Open Bug 1020081 Opened 10 years ago Updated 2 years ago

Firefox does not allow users to add certificate exceptions for stapled ocsp responses

Categories

(Core :: Security, defect)

29 Branch
x86_64
Windows 7
defect


UNCONFIRMED

People

(Reporter: u435975, Unassigned)

References

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 (Beta/Release)
Build ID: 20140506152807

Steps to reproduce:

attempted to connect to private webserver using https


Actual results:

no prompt to add exception for local website


Expected results:

In previous versions, the browser would allow me to add an exception for the local site. Now I only get the 'Try Again' button.
QA Whiteboard: [bugday-20140609]
Component: Untriaged → Security
Product: Firefox → Core
What is the specific error being displayed? (It'll be something like "sec_error_...")
Flags: needinfo?(dr431)
Attached image screenshot
sec_error_ocsp_future_response can happen if:
1. There's a bug with how the OCSP verification code handles timezones
2. The OCSP responder's clock is incorrectly set (or it's otherwise using a response it shouldn't yet)
3. The clock of the computer the browser is running on is incorrectly set.

Since developer.mozilla.org seems to work for me, it's probably either 1 or 3.
It doesn't matter why. I should be able to add an exception.

[In this case, I'm using a public computer with the clock incorrectly set that I cannot change, but this can happen because of other reasons too.]
I see. What's happening here is the server is stapling an OCSP response in the TLS handshake. Unlike with OCSP fetching (where such an error would be ignored by default), we've imposed stricter checking on OCSP stapling. In order to not end up in a situation where OCSP stapling is useless from a security perspective, I doubt we'll add the ability to add an override for this.
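The two checks discussed in the comments above, the validity-window test that produces sec_error_ocsp_future_response and the stricter handling of a stapled response versus a fetched one, as an added example. This is not Firefox, NSS or mozilla::pkix code: it parses the text that `openssl s_client -status` prints for a stapled response (the sample below is constructed, not captured from the reporter's server), classifies the response against a given local clock, and applies the stapled/fetched policy. The one-hour skew tolerance is an assumption for this example, not the constant Firefox uses.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of what `openssl s_client -status` prints for a stapled
# response; it is not captured from the server in this bug.
SAMPLE_STATUS_OUTPUT = """\
OCSP response:
======================================
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Produced At: Jun 10 19:53:49 2014 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
    Cert Status: good
    This Update: Jun 10 19:53:49 2014 GMT
    Next Update: Jun 17 19:53:49 2014 GMT
"""

OPENSSL_TIME_FORMAT = "%b %d %H:%M:%S %Y GMT"

# Tolerance for clock skew between responder and client. The value is an
# assumption for this example, not the slop Firefox applies.
CLOCK_SLOP = timedelta(hours=1)


def parse_openssl_time(value):
    """Parse an OpenSSL-style GMT timestamp into an aware UTC datetime."""
    return datetime.strptime(value.strip(), OPENSSL_TIME_FORMAT).replace(tzinfo=timezone.utc)


def parse_status_output(text):
    """Pull cert status and the validity window out of openssl -status text."""
    def field(label):
        m = re.search(rf"^\s*{label}:\s*(.+?)\s*$", text, re.MULTILINE)
        return m.group(1) if m else None

    this_update = field("This Update")
    if this_update is None:
        raise ValueError("no 'This Update' line: output does not contain a parsed OCSP response")
    next_update = field("Next Update")
    return {
        "cert_status": field("Cert Status"),
        "this_update": parse_openssl_time(this_update),
        # nextUpdate is optional in RFC 6960; absent means "ask again any time"
        "next_update": parse_openssl_time(next_update) if next_update else None,
    }


def check_validity_window(response, now, slop=CLOCK_SLOP):
    """Return None if the response is usable at `now`, else the NSS error name.

    thisUpdate later than the client's clock (plus slop) is the condition
    behind SEC_ERROR_OCSP_FUTURE_RESPONSE, whichever clock is the wrong one.
    """
    if response["this_update"] > now + slop:
        return "SEC_ERROR_OCSP_FUTURE_RESPONSE"
    next_update = response["next_update"]
    if next_update is not None and now > next_update + slop:
        return "SEC_ERROR_OCSP_OLD_RESPONSE"
    return None


def evaluate(response, now, stapled):
    """Apply the policy described in the comment: the same validity error is
    fatal for a stapled response but soft-fails (no revocation info) when the
    client fetched the response itself."""
    error = check_validity_window(response, now)
    if error is None:
        return {"error": None, "fatal": False, "cert_status": response["cert_status"]}
    if stapled:
        return {"error": error, "fatal": True, "cert_status": None}
    return {"error": error, "fatal": False, "cert_status": "unknown"}


def apparent_skew(response, now):
    """How far ahead of the local clock the responder's clock appears to be.

    A large positive value means either the local clock is behind (cause 3 in
    the list above) or the responder's clock is ahead (cause 2); the response
    alone cannot tell which, so compare against a host that is known to work.
    """
    return response["this_update"] - now


if __name__ == "__main__":
    resp = parse_status_output(SAMPLE_STATUS_OUTPUT)
    for label, clock in (("correct clock", "Jun 10 20:00:00 2014 GMT"),
                         ("clock nine days behind", "Jun  1 20:00:00 2014 GMT")):
        now = parse_openssl_time(clock)
        print(label, "| stapled:", evaluate(resp, now, stapled=True),
              "| fetched:", evaluate(resp, now, stapled=False))
```

To run this against a real server, feed it the output of `openssl s_client -connect host:443 -status < /dev/null` and pass the current UTC time as `now`; if the same response is reported as a future response on one machine and accepted on another, the local clock of the failing machine is the cause, which is what the comparison with developer.mozilla.org above was getting at.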
Well, I can't change the time, and I'm trying to access a site that does not have any sensitive information. I don't see any reason why this shouldn't be able to be overridden.
I spot this behavior on Windows 7; on Windows 2003 exceptions work up to Firefox 31.

Starting from Firefox 3, if an SSL certificate (CA or server) isn't accepted, exceptions can't be added.

Looks like this is a universal SSL processing flaw in Mozilla products (see the similar Thunderbird bug 1036338).

Exceptions must be allowed under all possible circumstances. A browser or mail client may not forbid adding SSL exceptions.
Summary: Firefox 29.0.1 does not allow users to add certificate exceptions → Firefox does not allow users to add certificate exceptions for stapled ocsp responses
Severity: normal → S3