Open Bug 1025708 Opened 10 years ago Updated 2 years ago

Unable to add security exception when using a self-signed CA

Categories

(Core :: Security, defect)

31 Branch
defect

UNCONFIRMED

People

(Reporter: loic.yhuel, Unassigned)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0 (Beta/Release)
Build ID: 20140615030204

Steps to reproduce:
Load https://bugzilla.softathome.com

Actual results:
It fails with an error: Issuer certificate is invalid. (Error code: sec_error_ca_cert_invalid)

Expected results:
Firefox 30 returned a sec_error_cert_signature_algorithm_disabled error (since the *.softathome.com certificate uses an MD5 signature), which allowed adding an exception. There should be a way to add an exception for the certificate without trusting the whole CA.

I can still add exceptions for the same certificate on other servers, as long as they don't send the CA certificate (so the error is sec_error_unknown_issuer), for example https://mailfr.softathome.com.

From a security point of view:
- I don't see why a self-signed issuer would be worse than an unknown one.
- Trusting the individual certificate for a specific host is better than trusting the whole CA (protecting privacy in corporate networks, CA leaks, ...).
OS: Windows 7 → All
Hardware: x86_64 → All
When searching for workarounds, I found something strange. If I import the ldapntr2.softathome.com certificate in the Servers tab of the certificate manager, I get a sec_error_untrusted_issuer error. That seems logical, as it was not added as a CA. But in this case the error page allows adding an exception, yet the "Add security exception" dialog does not work: "No information available", and all buttons are grayed out except "Get certificate" and "Cancel".
The issuer certificate (ldapntr2.softathome.com) is a v1 certificate, and thus doesn't have a basic constraints extension. Since it's not a trusted root, mozilla::pkix (the new certificate verification library) doesn't allow it to act as an issuer. One workaround would be to import the issuer certificate as a CA in the certificate manager and trust it to identify websites.
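As an added illustration (not part of the bug thread and not mozilla::pkix code), this sketch reads the two fields the comment above turns on, the certificate version and the basicConstraints cA flag, straight from DER and applies a simplified model of the stated rule. The function names, the `may_issue` rule and the skeleton sample certificates are constructed assumptions.

```python
BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # OID 2.5.29.19

def tlv(tag, *parts):  # encode one DER element; short-form length only
    body = b"".join(parts)
    assert len(body) < 128, "short form only"
    return bytes([tag, len(body)]) + body

def read_all(buf):
    """Split a DER value into its child (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits count the length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def version_and_ca(cert_der):
    """Return (version, cA); cA is None when basicConstraints is absent."""
    tbs = read_all(read_all(read_all(cert_der)[0][1])[0][1])
    version, ca = 1, None
    for tag, val in tbs:
        if tag == 0xA0:  # [0] EXPLICIT Version; absent means v1
            version = read_all(val)[0][1][0] + 1
        elif tag == 0xA3:  # [3] EXPLICIT Extensions, v3 only
            for _, ext in read_all(read_all(val)[0][1]):
                fields = read_all(ext)  # OID, optional critical flag, OCTET STRING
                if fields[0][1] == BASIC_CONSTRAINTS:
                    bc = read_all(read_all(fields[-1][1])[0][1])
                    ca = bool(bc) and bc[0][0] == 0x01 and bc[0][1] != b"\x00"
    return version, ca

def may_issue(cert_der, is_trusted_root):
    """Simplified model of the rule stated in the thread, not mozilla::pkix code."""
    version, ca = version_and_ca(cert_der)
    return ca is True or (version == 1 and is_trusted_root)

def sample_cert(v3, ca=None):
    """Constructed skeleton: certificate-shaped DER, empty names, dummy signature."""
    tbs = [tlv(0x02, b"\x01")] + [tlv(0x30)] * 5  # serial, then sigAlg..SPKI left empty
    if v3:
        tbs.insert(0, tlv(0xA0, tlv(0x02, b"\x02")))
        if ca is not None:
            bc = tlv(0x30, tlv(0x01, b"\xff") if ca else b"")
            ext = tlv(0x30, tlv(0x06, BASIC_CONSTRAINTS), tlv(0x04, bc))
            tbs.append(tlv(0xA3, tlv(0x30, ext)))
    return tlv(0x30, tlv(0x30, *tbs), tlv(0x30), tlv(0x03, b"\x00"))
```

`version_and_ca` also accepts the DER bytes of a real certificate; `may_issue(sample_cert(False), False)` models the situation in this bug, a v1 issuer that is not a trusted root.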
But why doesn't adding an exception for the site work? It's possible if the site doesn't send the issuer certificate, so it should be the same if it's present but untrusted.
Summary: [regression] Unable to add security exception when using a self-signed CA → Unable to add security exception when using a self-signed CA
Severity: normal → S3