Firefox does not allow users to add certificate exceptions for stapled ocsp responses

Status: UNCONFIRMED
Assignee: Unassigned
Product: Core
Component: Security
Reporter: u435975
Version: 29 Branch
Hardware: x86_64 Windows 7
Last updated: 4 years ago
Attachments: 1

Description (Reporter, 4 years ago)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 (Beta/Release)
Build ID: 20140506152807

Steps to reproduce:

Attempted to connect to a private web server using HTTPS.


Actual results:

No prompt to add an exception for the local website.


Expected results:

In previous versions, the browser would allow me to add an exception for the local site. Now I only get the 'Try Again' button.

Updated (4 years ago)
QA Whiteboard: [bugday-20140609]
Component: Untriaged → Security
Product: Firefox → Core

Updated (4 years ago)
Duplicate of this bug: 1022109

What is the specific error being displayed? (It'll be something like "sec_error_...")
Flags: needinfo?(dr431)

Comment 3 (4 years ago)

Created attachment 8437162 [details]
screenshot

sec_error_ocsp_future_response can happen if:
1. There's a bug with how the OCSP verification code handles timezones.
2. The OCSP responder's clock is incorrectly set (or it's otherwise using a response it shouldn't yet).
3. The clock of the computer the browser is running on is incorrectly set.

Since developer.mozilla.org seems to work for me, it's probably either 1 or 3.

Comment 5 (4 years ago)

It doesn't matter why. I should be able to add an exception.

[In this case, I'm using a public computer with the clock incorrectly set that I cannot change, but this can happen because of other reasons too.]

I see. What's happening here is the server is stapling an OCSP response in the TLS handshake. Unlike with OCSP fetching (where such an error would be ignored by default), we've imposed stricter checking on OCSP stapling. In order not to end up in a situation where OCSP stapling is useless from a security perspective, I doubt we'll add the ability to add an override for this.
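An added illustration, not code from this bug or from Firefox, of the two things the reply above describes: the validity-window check against the local clock that yields an error such as sec_error_ocsp_future_response, and the policy split between a stapled response (error is fatal, no override) and a fetched one (error ignored by default). The clock-skew tolerance, the sample window and the "old_response" label are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed skew tolerance; the real verifier threshold is not stated on the bug page.
CLOCK_SKEW = timedelta(minutes=5)


@dataclass
class OcspTimes:
    """Validity window (thisUpdate/nextUpdate) read from an OCSP SingleResponse."""
    this_update: datetime
    next_update: datetime


def check_ocsp_window(times: OcspTimes, now: datetime, tolerance: timedelta = CLOCK_SKEW) -> str:
    """Classify the response relative to the local clock: 'good',
    'future_response' (thisUpdate still ahead of us) or 'old_response' (nextUpdate passed)."""
    if times.this_update - tolerance > now:
        return "future_response"
    if times.next_update + tolerance < now:
        return "old_response"
    return "good"


def verdict(times: OcspTimes, now: datetime, stapled: bool) -> str:
    """Stapled response: a bad window is fatal and cannot be overridden.
    Fetched response: the same error is ignored by default (soft fail)."""
    result = check_ocsp_window(times, now)
    if result == "good":
        return "connect"
    return f"fatal:sec_error_ocsp_{result}" if stapled else f"soft-fail:ignored_{result}"


def clock_offset_hint(times: OcspTimes, now: datetime) -> timedelta:
    """Smallest clock adjustment that would land inside the window; this is the
    diagnostic for case 3 of comment 3 (local clock set wrong)."""
    if now < times.this_update:
        return times.this_update - now
    if now > times.next_update:
        return times.next_update - now
    return timedelta(0)


# Constructed sample: a one-week window and a local clock eight days behind it.
SAMPLE_WINDOW = OcspTimes(datetime(2014, 6, 9, 12, 0, tzinfo=timezone.utc),
                          datetime(2014, 6, 16, 12, 0, tzinfo=timezone.utc))
LOCAL_CLOCK_BEHIND = datetime(2014, 6, 1, 12, 0, tzinfo=timezone.utc)


def run_demo() -> dict:
    """Same stale clock, both delivery paths, so the policy difference is visible."""
    return {"stapled": verdict(SAMPLE_WINDOW, LOCAL_CLOCK_BEHIND, stapled=True),
            "fetched": verdict(SAMPLE_WINDOW, LOCAL_CLOCK_BEHIND, stapled=False)}
```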

Comment 7 (4 years ago)

Well, I can't change the time, and I'm trying to access a site that does not have any sensitive information. I don't see any reason why this shouldn't be able to be overridden.
Flags: needinfo?(dr431)

Comment 8 (4 years ago)

I spot this behavior on Windows 7; on Windows 2003 exceptions work up to Firefox 31.

Starting from Firefox 3, if the SSL certificate (CA or server) isn't accepted, exceptions can't be added.

Looks like this is a universal Mozilla products SSL processing flaw (see the similar Thunderbird bug 1036338).

Exceptions must be allowed under all possible circumstances. A browser/mail client may not forbid adding SSL exceptions.
Summary: Firefox 29.0.1 does not allow users to add certificate exceptions → Firefox does not allow users to add certificate exceptions for stapled ocsp responses