Bug#563253: libnss3-1d: Fails to verify the certificate of my company email server
Alexander Kurtz
kurtz.alex at googlemail.com
Fri Jan 1 15:58:00 UTC 2010
merge 561918 563253
thanks
Hi,
I've got exactly the same problem here with Evolution 2.28 and my
Googlemail-Account. It is caused by bug #561918 [1]. You should check
my message there.
Cheers
Alexander Kurtz
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=561918
Am Freitag, den 01.01.2010, 13:28 +0000 schrieb Sam Morris:
> Package: libnss3-1d
> Version: 3.12.5-1
> Severity: grave
> Justification: renders package unusable
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> Since upgrading libnss3-1d to 3.12.5, I have been unable to connect to my
> company's email server. Evolution gives me this dialog:
>
> SSL Certificate check for imap.example.com:
>
> Issuer: serialNumber=88888888,CN=Go Daddy Secure Certification
> Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com,
> Inc.",L=Scottsdale,ST=Arizona,C=US
> Subject: CN=*.example.com,OU=Domain Control Validated,O=*.example.com
> Fingerprint: ec:cf:43:7f:87:84:f0:63:ec:b4:5d:60:e5:7e:6b:23
> Signature: BAD
>
> No problem with iceweasel, thunderbird, etc. but they don't appear to use the
> split-out package of NSS.
>
> I reported the same bug against gnutls, #563127. The maintainer found that
> gnutls refused to accept the certificate because it was issues by a "V1 CA".
> Sadly I'm no X.509 expert so I don't know what that really means. The
> certificate in question was issued in April 2009, so it's not exactly ancient.
>
> Please tell me if you'd like the server address to debug this further yourself,
> or whether there are any command line utilities for NSS that I can use as the
> equivalent of gnutls-bin/'openssl s_client' to debug further.
>
> Because this coincides with the upgrade from 3.12.4 to 3.12.5 I am assuming
> that NSS made a similar policy change to GnuTLS, to stop trusting V1 CAs. If
> this is the kind of thing that a user of NSS can override, please let me know
> and I'll forward that information to the (evolution) upstream bug at
> <https://bugzilla.gnome.org/show_bug.cgi?id=605773>.
>
> - -- System Information:
> Debian Release: squeeze/sid
> APT prefers testing
> APT policy: (430, 'testing'), (420, 'unstable'), (410, 'experimental')
> Architecture: amd64 (x86_64)
>
> Kernel: Linux 2.6.32-trunk-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
>
> Versions of packages libnss3-1d depends on:
> ii dpkg 1.15.5.4 Debian package management system
> ii libc6 2.10.2-2 GNU C Library: Shared libraries
> ii libnspr4-0d 4.8.2-1 NetScape Portable Runtime Library
> ii libsqlite3-0 3.6.21-2 SQLite 3 shared library
> ii zlib1g 1:1.2.3.3.dfsg-15 compression library - runtime
>
> libnss3-1d recommends no packages.
>
> libnss3-1d suggests no packages.
>
> - -- no debconf information
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
>
> iEYEARECAAYFAks9+IoACgkQshl/216gEHgbmgCg4/dEMui2RE3t+GgVJ9je7ouJ
> AB0AmgOjth0/Cy2emJ/RkhIl56IzQ0Ec
> =kMHW
> -----END PGP SIGNATURE-----
>
>
>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 836 bytes
Desc: Dies ist ein digital signierter Nachrichtenteil
URL: <http://lists.alioth.debian.org/pipermail/pkg-mozilla-maintainers/attachments/20100101/cf274c45/attachment-0001.pgp>
More information about the pkg-mozilla-maintainers
mailing list