Closed Bug 919807 Opened 11 years ago Closed 8 years ago

Need a certificate manager to handle SSL

Categories

(Firefox OS Graveyard :: Gaia::Browser, defect)

Product:
Firefox OS Graveyard
Component:
Gaia::Browser
Platform:
ARM
Gonk (Firefox OS)
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WONTFIX

People

(Reporter: nhirata, Unassigned)

References

Details

(Keywords: feature, foxfood)

Attachments

(1 file)

firefox_os_add_certificates.sh
1.22 KB, text/x-sh
Details 
I think we need a certificate manager to handle importing of SSL certificates, deleting certificates, adding certificates, etc.

possible related bugs : bug 846734, bug 868373, bug 911047, bug 856529
There is a workaround for now to add root certificates http://www.pending.io/add-cacert-root-certificate-to-firefox-os/ and it worked for me.
It's not a real workaround. Since Edward Snowden we know that official singing authorities are not trustworthy at all.
I use a self signed CA-Cert certificate. It is really annoying that an open source os does not accept self singed signatures! We all know that the NSA has masterkeys for all official singing authorities. So allow me this question. How much money do you got for not even allow advanced users to override this limitation?
(In reply to mail from comment #2)
> It's not a real workaround. Since Edward Snowden we know that official
> singing authorities are not trustworthy at all.
> I use a self signed CA-Cert certificate. It is really annoying that an open
> source os does not accept self singed signatures! We all know that the NSA
> has masterkeys for all official singing authorities. So allow me this
> question. How much money do you got for not even allow advanced users to
> override this limitation?

This comment is inappropriate here. I encourage you to read the bugzilla etiquette (https://bugzilla.mozilla.org/page.cgi?id=etiquette.html) before posting such messages.

That being said, we made no decision to not support that. We'll happily add the functionality when we have time ourselves as Mozilla employees or if someone from the community contributes - hint, that could be you!
Hi,

just want to agree to this request. I have a bunch of services chaining up to my own root CA.
Furthermore, this is quite common in enterprise scenarios and as BYOD is becoming more and more popular, don't let Firefox OS be out of the game ;-)

So thumps up for a certificate manager.

Regards
Tim
For me this is the biggest FAIL of Firefox OS! I bought a phone to test it, and love FiefoxOS, but not let us, to use self signed certificate, this is a shame. Many company use self signed certificate for mail server. I think you shoud find some solution ASAP.
blocking-b2g: --- → 2.0?
blocking-b2g: 2.0? → ---
I got my ZTE Open C today and I was trying the work around mention in #c1 but I get the following error 
"Profile directory does not exists. Please start the b2g process at least once before running this script."

Do you need root access to start b2g process? Is there another way I can manually install root certificates? 

Except for this trouble, this phone is a big improvement over ZTE Open.
(In reply to Praveen A from comment #6)
> but I get the following error 
> "Profile directory does not exists. Please start the b2g process at least
> once before running this script."

I got it, too.

> Do you need root access to start b2g process? 

And I came to the same conclusion :)
Just to mention as a temporary workaround this post (and script from Enrico Tröger) http://www.pending.io/add-cacert-root-certificate-to-firefox-os/

Add this script to the temporary directory, download certificates to the certs subdirectory with

(mkdir -p certs ; cd certs ;
openssl s_client -showcerts -connect hostname.example.com:https|tee cert.pem
)

connect the phone (with Remote Debugging on), and then just run the script. Enter the same simple password couple of times (it is just during the run of the script not in the phone).
Aso can that certificate manager also support client certificates. It is important client certificates to be also supported with active sync (related to bug 932267)
Blocks: 1064352
I just bought a Geeksphone Revolution, I didn't expect Firefox OS to be so immature after all the hype that everyone has created. To me, the ability to add exceptions (thunderbird style) for self-signed certificates is a very basic thing that should work in a 1.0 version. I also tried http://www.pending.io/add-cacert-root-certificate-to-firefox-os/ with no results. The fact that tech enthusiasts like myself cannot get this done is troublesome, to say the least. Can anyone help?
Fist, I really appreciate the discussions about email security.

My opinion is that we desperately need this manager.

I have 3 FFOS phones (v1.1, 1.3, 2.0) and no one can do email, not even with the script+.pem certs workaround. It just says bad security - which is wrong.

The argumentation throughout bugzilla about this issue is flawed. It has been said so often that you can trust "official" authorities more than those you have chosen by yourself. But this not true. 
Self-signed certificates are not bad security if you know who the certificates come from. I understand the idea using official signing authorities like thawte etc., but this ideology also is flawed. 
People CHOOSE authorities - and should not be just told who the authority is. This practice is undermining the free society. FFOS should empower people to trust who they want and not tell them who to trust. FREEDOM also means the freedom to trust the wrong people (and many are in the opinion, that thawte for example are the wrong people).
Blocks: 1095816
Let me point out that the caldav strategy is also broken without this; I have a private server and have to reach it IN THE CLEAR because the calendar app won't talk to a self-signed (Revolution 2.0).  Yah, I'm a dev and yah, I'll look at coding such a cert manager myself.  But I'm way new to the FFOS game so that's going to be a while.  But the FFOS concept is brilliant... hang in there, guys!
FWIW, another case I ran into is that for security, I have configured my email server to only accept email submissions to be sent out along with a valid client certificate - and because of that, I can't add my email account to the email app. Would be good if I could put a client cert on the phone and it would be handed to the outgoing email server.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: