Closed Bug 1054007 Opened 11 years ago Closed 11 years ago

Need security.use_mozillapkix_verification=false to access site with imported self signed CA

Categories

(Tech Evangelism Graveyard :: English US, defect)

x86_64
All
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 1034124

People

(Reporter: bugzilla, Unassigned)

Details

Attachments

(1 file)

Attached file Self signed CA cert
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Firefox/31.0 (Beta/Release)
Build ID: 20140716183446

Steps to reproduce:
Visit site https://assign5.stanford.edu/

Actual results:
After upgrading to 31 site is blocked with certificate error even though the CA was previously imported and trusted in FF. Worked fine in prior versions.

Expected results:
Should have accepted the imported self signed certificate. Setting security.use_mozillapkix_verification=false is a workaround.
Component: Untriaged → General
OS: Linux → All
Component: General → Security
Product: Firefox → Core
First of all, the server should be sending the appropriate intermediates, but it isn't: https://www.ssllabs.com/ssltest/analyze.html?d=assign5.stanford.edu Anyway, it looks like the certificate you attached has expired and that the one it's been replaced with has a different key, which explains why it isn't working for you any more. Do you know who runs the server? It would be nice to let them know it's not properly set up.
Flags: needinfo?(bugzilla)
Assignee: nobody → english-us
Component: Security → English US
Product: Core → Tech Evangelism
Version: 31 Branch → unspecified
I run that server. I upgraded the certificate to an InCommon signed cert. The original problem still stands but the example I gave is no longer valid. FF is no longer accepting self-signed certs. Lack of intermediate cert noted.
Flags: needinfo?(bugzilla)
Ah, I see. It sounds like there might be a problem with having an override when the server changes its cert. What error/ui are you seeing? (e.g. SEC_ERROR_UNKNOWN_ISSUER or something?)
My localhost is still set up with a self-signed cert. If I set security.use_mozillapkix_verification=true then reload I get an error with these lines: Issuer certificate is invalid. (Error code: sec_error_ca_cert_invalid) Previous to 31 this worked fine.
It's possible that bug 1034124 will fix this. If you use Nightly, what error do you get?
This is a duplicate of bug 1034124. My certificate does have the basicConstraints extension with the value CA=TRUE as described in that bug report. I am using this because my server application needs to issue certs to other servers. However, I later realized that the certificate chain used internally by the servers does not have to be the same one used for the Web interface. For this reason I'm now using two separate certificate chains. So this is not really a problem for me anymore. It was surprising that FF blocked my cert all of a sudden but now that I know it's due to the CA=TRUE option it makes more sense. Perhaps the error message could be made more informative.
Ok - sounds good. For future reference, bug 1040446 added an error name/string specific to this situation and bug 1034124 made that error overridable. Hopefully we'll be able to uplift those to 33, but they'll both be in 34 anyway.
Status: UNCONFIRMED → RESOLVED
Closed: 11 years ago
Resolution: --- → DUPLICATE
Product: Tech Evangelism → Tech Evangelism Graveyard
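
Added example (not part of the bug thread and not Firefox or mozilla::pkix code): a standard-library Python check for the condition the reporter identified, a certificate served as a web server certificate that carries basicConstraints with CA=TRUE. The names `tlv`, `children`, `is_ca` and `sample_cert` are hypothetical, and the two sample certificates are constructed skeletons with dummy fields rather than real certificates.

```python
# Added example: read basicConstraints cA from a DER-encoded X.509 certificate.
BASIC_CONSTRAINTS = bytes.fromhex("551d13")  # OID 2.5.29.19

def tlv(tag, body=b""):
    """Encode one DER element; used only to build the constructed samples."""
    n = len(body)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + body

def children(buf):
    """Yield (tag, value) for each DER element in buf (single-byte tags)."""
    i = 0
    while i < len(buf):
        tag, n = buf[i], buf[i + 1]
        i += 2
        if n & 0x80:  # long-form length: low 7 bits give the byte count
            k = n & 0x7F
            n = int.from_bytes(buf[i:i + k], "big")
            i += k
        yield tag, buf[i:i + n]
        i += n

def is_ca(cert_der):
    """True if the certificate asserts basicConstraints cA=TRUE."""
    (_, cert), = children(cert_der)            # Certificate SEQUENCE
    _, tbs = next(children(cert))              # tbsCertificate
    for tag, val in children(tbs):
        if tag != 0xA3:                        # [3] EXPLICIT extensions
            continue
        (_, exts), = children(val)             # SEQUENCE OF Extension
        for _, ext in children(exts):
            fields = list(children(ext))       # extnID, [critical], extnValue
            if fields[0][1] == BASIC_CONSTRAINTS:
                (_, bc), = children(fields[-1][1])  # OCTET STRING wraps the SEQUENCE
                first = next(children(bc), None)
                return first is not None and first[0] == 0x01 and first[1] != b"\x00"
    return False                               # extension absent: cA defaults to FALSE

def sample_cert(bc_body):
    """Constructed skeleton: dummy fields, no real key or signature."""
    ext = tlv(0x30, tlv(0x06, BASIC_CONSTRAINTS) + tlv(0x01, b"\xff")
              + tlv(0x04, tlv(0x30, bc_body)))
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")
              + tlv(0x30) * 5 + tlv(0xA3, tlv(0x30, ext)))
    return tlv(0x30, tbs + tlv(0x30) + tlv(0x03, b"\x00"))

CA_TRUE = sample_cert(tlv(0x01, b"\xff"))      # cA=TRUE, as on the reporter's cert
CA_FALSE = sample_cert(b"")                    # cA omitted, so FALSE
```

To check a real PEM certificate, pass `ssl.PEM_cert_to_DER_cert(pem_text)` to `is_ca`; a `True` result on a certificate served directly by a web server matches the situation described in this bug.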