Bug#563253: libnss3-1d: Fails to verify the certificate of my company email server

Alexander Kurtz kurtz.alex at googlemail.com
Fri Jan 1 15:58:00 UTC 2010 

merge 561918 563253
thanks

Hi,

I've got exactly the same problem here with Evolution 2.28 and my
Googlemail-Account. It is caused by bug #561918 [1]. You should check
my message there.

Cheers

Alexander Kurtz

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=561918

Am Freitag, den 01.01.2010, 13:28 +0000 schrieb Sam Morris:
> Package: libnss3-1d
> Version: 3.12.5-1
> Severity: grave
> Justification: renders package unusable
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Since upgrading libnss3-1d to 3.12.5, I have been unable to connect to my
> company's email server. Evolution gives me this dialog:
> 
> SSL Certificate check for imap.example.com:
> 
> Issuer:            serialNumber=88888888,CN=Go Daddy Secure Certification
> Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com,
> Inc.",L=Scottsdale,ST=Arizona,C=US
> Subject:           CN=*.example.com,OU=Domain Control Validated,O=*.example.com
> Fingerprint:       ec:cf:43:7f:87:84:f0:63:ec:b4:5d:60:e5:7e:6b:23
> Signature:         BAD
> 
> No problem with iceweasel, thunderbird, etc. but they don't appear to use the
> split-out package of NSS.
> 
> I reported the same bug against gnutls, #563127. The maintainer found that
> gnutls refused to accept the certificate because it was issues by a "V1 CA".
> Sadly I'm no X.509 expert so I don't know what that really means. The
> certificate in question was issued in April 2009, so it's not exactly ancient.
> 
> Please tell me if you'd like the server address to debug this further yourself,
> or whether there are any command line utilities for NSS that I can use as the
> equivalent of gnutls-bin/'openssl s_client' to debug further. 
> 
> Because this coincides with the upgrade from 3.12.4 to 3.12.5 I am assuming
> that NSS made a similar policy change to GnuTLS, to stop trusting V1 CAs. If
> this is the kind of thing that a user of NSS can override, please let me know
> and I'll forward that information to the (evolution) upstream bug at
> <https://bugzilla.gnome.org/show_bug.cgi?id=605773>.
> 
> - -- System Information:
> Debian Release: squeeze/sid
>   APT prefers testing
>   APT policy: (430, 'testing'), (420, 'unstable'), (410, 'experimental')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 2.6.32-trunk-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> 
> Versions of packages libnss3-1d depends on:
> ii  dpkg                   1.15.5.4          Debian package management system
> ii  libc6                  2.10.2-2          GNU C Library: Shared libraries
> ii  libnspr4-0d            4.8.2-1           NetScape Portable Runtime Library
> ii  libsqlite3-0           3.6.21-2          SQLite 3 shared library
> ii  zlib1g                 1:1.2.3.3.dfsg-15 compression library - runtime
> 
> libnss3-1d recommends no packages.
> 
> libnss3-1d suggests no packages.
> 
> - -- no debconf information
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> 
> iEYEARECAAYFAks9+IoACgkQshl/216gEHgbmgCg4/dEMui2RE3t+GgVJ9je7ouJ
> AB0AmgOjth0/Cy2emJ/RkhIl56IzQ0Ec
> =kMHW
> -----END PGP SIGNATURE-----
> 
> 
> 

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Dies ist ein digital signierter Nachrichtenteil
URL: <http://lists.alioth.debian.org/pipermail/pkg-mozilla-maintainers/attachments/20100101/cf274c45/attachment-0001.pgp>

More information about the pkg-mozilla-maintainers mailing list