firefox 31 self-signed cert chain requires hand-import of root

RESOLVED DUPLICATE of bug 1042915

Status

()

Firefox
Untriaged
RESOLVED DUPLICATE of bug 1042915
3 years ago
3 years ago

People

(Reporter: James E. Leinweber, Unassigned)

Tracking

31 Branch
x86_64
Windows 7
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0 (Beta/Release)
Build ID: 20140716183446

Steps to reproduce:

upgraded from firefox 30 to 31
visited a tripwire enterprise 8.3 console at https://some.host.local
There is a two-certificate chain for some.host.local --> TripmasterDSA


Actual results:

Got a message:
		An error occurred during a connection to some.host.local 
		Issuer certificate is invalid. 
		(Error code: sec_error_ca_cert_invalid)



Expected results:

In earlier versions, before the pkix conversion, we got the "This Connection is Untrusted"  dialog, which allowed adding an exception.  IE11 and Chrome 37 and Firefox 30 all do this.  

In Firefox 31 I had to use the workaround of:
   openssl s_client -connect some.host.local:443 -showcerts
to obtain tripwire console's cert, then hand-import it using firefox's 
   certificate manager | authorities --> import
before visiting http://some.host.local would offer the "This connection is untrusted ..." dialog.

While I certainly agree that a 3rd party application vendors self-signed cert should not be included in mozilla's default root cert authorities pool, the behavior of the
"This connection is untrusted" dialog should deal with a multi-cert chain, not
just the server you are trying to connect to.

Updated

3 years ago
Status: UNCONFIRMED → RESOLVED
Last Resolved: 3 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1042915
You need to log in before you can comment on or make changes to this bug.