[tbb-bugs] #13926 [Tor Browser]: No certificate hierarchy

Tor Bug Tracker & Wiki blackhole at torproject.org
Wed Apr 22 20:50:04 UTC 2015

#13926: No certificate hierarchy
     Reporter:  cypherpunks  |      Owner:  tbb-team
         Type:  defect       |     Status:  reopened
     Priority:  normal       |  Milestone:
    Component:  Tor Browser  |    Version:
   Resolution:               |   Keywords:  tbb-usability, ff38-esr
Actual Points:               |  Parent ID:
       Points:               |
Changes (by mcs):

 * keywords:  tbb-usability => tbb-usability, ff38-esr


 Kathy and I spent some time in the debugger and reading code to try to
 understand this issue.  Unfortunately, we have not yet found the root
 cause.  Here are some of the things we learned:

 - The bug occurs because the intermediate CA certificate is no longer
 available.  That cert. is present in the temporary (SSL context)
 certificate store while the https connection is open, but when the SSL
 socket is closed, it is deleted (see ssl3_CleanupPeerCerts() inside

 - It is not clear to us why the security.nocertdb pref. value changes
 things, but for sites like https://blog.torproject.org/, if
 security.nocertdb=false (not the default), then the intermediate CA is
 found in the permanent / built-in certificate store even after it has been
 purged -- and everything works fine.  We suspect in that case the cert.
 may be present because of the cert. pinning feature that was backported to
 Tor Browser.  Maybe security.nocertdb=true (the default setting) makes it
 so that not everything is available to the UI code that is trying to
 construct the certificate chain.

 - For unpinned sites such as https://github.com/, the bug described by
 this ticket occurs in Tor Browser 4.5a5+ even when
 security.nocertdb=false.  But the pinned vs. unpinned theory is not 100%
 proven at this point.

 The NSS code is a maze of twisty little passages, all alike.  If we do not
 solve this issue soon, we should re-test when we have ff38-esr based
 builds and debug it further.

 We have not been able to reproduce this problem with unmodified copies of
 Firefox 31 or 37.0.2.


 Info. that is helpful for debugging this:

 The call that returns the incomplete list of certificates is
 CERT_CreateSubjectCertList() inside security/nss/lib/certdb/stanpcertdb.c.
 The relevant C++ portion of the call stack is:

 CERT_CreateSubjectCertList() is in security/nss/lib/certdb/stanpcertdb.c.

 The in-memory / session certificate store is implemented by

 The relevant JS code is the call to cert.getChain() within setWindowName()
 within the file security/manager/pki/resources/content/viewCertDetails.js

Ticket URL: <https://trac.torproject.org/projects/tor/ticket/13926#comment:5>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online

More information about the tbb-bugs mailing list