[Privoxy-devel] Server certificate verification failed
Fabian Keil
fk at fabiankeil.de
Mon Jan 25 11:43:36 UTC 2021
Lee <ler762 at gmail.com> wrote on 2021-01-25:
> On 1/25/21, Hớ Hờ Hợ <kjllmeplz at gmail.com> wrote:
> > You need to add this cert to your trustedCAs.pem file manually.
>
> But why? I haven't had this problem with any other site.
>
> https://curl.se/docs/caextract.html
> says it's the Mozilla CA certificate store in PEM format. Firefox
> doesn't complain about the cert if I don't have privoxy playing https
> man-in-the-middle, so if Privoxy is using the Mozilla cert store, why
> is it complaining about the cert?
>
> > In your case,
>
> That's what I'm wondering. Is it just me or does everybody else see
> the same thing?

It's not just you.

The CA certificate store from curl.se seems to be missing the
"Sectigo RSA Organization Validation Secure Server CA"
intermediate certificate
(Serial Number: 13:7d:53:9c:aa:7c:31:a9:a4:33:70:19:68:84:7a:8d).

My Firefox (ESR 78.6.1) has the certificate but I don't know
how to tell Firefox to show the origin of the certificate.
I'm reasonably sure that I did not import it manually so I
assume it came from Mozilla.

When I contact www.theworld.com with "openssl s_client" it only
seems to send its own certificate, not the intermediate CA
certificate that would be required for Privoxy to follow the
certificate chain starting with the
"USERTrust RSA Certification Authority" certificate that is
included in the CA certificate store from curl.se.

Fabian
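
The missing-intermediate failure described in this message can be reproduced offline. The following is an added example, not part of the original message or of Privoxy's code: it builds a constructed root, intermediate and leaf (all names made up) and runs `openssl verify` three ways, where only the root-only case fails.

```shell
#!/bin/sh
# Added example: constructed three-level PKI (root -> intermediate -> leaf).
# All subject names are made up; nothing here contacts a real server.

make_pki() {  # $1 = working directory
    d=$1
    # Minimal config so the run does not depend on the system openssl.cnf.
    printf '[req]\ndistinguished_name=dn\n[dn]\nCN=placeholder\n[v3_ca]\nbasicConstraints=critical,CA:TRUE\n' > "$d/o.cnf"
    # Self-signed root: the only certificate the trust store ships.
    openssl req -config "$d/o.cnf" -x509 -extensions v3_ca -newkey rsa:2048 -nodes \
        -keyout "$d/root.key" -out "$d/root.pem" -subj "/CN=Example Root CA" -days 2 2>/dev/null
    # Intermediate CA signed by the root.
    openssl req -config "$d/o.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$d/int.key" -out "$d/int.csr" -subj "/CN=Example Intermediate CA" 2>/dev/null
    openssl x509 -req -in "$d/int.csr" -CA "$d/root.pem" -CAkey "$d/root.key" -set_serial 2 \
        -extfile "$d/o.cnf" -extensions v3_ca -days 2 -out "$d/int.pem" 2>/dev/null
    # Leaf (server) certificate signed by the intermediate.
    openssl req -config "$d/o.cnf" -new -newkey rsa:2048 -nodes \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" -subj "/CN=www.example.test" 2>/dev/null
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/int.pem" -CAkey "$d/int.key" -set_serial 3 \
        -days 2 -out "$d/leaf.pem" 2>/dev/null
}

# Case 1: store holds only the root and the server sent only its leaf.
verify_root_only() {
    openssl verify -CAfile "$1/root.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Case 2: the server also sends the intermediate (untrusted, used for path building).
verify_sent_intermediate() {
    openssl verify -CAfile "$1/root.pem" -untrusted "$1/int.pem" "$1/leaf.pem" >/dev/null 2>&1
}

# Case 3: the intermediate is appended to the local store, as suggested in the thread.
verify_store_has_intermediate() {
    cat "$1/root.pem" "$1/int.pem" > "$1/store.pem"
    openssl verify -CAfile "$1/store.pem" "$1/leaf.pem" >/dev/null 2>&1
}

PKI_DIR=$(mktemp -d)
make_pki "$PKI_DIR"
for check in verify_root_only verify_sent_intermediate verify_store_has_intermediate; do
    if "$check" "$PKI_DIR"; then echo "$check: chain verifies"
    else echo "$check: verification failed"; fi
done
```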