Problem website: https://www.cacert.org
Browser: Firefox 49.0.2
Plugin ver: 2.2.0.2.1
Settings: Without resolver, enable TLSA validation, use browser certificate chain
Hi,

When trying to access the CACert website the plugin shows a validation failure. The website's certificate is issued by a sub-CA, which is itself issued by "CA Cert Signing Authority" (attached); the browser trusts both the Root and the subordinate CA. The TLSA record (type 2) includes this certificate, however the plugin claims that TLSA validation has failed and that the certificate does not correspond to the TLSA record.

I've extracted the Root certificate from my browser and confirmed that it creates a matching TLSA record by using the TLSA generator here: https://www.huque.com/bin/gen_tlsa

When the root/subordinate certificates are removed from Firefox it uncovers the error "SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED": the Root CA signature uses md5RSA. Normally roots don't need signature verification as they're self-signed and trusted manually; does DANE change this model, and could that impact TLSA validation? (If so, propagating the underlying error information into the "more info" bubble could be useful.)

The issue seems somehow related to Firefox's trust settings on the certificate chain. If you trust both the Class 1 Root CA and the Class 3 (http://www.cacert.org/index.php?id=3) the error occurs; however, if you only trust the Class 1 Root and install Class 3 without selecting any of the trust options, the error does not occur.

Hope this gives you enough info to reproduce the problem and identify whether it's a bug in the validator plugin or Firefox (or something specific to the CACert PKI chain).

Thanks,
Chris
Attachment: CACertSigningAuthority.crt
dnssec-validator-users mailing list
[email protected]
https://lists.nic.cz/cgi-bin/mailman/listinfo/dnssec-validator-users
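The report above turns on two questions: what bytes a usage-2 (DANE-TA) TLSA record actually commits to, and which certificate in the presented chain a validator is supposed to compare it against. The following Go program is an added example, not code from the dnssec-validator plugin or from the poster. It derives TLSA records from a certificate for selectors 0 (full DER) and 1 (SubjectPublicKeyInfo) and matching types 0/1/2, checks a presented chain against a record in the way RFC 6698/7671 describe for the end-entity and trust-anchor usages, and flags a trust anchor whose own signature uses an algorithm a browser would refuse to verify. The certificates are constructed self-signed test certificates generated at run time; the function names and the split between "leaf" and "issuers" in VerifyChain are this example's own assumptions.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/sha512"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// TLSA holds the four fields of a TLSA RR as defined in RFC 6698.
type TLSA struct {
	Usage    uint8  // 0 PKIX-TA, 1 PKIX-EE, 2 DANE-TA, 3 DANE-EE
	Selector uint8  // 0 full certificate, 1 SubjectPublicKeyInfo
	Matching uint8  // 0 exact bytes, 1 SHA-256, 2 SHA-512
	Data     []byte // certificate association data
}

// selectData returns the part of the certificate the selector refers to.
func selectData(cert *x509.Certificate, selector uint8) ([]byte, error) {
	switch selector {
	case 0:
		return cert.Raw, nil // the whole DER-encoded certificate
	case 1:
		return cert.RawSubjectPublicKeyInfo, nil // DER SubjectPublicKeyInfo only
	}
	return nil, fmt.Errorf("unknown selector %d", selector)
}

// matchData applies the matching type to the selected bytes.
func matchData(data []byte, matching uint8) ([]byte, error) {
	switch matching {
	case 0:
		return data, nil
	case 1:
		h := sha256.Sum256(data)
		return h[:], nil
	case 2:
		h := sha512.Sum512(data)
		return h[:], nil
	}
	return nil, fmt.Errorf("unknown matching type %d", matching)
}

// NewTLSA builds the record a zone operator would publish for cert.
func NewTLSA(cert *x509.Certificate, usage, selector, matching uint8) (TLSA, error) {
	data, err := selectData(cert, selector)
	if err != nil {
		return TLSA{}, err
	}
	if data, err = matchData(data, matching); err != nil {
		return TLSA{}, err
	}
	return TLSA{Usage: usage, Selector: selector, Matching: matching, Data: data}, nil
}

// String renders the record in zone-file presentation format.
func (t TLSA) String() string {
	return fmt.Sprintf("%d %d %d %s", t.Usage, t.Selector, t.Matching, hex.EncodeToString(t.Data))
}

// Matches reports whether one certificate satisfies the record's
// selector/matching-type pair. Only the selected bytes are compared;
// the certificate's own signature is never verified here.
func (t TLSA) Matches(cert *x509.Certificate) bool {
	data, err := selectData(cert, t.Selector)
	if err != nil {
		return false
	}
	if data, err = matchData(data, t.Matching); err != nil {
		return false
	}
	return bytes.Equal(data, t.Data)
}

// VerifyChain applies the record to the chain the server presented
// (chain[0] is the end-entity certificate). End-entity usages (1, 3)
// compare the leaf only; trust-anchor usages (0, 2) accept a match on
// any issuer certificate above the leaf. A DANE-TA record therefore
// cannot match if the server omits the anchor from the chain it sends.
func VerifyChain(t TLSA, chain []*x509.Certificate) bool {
	if len(chain) == 0 {
		return false
	}
	switch t.Usage {
	case 1, 3:
		return t.Matches(chain[0])
	case 0, 2:
		for _, issuer := range chain[1:] {
			if t.Matches(issuer) {
				return true
			}
		}
	}
	return false
}

// AnchorSignatureDisabled reports whether a trust anchor is signed with an
// algorithm modern browsers refuse to verify (MD5- or SHA-1-with-RSA).
// DANE matching by digest never checks that signature, but a PKIX chain
// builder that does will surface a separate "algorithm disabled" error.
func AnchorSignatureDisabled(cert *x509.Certificate) bool {
	return cert.SignatureAlgorithm == x509.MD5WithRSA || cert.SignatureAlgorithm == x509.SHA1WithRSA
}

// selfSigned generates a constructed self-signed ECDSA/SHA-256 certificate.
func selfSigned(cn string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	root, _ := selfSigned("Constructed Demo Root")
	leaf, _ := selfSigned("Constructed Demo Leaf")
	rec, _ := NewTLSA(root, 2, 0, 1)
	fmt.Println("published:", rec)
	fmt.Println("chain with anchor:   ", VerifyChain(rec, []*x509.Certificate{leaf, root}))
	fmt.Println("chain without anchor:", VerifyChain(rec, []*x509.Certificate{leaf}))
	fmt.Println("anchor sig disabled: ", AnchorSignatureDisabled(root))
}
```

Running it prints a "2 0 1 <sha256>" record for the generated root, shows it verifying only when the anchor is present in the chain, and reports false for the SHA-256-signed demo root; a root signed with md5RSA, as in the report, would make AnchorSignatureDisabled return true while the digest comparison itself still succeeds, which is the distinction the poster is asking about.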
