Closed Bug 1057344 Opened 10 years ago Closed 10 years ago

Add exception for untrusted connection is missing on Firefox 31 & 32

Categories

(Core :: Security, defect)

31 Branch
defect
Not set
normal

RESOLVED INVALID

People

(Reporter: Swarnava, Unassigned)

Details

In the latest update to Firefox for Android - 31.0 - the "Add exception" option disappeared on the Invalid certificate page. I have done a ton of research and apparently no one is bothered or am I the only one having this problem?

The website is https://ap2.commercialpress.com.hk, on Android ICS 4.0.4. There is a "Try again" button and nothing else. The previous versions, up to 29.0.1, did ask for an exception through a dialog popup. 31.0 does not.
I see the same thing on desktop with Firefox 31/32, so it was a core problem.

On 33/34, I get the untrusted connection screen. Under "I understand the risks" at the bottom you can add a permanent exception.

David, do you know what the problem (?) was on 31 and on 32?
Component: Settings and Preferences → Security
Flags: needinfo?(dkeeler)
Product: Firefox for Android → Core
Version: Trunk → 31 Branch
Summary: Add exception for certificate is missing on Firefox Android → Add exception for untrusted connection is missing on Firefox 31 & 32
https://www.ssllabs.com/ssltest/analyze.html?d=ap2.commercialpress.com.hk

Path #1: Not trusted (path does not chain to a trusted anchor)
1  Sent by server                       ap2.commercialpress.com.hk
   SHA1: 3f790a8a2ed95f701aae8d0e5744c8e829a78cb0
   RSA 1024 bits / MD5withRSA   WEAK KEY   WEAK SIGNATURE
2  Sent by server / Not in trust store  commercialpress.com.hk
   SHA1: ead13fa949d61162e6630e1608898a215c777992
   RSA 1024 bits / MD5withRSA   WEAK KEY

Cipher Suites (sorted by strength; the server has no preference)
TLS_RSA_WITH_DES_CBC_SHA (0x9)               WEAK    56
TLS_RSA_EXPORT1024_WITH_DES_CBC_SHA (0x62)   WEAK    56
TLS_RSA_WITH_RC4_128_MD5 (0x4)                      128
TLS_RSA_WITH_RC4_128_SHA (0x5)                      128
TLS_RSA_WITH_3DES_EDE_CBC_SHA (0xa)                 112

Server is SSL3 only & cert is 1024 bit w/ MD5. Security here is appallingly bad. I think the lack of override compatibility is intentional (though I can't find the bug where exceptions for this were disabled).
OS: Android → All
The issuing certificate in this case lacks a basic constraints extension and is thus not allowed to sign other certificates. This used to result in the error SEC_ERROR_CA_CERT_INVALID, which is not overridable, and never has been. However, in 33/34, I believe what happened is we changed the order of some checks having to do with signature verification. As a result, since the signature algorithm is the disabled/untrusted md5/rsa, we report that error (which is currently overridable, although there are plans to amend this situation).
Flags: needinfo?(dkeeler)
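The chain shape described in the comment above, reproduced as an added example in Go (this is not Mozilla/NSS code and not the site's real certificates): an issuer certificate that carries no basicConstraints extension signs a server certificate, and the program shows how a verifier tells the structural "issuer is not a CA" failure apart from a disabled-signature-algorithm failure. The names `demo-issuer.invalid` and `demo-server.invalid` are constructed placeholders. Go's `CreateCertificate` refuses to sign with MD5, so the weak-signature branch of `ClassifyFailure` is shown but not exercised by the generated chain; note that Go's `CheckSignatureFrom`, like the older NSS order the comment refers to, checks basicConstraints before it looks at the signature algorithm.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// IssuerMayIssue applies RFC 5280 section 4.2.1.9: a version 3 certificate
// may only sign other certificates if it carries basicConstraints with cA=TRUE.
func IssuerMayIssue(issuer *x509.Certificate) (bool, string) {
	switch {
	case issuer.Version == 3 && !issuer.BasicConstraintsValid:
		return false, "no basicConstraints extension"
	case issuer.BasicConstraintsValid && !issuer.IsCA:
		return false, "basicConstraints present but cA=FALSE"
	default:
		return true, "cA=TRUE"
	}
}

// ClassifyFailure maps the error from x509's CheckSignatureFrom onto the two
// error classes discussed in the bug. Go checks basicConstraints before the
// signature algorithm, so a non-CA issuer that also signs with MD5 is
// reported as the structural problem, not the weak signature.
func ClassifyFailure(leaf, issuer *x509.Certificate) string {
	err := leaf.CheckSignatureFrom(issuer)
	var cve x509.ConstraintViolationError
	var iae x509.InsecureAlgorithmError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &cve):
		return "issuer-not-ca" // structural: no user exception makes this safe
	case errors.As(err, &iae):
		return "weak-signature" // disabled algorithm such as MD5withRSA
	default:
		return "other: " + err.Error()
	}
}

// MakeDemoChain builds a constructed two-certificate chain in memory whose
// issuer deliberately omits basicConstraints. Hostnames are placeholders.
func MakeDemoChain() (leaf, issuer *x509.Certificate, err error) {
	issuerKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	leafKey, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	now := time.Now()
	issuerTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "demo-issuer.invalid"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageCertSign,
		// BasicConstraintsValid is left false on purpose, so Go writes no
		// basicConstraints extension at all (the situation in the bug).
	}
	issuerDER, err := x509.CreateCertificate(rand.Reader, issuerTmpl, issuerTmpl, &issuerKey.PublicKey, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	issuer, err = x509.ParseCertificate(issuerDER)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "demo-server.invalid"},
		DNSNames:     []string{"demo-server.invalid"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// The leaf is signed by the non-CA issuer's key; the signature itself is fine.
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, issuer, &leafKey.PublicKey, issuerKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	return leaf, issuer, err
}

func main() {
	leaf, issuer, err := MakeDemoChain()
	if err != nil {
		panic(err)
	}
	ok, why := IssuerMayIssue(issuer)
	fmt.Printf("issuer may sign certificates: %v (%s)\n", ok, why)
	fmt.Println("classification:", ClassifyFailure(leaf, issuer))
}
```

Run it with `go run .`; the issuer is reported as unable to sign and the chain is classified as `issuer-not-ca`, the class that a browser should never expose to a user-added exception, whichever check happens to run first.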
Sounds like this is expected then and working as intended on newer channels.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID