[SSL Observatory] www.torproject.org certificate chain fails to validate in Chrome on Windows
Ondrej Mikle
ondrej.mikle at nic.cz
Wed Jan 4 16:23:20 PST 2012
Hi,
I've encountered this in the tor-talk mailing list.
Try to connect to https://www.torproject.org in Chrome on Windows. Latest Chrome
(16.0.912.63 m) will give you "invalid signature" warning.
I've been looking for the reason why that happens, but it seems to be client's
bug (MS CryptoAPI). Since such case is really rare, there is a good chance I'm
overlooking something.
Some remarkable points:
1. Chrome (via CryptoAPI) will download certificate from URL specified by
Authority Information Access (instead of using the one provided by server in
handshake) and then chains to "DigiCert High Assurance EV Root CA" root cert,
which is trust anchor in Microsoft's Root Certificate Program.
2. However, the same chain Chrome sees is verified without any problem by
gnutls. By looking at the cert differences manually, I don't see why CryptoAPI
thinks there is any problem with signature (differences are in not_before,
serial, path_len in basicConstraints).
The chains seen by clients are attached (Chrome and two chains constructed by
Firefox 9.0.1).
OT: is there any way to save certificate chain in Firefox if it gives you an
uncommon error (i.e. different than "untrusted issuer")? Lately I see instances
of certs that have unknown extensions, but reload or manual s_client won't catch it.
Ondrej
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: torproject.org_chrome_chain
URL: <http://lists.eff.org/pipermail/observatory/attachments/20120105/3fc4f5e4/attachment.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: torproject.org_firefox_chain
URL: <http://lists.eff.org/pipermail/observatory/attachments/20120105/3fc4f5e4/attachment-0001.ksh>
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: torproject.org_firefox_chain_no_cross
URL: <http://lists.eff.org/pipermail/observatory/attachments/20120105/3fc4f5e4/attachment-0002.ksh>
More information about the Observatory
mailing list