Bug 1020081 (Open, UNCONFIRMED)
Opened 11 years ago, updated 2 years ago
Firefox does not allow users to add certificate exceptions for stapled ocsp responses
Categories: Core :: Security, defect
People: Reporter u435975, Unassigned
Attachments: 1 file (1.78 MB, image/jpeg)
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:29.0) Gecko/20100101 Firefox/29.0 (Beta/Release)
Build ID: 20140506152807
Steps to reproduce:
attempted to connect to private webserver using https
Actual results:
no prompt to add exception for local website
Expected results:
In previous versions, the browser would allow me to add an exception for the local site. Now I only get the 'Try Again' button.
Updated•11 years ago
QA Whiteboard: [bugday-20140609]
Component: Untriaged → Security
Product: Firefox → Core
Comment 2•11 years ago
What is the specific error being displayed? (It'll be something like "sec_error_...")
Flags: needinfo?(dr431)
Comment 4•11 years ago
sec_error_ocsp_future_response can happen if:
1. There's a bug with how the OCSP verification code handles timezones
2. The OCSP responder's clock is incorrectly set (or it's otherwise using a response it shouldn't yet)
3. The clock of the computer the browser is running on is incorrectly set.
Since developer.mozilla.org seems to work for me, it's probably either 1 or 3.
It doesn't matter why. I should be able to add an exception.
[In this case, I'm using a public computer with the clock incorrectly set that I cannot change, but this can happen because of other reasons too.]
Comment 6•11 years ago
I see. What's happening here is the server is stapling an OCSP response in the TLS handshake. Unlike with OCSP fetching (where such an error would be ignored by default), we've imposed stricter checking on OCSP stapling. In order to not end up in a situation where OCSP stapling is useless from a security perspective, I doubt we'll add the ability to add an override for this.
Well, I can't change the time, and I'm trying to access a site that does not have any sensitive information. I don't see any reason why this shouldn't be able to be overridden.
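The situation described in the comments above, modelled as an added example that is not Firefox or NSS code: a stapled OCSP response whose thisUpdate lies in the client's future (because the client clock is behind) is hard-failed, while the same response obtained by fetching is soft-failed. The skew tolerance SLOP and the error-name mapping are assumptions for illustration, not values taken from mozilla::pkix.

```python
from datetime import datetime, timedelta, timezone

# Assumed clock-skew tolerance; the real value is not stated in the bug.
SLOP = timedelta(hours=1)

def ocsp_time_status(this_update, next_update, now, slop=SLOP):
    """Classify a response's validity window against the client clock.
    Returns "ok", or an NSS-style error name for illustration."""
    if this_update > now + slop:
        # Responder says "valid from" a time the client has not reached yet.
        return "sec_error_ocsp_future_response"
    if next_update is not None and next_update < now - slop:
        return "sec_error_ocsp_old_response"
    return "ok"

def connection_outcome(this_update, next_update, now, stapled):
    """Policy from Comment 6: a time error in a fetched response is ignored
    (soft-fail); the same error in a stapled response aborts the handshake."""
    status = ocsp_time_status(this_update, next_update, now)
    if status == "ok":
        return "connected"
    if stapled:
        return "error:" + status          # no override offered
    return "connected (ocsp error ignored)"

def demo():
    # Constructed sample: responder issued the response on 2014-05-10 with a
    # 7-day window; the client's clock is set 9 days behind (2014-05-01).
    this_update = datetime(2014, 5, 10, 12, 0, tzinfo=timezone.utc)
    next_update = this_update + timedelta(days=7)
    client_now = datetime(2014, 5, 1, 12, 0, tzinfo=timezone.utc)
    return (
        connection_outcome(this_update, next_update, client_now, stapled=True),
        connection_outcome(this_update, next_update, client_now, stapled=False),
        connection_outcome(this_update, next_update, this_update + timedelta(days=1), stapled=True),
    )

if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```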
Updated•10 years ago
Flags: needinfo?(dr431)
Comment 8•10 years ago
I spot this behavior on Windows 7; on Windows 2003 exceptions work up to Firefox 31.
Starting from Firefox 3, if an SSL certificate (CA or server) isn't accepted, exceptions can't be added.
Looks like this is a universal Mozilla products SSL processing flaw (see similar Thunderbird bug 1036338).
Exceptions must be allowed under all possible circumstances. A browser/mail client may not forbid adding SSL exceptions.
Comment 9•10 years ago
Konstantin, that is probably a different issue. Please file a new bug: https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=Security:%20PSM&short_desc=(mozilla::pkix)%20
Updated•10 years ago
Summary: Firefox 29.0.1 does not allow users to add certificate exceptions → Firefox does not allow users to add certificate exceptions for stapled ocsp responses
Updated•2 years ago
Severity: normal → S3