 as encryption methods

both crl could be imported into FF 17 =>ok

=>ok

Uli60

2012-12-12 00:48

updater   ~0003398

download CRL class1, class3
https://cacert1.it-sls.de/index.php?id=3



response says:
download from crl.cacert.org

create new user
bug1119.user1@w.d

100 AP, 50 EP
create class3 client cert with username
bug1119.user1@w.d 10DF Not Revoked 2013-01-10 23:49:04

use
https://cacert1.it-sls.de/cacert1-revoke.crl
https://cacert1.it-sls.de/cacert1-class3-revoke.crl

use link under
https://wiki.cacert.org/Software/CurrentTest
2.6 - right mouse click, download/save as
openssl crl -in cacert1-revoke.crl -inform DER -text|less

Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
=> ok

openssl crl -in cacert1-class3-revoke.crl -inform DER -text|less
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
=> ok

check/set FF about:config
security.enable_md5_signatures -> False

starting (auto download)
https://cacert1.it-sls.de/cacert1-revoke.crl
https://cacert1.it-sls.de/cacert1-class3-revoke.crl
runs w/o errors
  (asks: enable auto update?)
=> ok

=> all ok now

bjantzen

2012-12-12 08:36

reporter   ~0003403

I confirm the findings of INOPIAE and Uli60:

Importing
http://cacert1.it-sls.de/cacert1-class3-revoke.crl
and
http://cacert1.it-sls.de/cacert1-revoke.crl
works perfectly in Firefox 17.0.1 and Thunderbird 17.0 (Linux OpenSuse 12.1 64bit).

This also works when the config parameter security.enable_md5_signatures is set to false (its default), i.e. when importing the CAcert CRLs from the production server fails.

One remark:
Firefox and Thunderbird seem to index saved CRLs by what is specified as "Organizational Unit" (OU) in the issuer field of the CRL. On the test server this is "OU=http://cacert1.it-sls.de" for both class-1 and class-3 CRL, so at least the autoupdate settings are confused between the two CRLs. On the production system, it is "OU=http://www.cacert.org" for class 1 and "OU=http://www.CAcert.org" for class 3 (with different capitalization), so here the Mozilla programs distinguish between the different CRLs. Although this might be regarded as a bug or weakness in the Mozilla products, I suggest to stick to different OU entries for the two CAcert CRLs in order to avoid problems.

INOPIAE

2012-12-14 11:01

updater   ~0003431

Roger L reported via mail:
http://cacert1.it-sls.de/cacert1-revoke.crl seems to work for me
in Firefox 17.0.1 on 64 bit Windows 7 Professional, which had previously
failed unless the enable_md5_signatures setting was changed.

Werner Dworak

2012-12-14 21:57

updater   ~0003433

downloaded crl from Testserver
http://cacert1.it-sls.de/cacert1-class3-revoke.crl [^]
http://cacert1.it-sls.de/cacert1-revoke.crl [^]

both crl could be imported into FF 17 =>ok

INOPIAE

2012-12-16 14:18

updater   ~0003445

From Benedikt in the cacert-support@l.c.o.:
I tried the import Firefox 17 and Thunderbird 16. It works smoothly. Now I wait for the first automatic update on 23rd December. I give feedback thereafter.

Regards,
Benedikt

INOPIAE

2012-12-19 00:54

updater   ~0003472

please do second review and move to production

wytze

2013-02-08 16:04

developer   ~0003743

The patch has been installed on the production server (signer!) during a visit to the hosting centre on February 7, 2013. See also https://lists.cacert.org/wws/arc/cacert-systemlog/2013-02/msg00001.html
The current version of the SSL configuration files on the signer can be found in SVN as http://svn.cacert.org/CAcert/SystemAdministration/signer/ssl/

Issue History

Date Modified Username Field Change
2012-12-02 16:37 INOPIAE New Issue
2012-12-02 16:37 INOPIAE Assigned To => NEOatNHNG
2012-12-02 16:38 INOPIAE Relationship added related to 0000318
2012-12-02 16:38 INOPIAE Relationship added related to 0001001
2012-12-04 10:58 Uli60 Note Added: 0003377
2012-12-04 21:53 Uli60 Note Added: 0003378
2012-12-04 21:54 Uli60 Assigned To NEOatNHNG =>
2012-12-04 21:54 Uli60 Status new => confirmed
2012-12-04 21:54 Uli60 Note Edited: 0003378 View Revisions
2012-12-04 21:58 Uli60 Note Edited: 0003378 View Revisions
2012-12-04 21:58 Uli60 Note Edited: 0003378 View Revisions
2012-12-12 00:26 INOPIAE Note Added: 0003397
2012-12-12 00:48 Uli60 Note Added: 0003398
2012-12-12 08:36 bjantzen Note Added: 0003403
2012-12-12 09:27 INOPIAE Assigned To => NEOatNHNG
2012-12-12 09:27 INOPIAE Status confirmed => needs review & testing
2012-12-14 11:01 INOPIAE Note Added: 0003431
2012-12-14 21:57 Werner Dworak Note Added: 0003433
2012-12-16 14:18 INOPIAE Note Added: 0003445
2012-12-19 00:54 INOPIAE Note Added: 0003472
2012-12-19 00:54 INOPIAE Status needs review & testing => needs review
2013-01-06 21:11 BenBE Reviewed by => NEOatNHNG, BenBE
2013-01-15 21:32 NEOatNHNG Status needs review => ready to deploy
2013-01-15 22:32 BenBE Product Version => 2012 Q4
2013-01-15 22:32 BenBE Fixed in Version => 2013 Q1
2013-02-08 16:04 wytze Note Added: 0003743
2013-02-08 16:04 wytze Status ready to deploy => solved?
2013-02-08 16:04 wytze Resolution open => fixed
2013-05-21 19:31 INOPIAE Status solved? => closed
2013-05-21 19:31 INOPIAE Assigned To NEOatNHNG =>