Issue 61321 in chromium: Certificate problem when accessing the website "https://www.gi-wahlen.de"


chro...@googlecode.com

Oct 30, 2010, 2:09:53 PM
to chromi...@chromium.org
Status: Unconfirmed
Owner: ----
Labels: Type-Bug Pri-2 Area-Undefined

New issue 61321 by jo.hil...@googlemail.com: Certificate problem when
accessing the website "https://www.gi-wahlen.de"
http://code.google.com/p/chromium/issues/detail?id=61321

Chrome Version : 8.0.552.23 dev
URLs (if applicable) : https://www.gi-wahlen.de
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Safari 4: FAIL
Firefox 3.x: OK
IE 7:
IE 8:

What steps will reproduce the problem?
1. Open URL www.gi-wahlen.de
2. Message: "The site's security certificate is not trusted!"
3. Reason: root ca of certificate will not be accepted


What is the expected result?
- should work. Certificate is valid, checked it with admin


What happens instead?
- certificate message: "The site's security certificate is not trusted!"


Please provide any additional information below. Attach a screenshot if
possible.

As I found out:
- the certificate of www.gi-wahlen.de is fine, I've checked it with admin
- the certificate chain is broken at root ca
- the root-ca "Thawte Premium Server CA" does not match the
certificate "Thawte Premium Server CA" in MacOSX Keychain

See attached screen dumps.


Some side note:
- Safari 4.x is also NOT accepting this URL, with same message
- Firefox 3.x is accepting this URL: AFAIU it will accept the "Thawte
Premium Root CA" as the same version is in local Firefox truststore
- The "Premium Root CA" from this URL does also NOT match the "Thawte
Premium Root CA" in MacOSX Keychain

The site "www.gi-wahlen.de" will be used for electronic elections. So,
correct certificates are essential for such a critical website.

I raised a bug to apple too: #8613563


Attachments:
Bug-Chrome-Screenshots.zip 331 KB

chro...@googlecode.com

Oct 30, 2010, 2:17:55 PM
to chromi...@chromium.org

Comment #1 on issue 61321 by jo.hil...@googlemail.com: Certificate problem

Forgot to mention: MacOSX 10.6.4

chro...@googlecode.com

Nov 4, 2010, 6:22:16 AM
to chromi...@chromium.org
Updates:
Status: WontFix
Cc: w...@chromium.org

Comment #2 on issue 61321 by rsle...@chromium.org: Certificate problem when

jo.hiller, thank you for this bug report. As you noted, the root cause of
this is that the Keychain Services does not have that particular version of
that root certificate listed under the System Roots of the Keychain.

However, this is not actually a bug with Chrome. Chrome uses each operating
system's native certificate store for certificate verification. Safari does
this as well, which is why you also see this error in Safari. Firefox uses
its own, internal list of trusted certificates, which is why you do not
see this in Safari.

The reason this problem presents is because https://www.gi-wahlen.de is
currently misconfigured. As part of SSL, the server sends its certificate,
along with an optional certificate chain. The server at
https://www.gi-wahlen.de is currently configured to send the entire
certificate chain, terminating in the "Thawte Premium Server CA".

However, this server is not sending the correct "Thawte Premium Server CA",
as obtained from https://www.thawte.com/roots/index.html. On Windows and on
Linux, the libraries Chrome uses are able to recognize that, though the
server sent a certificate claiming to be "Thawte Premium Server CA", the
actual certificate chain used/verified should terminate in the "Thawte
Premium Server CA" that they have in their trusted certificate store.

On OS X, the cryptographic APIs are currently not capable of recognizing
this. As a result, they end up using the "Thawte Premium Server CA"
included by the server, see that that particular version of "Thawte Premium
Server CA" does not exist in the System Roots keychain, and as a result,
reject it as invalid.

If the server is configured to not send that certificate, which is a
perfectly valid and in fact encouraged configuration, then OS X is smart
enough to be able to "fill in" the chain with the certificate contained in
the System Roots keychain. As a result, you'll be able to connect without
any warnings.

It is likely they obtained this version of the "Thawte Premium Root CA"
from the Firefox certificate store. While this certificate is valid for
Firefox, it does not represent the certificate that Thawte has published,
and it's reasonable to expect non-Firefox clients to have trouble
connecting to the site. It's easily remedied by either omitting the root
certificate, or replacing it with the certificate that Thawte has published.

In order to resolve this, there are two options available:
1) You may import the appropriate root certificate into your trusted
keychain. You would need to import the certificate being sent by
https://www.gi-wahlen.de. This may represent a security risk, as this is
not the version of the certificate that Thawte has published, but I believe
it should be safe. You can find more information about this process at
http://docs.info.apple.com/article.html?path=Mac/10.4/en/mh1779.html
2) Contact the administrator of www.gi-wahlen.de and ask them to adjust
their settings. If you're unsure how to explain, you should be able to
refer them to my explanation here.

chro...@googlecode.com

Nov 9, 2010, 11:53:42 PM
to chromi...@chromium.org
Updates:
Labels: -Area-Undefined Area-Internals Internals-Network OS-Mac

Comment #4 on issue 61321 by w...@chromium.org: Certificate problem when

rsleevi: thanks for the excellent explanation. Just to clarify one point:
an SSL server is required to send the certificate chain; the only thing
optional is the root CA certificate. Any intermediate CA certificates
should be sent.

jo.hiller: I inspected the root CA certificate sent by
https://www.gi-wahlen.de.
It contains the same public key as the root CA certificate that Thawte has
published. Therefore it is safe to import this root certificate into your
trusted keychain. For root certificates, only the public keys matter.
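As an added example (not part of this thread, and not Chromium, Apple or Thawte code), the Go program below reconstructs the situation rsleevi and wtc describe with throwaway Ed25519 keys: a root as it sits in a trust store, a re-issued copy of that root carrying the same key pair but a different serial and validity period, and a leaf signed with the root key. `VerifyAgainstStore` hands Go's verifier the server-sent copy only as an untrusted chain element and the store copy as the trust anchor, so it builds the chain to the store root the way the thread says Windows and Linux do; `SameKey` is wtc's public-key comparison. All names, serials and dates are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mk signs tmpl under parent with priv and returns the parsed certificate.
func mk(tmpl, parent *x509.Certificate, pub, priv any) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, priv)
	if err != nil { panic(err) }
	c, _ := x509.ParseCertificate(der) // DER the library just produced always parses
	return c
}
// caTemplate keeps the subject (and, in NewScenario, the key pair) but gives the
// root a new serial and validity period, which is how a re-issued root differs.
func caTemplate(serial int64, start time.Time) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: "Example Premium Server CA"},
		NotBefore: start, NotAfter: start.AddDate(25, 0, 0),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
}
// NewScenario builds constructed material (no real Thawte certificates): the root as it
// sits in the OS trust store, the re-issued copy the server sends, and the leaf it signed.
func NewScenario() (storeRoot, sentRoot, leaf *x509.Certificate) {
	caPub, caPriv, _ := ed25519.GenerateKey(rand.Reader)
	leafPub, _, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	store, sent := caTemplate(1, now.AddDate(-10, 0, 0)), caTemplate(2, now.AddDate(-3, 0, 0))
	leafT := &x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: "www.example.test"},
		NotBefore: now.AddDate(0, -1, 0), NotAfter: now.AddDate(1, 0, 0)}
	storeRoot, sentRoot = mk(store, store, caPub, caPriv), mk(sent, sent, caPub, caPriv)
	return storeRoot, sentRoot, mk(leafT, storeRoot, leafPub, caPriv)
}
// SameKey is wtc's check: for a root certificate only the public key matters.
func SameKey(a, b *x509.Certificate) bool { return string(a.RawSubjectPublicKeyInfo) == string(b.RawSubjectPublicKeyInfo) }
// VerifyAgainstStore treats the server-sent root as just another untrusted chain
// element and anchors trust in the store copy, as the thread says Windows and Linux do.
func VerifyAgainstStore(storeRoot, sentRoot, leaf *x509.Certificate) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(storeRoot)
	inter.AddCert(sentRoot)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter})
	return err
}
```

A verifier that instead insists on the sent root being byte-for-byte identical to a store entry (compare `sentRoot.Raw` with `storeRoot.Raw`) rejects this same chain, which is the OS X behaviour the thread describes.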
