Certificate revocation issue for one particular site
Reported by rogerd...@gmail.com, Jul 15 2009
Chrome Version : 2.0.172.33 (Official Build )
URLs (if applicable) : https://migs.mastercard.com.au/ma/
Other browsers tested:
Add OK or FAIL after other browsers where you have tested this issue:
Firefox 3.x: OK
IE 8: OK

What steps will reproduce the problem?
1. Go to the URL as listed above.

What is the expected result?
The site displays as normal.

What happens instead?
The site is displayed, but the message "unable to check whether the server's certificate was revoked" pops up.

Please provide any additional information below. Attach a screenshot if possible.
I have checked the certificate's serial number against the revocation list at http://certificates.mastercard.com/CRL_PUB/, and it does not appear. Therefore the certificate has not been revoked, and the message should not pop up.
Comment 1 by progame@chromium.org, Jul 15 2009
,
Aug 7 2009
chromium is now telling me that the example URL site's cert *has been revoked* (it hasn't). it is doing the same thing for all certificates signed by a couple of private CAs i use for work and home. the CA certificates for these private CAs have been in my nssdb for weeks (i manually added them using a copy of firefox running with NSS_DEFAULT_DB_TYPE="sql"). i sincerely hope this is unintended behavior.
,
Aug 7 2009
wtc, is this your area?
,
Aug 8 2009
cmroddy: you are experiencing issue 13336, which was reintroduced by ukai's checkin last night of a CL for issue 10911. Please watch issue 10911 for my fix. Sorry about the bug.
,
Oct 11 2009
I get the same error about certificate revocation on a few sites, notably:
http://pbxes.org/
http://bugzilla.gnome.org/

My system time is correct, so it is probably not the nss bug.

chromium-4.0.220.0-0.1.20090930svn27599.fc12.x86_64
nss-3.12.4-14.fc12.x86_64
,
Oct 12 2009
luke.hutch: what's the exact error message you get? I just need the first sentence (the title) of the SSL error page. I can connect to the two sites you listed with no SSL errors with my own build of NSS 3.12.4 on Ubuntu. (I don't have Fedora 12.)
,
Oct 13 2009
Here is the whole text of the error in Chromium. The page title is "Security Error" and the text on the page says:

The server's security certificate is revoked!

You attempted to reach www1.pbxes.com, but the certificate that the server presented has been revoked by its issuer. This means that the security credentials the server presented absolutely should not be trusted. You may be communicating with an attacker. You should not proceed.

Help me understand

When you connect to a secure website, the server hosting that site presents your browser with something called a "certificate" to verify its identity. This certificate contains identity information, such as the address of the website, which is verified by a third party that your computer trusts. By checking that the address in the certificate matches the address of the website, it is possible to verify that you are securely communicating with the website you intended, and not a third party (such as an attacker on your network).

In this case, the certificate presented to your browser has been revoked by its issuer. This usually means that the integrity of this certificate has been compromised, and that the certificate should not be trusted. You absolutely should not proceed past this point.
,
Oct 13 2009
luke.hutch: Thanks. You get an SSL error page with the error message "The server's security certificate is revoked!", whereas this bug report is about getting a *pop-up* (when you mouse over the warning icon) with the message "unable to check whether the server's certificate was revoked". So you are experiencing a different bug. If your system time is correct (please double-check whether the time zone is also correct), please file a new bug report about your issue.

rogerd007: are you still experiencing this bug? Neither progame nor I can reproduce this bug.
,
Oct 13 2009
My timezone is correct. I filed separate issue 24731. Thanks.
,
Nov 21 2009
,
Nov 22 2009
I'm going to limit the scope of this bug to the original problem reported by rogerd007. I changed the OS to Windows based on the 2.0.172.33 Chrome version and the fact that rogerd007 also tested IE 8.

"Unable to check whether the server's certificate was revoked" means Chrome could not check revocation using CRL or OCSP. It does not mean the server's certificate has been revoked. This is why the certificate's serial number was not on the CRL. There may have been a network problem or the CRL download site or OCSP responder was not available when rogerd007 got the "unable to check whether the server's certificate was revoked" warning message.

Note: rogerd007 was able to download the CRL manually, so there could still be a Chrome bug.

Marked the bug WontFix (for "works as intended").
,
Nov 22 2009
Some more info: The certificate chain for https://migs.mastercard.com.au/ma/ has five certificates:

http://www.valicert.com/
RSA Public Root CA v1
MasterCard Root Public CA
MasterCard SSL Sub CA
migs.mastercard.com.au

None of the certificates specify an OCSP responder URL.

The bottom two certificates specify a CRL distribution point URL of http://certificates.mastercard.com/CRL_PUB/. rogerd007 was able to download a CRL from there manually.

The certificate in the middle specifies a CRL distribution point URL of http://www.rsasecurity.com/products/keon/repository/certificate_status/RSA_Public_Root_CA.crl
Perhaps it was this CRL that Chrome could not download. (Chrome checks the revocation status of every certificate in the chain except the root CA certificate.)

The top two certificates don't have a CRL distribution point extension.
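The difference between "revoked" and "unable to check" described in the two comments above, as an added example that is not part of the original thread and is not Chromium's code. It models the five-certificate chain with CRLs only (none of the certificates list an OCSP responder); the serial numbers, the CRL contents and the simulated downloader are constructed, and reporting a certificate without a CRL distribution point as "no revocation mechanism" rather than as a failure is an assumption of this model.

```python
from enum import Enum

class Status(Enum):
    GOOD = "good"
    REVOKED = "revoked"
    UNABLE_TO_CHECK = "unable to check"
    NO_MECHANISM = "no revocation mechanism"

MC_CRL = "http://certificates.mastercard.com/CRL_PUB/"
RSA_CRL = ("http://www.rsasecurity.com/products/keon/repository/"
           "certificate_status/RSA_Public_Root_CA.crl")

# Chain from the comment above, root first: (name, serial, CRL URL).
# Serial numbers are constructed for the example.
CHAIN = [
    ("http://www.valicert.com/", 1, None),   # root CA: never checked
    ("RSA Public Root CA v1", 2, None),
    ("MasterCard Root Public CA", 3, RSA_CRL),
    ("MasterCard SSL Sub CA", 4, MC_CRL),
    ("migs.mastercard.com.au", 5, MC_CRL),
]

def check_cert(serial, crl_url, fetch_crl):
    """Status of one certificate; fetch_crl(url) returns the revoked serials."""
    if crl_url is None:
        return Status.NO_MECHANISM
    try:
        revoked = fetch_crl(crl_url)
    except OSError:
        # A failed download says nothing about the certificate itself.
        return Status.UNABLE_TO_CHECK
    return Status.REVOKED if serial in revoked else Status.GOOD

def check_chain(chain, fetch_crl):
    """Check every certificate except the root; return (overall, per_cert)."""
    per_cert = {name: check_cert(serial, url, fetch_crl)
                for name, serial, url in chain[1:]}
    for status in (Status.REVOKED, Status.UNABLE_TO_CHECK):
        if status in per_cert.values():
            return status, per_cert
    return Status.GOOD, per_cert

def make_fetcher(crls, unreachable=()):
    """Simulated downloader: crls maps URL -> set of revoked serials."""
    def fetch(url):
        if url in unreachable:
            raise OSError("cannot download " + url)
        return crls[url]
    return fetch
```

Calling `check_chain(CHAIN, make_fetcher({MC_CRL: set()}, unreachable={RSA_CRL}))` gives an overall `UNABLE_TO_CHECK` while the leaf certificate itself is `GOOD`, which is the situation the report describes: a serial absent from the CRL that could be downloaded, and a warning caused by a CRL that could not.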
,
Dec 18 2009
,
Jan 4 2010
Hi, Just a little observation as I have users reporting the issue when accessing another mastercard domain (https://cap.securecode.com/acspage/cap?RID=183&VAA=A), not that it's limited to mastercard - googling led me to find the following post http://code.google.com/p/chromium/issues/detail?id=27125, in which it lists https://net.pbz.hr/pbz365/ as a problem site - which I went to on 02/01/10 and replicated the issue - read the SSL cert - took a screen shot of (which I only have in very low res thanks to Outlook) the SSL General tab showing expiry date of 26/06/10. More googling found this post you are reading and the URL (https://migs.mastercard.com.au/ma/) which expires on 01/03/10 and also has the problem. Interestingly when accessing https://net.pbz.hr/pbz365 today I do not get the problem - possibly leading me back to blaming mastercard as the certs are both issued by MasterCard SSL CA... Sorry for the long post - just want to get to the bottom of this one..
,
Jun 21 2011
The following revision refers to this bug:
http://src.chromium.org/viewvc/chrome?view=rev&revision=89897
------------------------------------------------------------------------
r89897 | jhawkins@chromium.org | Tue Jun 21 14:24:19 PDT 2011
Changed paths:
M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/fileapi/file_system_file_util_proxy.cc?r1=89897&r2=89896&pathrev=89897
M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/plugins/npapi/plugin_list.cc?r1=89897&r2=89896&pathrev=89897
M http://src.chromium.org/viewvc/chrome/trunk/src/net/socket/ssl_client_socket_pool.cc?r1=89897&r2=89896&pathrev=89897
M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/glue/glue_serialize.cc?r1=89897&r2=89896&pathrev=89897
M http://src.chromium.org/viewvc/chrome/trunk/src/media/filters/ffmpeg_demuxer.cc?r1=89897&r2=89896&pathrev=89897
M http://src.chromium.org/viewvc/chrome/trunk/src/net/proxy/proxy_config_service_linux.cc?r1=89897&r2=89896&pathrev=89897
M http://src.chromium.org/viewvc/chrome/trunk/src/net/base/listen_socket.cc?r1=89897&r2=89896&pathrev=89897
M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/fileapi/file_system_directory_database.cc?r1=89897&r2=89896&pathrev=89897
M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/plugins/npapi/plugin_instance.cc?r1=89897&r2=89896&pathrev=89897
M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/plugins/ppapi/ppb_audio_impl.cc?r1=89897&r2=89896&pathrev=89897
M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/plugins/ppapi/ppb_widget_impl.cc?r1=89897&r2=89896&pathrev=89897
M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/fileapi/file_system_operation_context.cc?r1=89897&r2=89896&pathrev=89897
M http://src.chromium.org/viewvc/chrome/trunk/src/webkit/plugins/ppapi/message_channel.cc?r1=89897&r2=89896&pathrev=89897
Coverity: Initialize member variables.
CID=9299,13805,14203,14284,14459,15435,15897,16023,16614,16773,16819,16820,
16908,16916
BUG=none
TEST=none
R=kmadhusu@chromium.org
Review URL: http://codereview.chromium.org/7215027
------------------------------------------------------------------------
,
Oct 12 2012
This issue has been closed for some time. No one will pay attention to new comments. If you are seeing this bug or have new data, please click New Issue to start a new bug.
,
Mar 10 2013