181556 - Connecting to a site whose SSL cert is revoked

Status: RESOLVED INVALID

(Core Graveyard :: Security: UI, defect, P2)

Description

[Michael J Dalby]

User-Agent:       Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2b) Gecko/20021016

On clicking OK to continue (in this case it was an Linux server admin page) 
does nothing (won't connect) have to cancel and use MSIE etc.

Reproducible: Always

Steps to Reproduce:
1.
2.
3.

Comment 1

[Matthias Versen [:Matti]]

example URL ?

-> PSM

Comment 2

[John Unruh]

*** Bug 98211 has been marked as a duplicate of this bug. ***

Comment 3

[Nelson Bolyard (seldom reads bugmail)]

The https server residential.qwest.com appears to me to be using a revoked cert.  
When OCSP is enabled, or when you have imported Verisign's CRL from the URL
  http://crl.verisign.com/RSASecureServer.crl
and you then visit 
  https://residential.qwest.com/flibberty.gibbet
you get a dialog that says
 "Could not establish an encrypted connection because certificate presented by
  residential.qwest.com has been revoked."
The dialog has only one button, which says "OK".  Clicking it does not 
override the cert revocation, but rather cancels the attempt to fetch the URL.  

However, when no CRL for verisign is loaded, and OCSP is disabled, the url
cited above returns a page-not-found error.  The SSL connection is unhindered
in that case.  

I think the submittor of this bug is complaining that he cannot override 
the cert revocation and visit the web site anyway.  If that is indeed the 
complaint, then this bug should be resolved invalid, because mozilla can be
configured to disable configuration checking, although we do not recommend 
this for the average user.

Submittor, is that the essence of your complaint?

Comment 4

[John G. Myers]

Mass reassign ssaux bugs to nobody