User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 (Beta/Release) Build ID: 20140506152807 Steps to reproduce: attempted to connect to private webserver using https Actual results: no prompt to add exception for local website Expected results: in previous versions, the browser would allow me to add an exception for the local site. now only get the 'Try Again' button.
QA Whiteboard: [bugday-20140609]
Component: Untriaged → Security
Product: Firefox → Core
What is the specific error being displayed? (It'll be something like "sec_error_...")
sec_error_ocsp_future_response can happen if: 1. There's a bug with how the OCSP verification code handles timezones 2. The OCSP responder's clock is incorrectly set (or it's otherwise using a response it shouldn't yet) 3. The clock of the computer the browser is running is incorrectly set. Since developer.mozilla.org seems to work for me, it's probably either 1 or 3.
It doesn't matter why. I should be able to add an exception. [In this case, I'm using a public computer with the clock incorrectly set that I cannot change, but this can happen because of other reasons too.]
I see. What's happening here is the server is stapling an OCSP response in the TLS handshake. Unlike with OCSP fetching (where such an error would be ignored by default), we've imposed stricter checking on OCSP stapling. In order to not end up in a situation where OCSP stapling is useless from a security perspective, I doubt we'll add the ability to add an override for this.
Well, I can't change the time, and I'm trying to access a site that does not have any sensitive information. I don't see any reason why this shouldn't be able to be overridden.
I spot this behavior on Windows 7; on Windows 2003 exceptions work up to Firefox 31. Starting from Firefox 3, if SSL certificate (CA or server) isn't accepted, exceptions can't be added. Looks like this is universal Mozilla products SSL processing flaw (see similar Thunderbird bug 1036338). Exceptions must be allowed under every possible circumstances. Browser/mail client may not forbid to add SSL exceptions.
Konstantin, that is probably a different issue. Please file a new bug: https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=Security:%20PSM&short_desc=(mozilla::pkix)%20
Summary: Firefox 29.0.1 does not allow users to add certificate exceptions → Firefox does not allow users to add certificate exceptions for stapled ocsp responses
You need to log in before you can comment on or make changes to this bug.