Closed Bug 1063945 Opened 10 years ago Closed 10 years ago

Firefox 31/32: Cannot override bad cert of old router

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Version:
32 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1063315

People

(Reporter: KaiE, Unassigned)

Details

(Keywords: regression)

Attachments

(2 files)

certificate PEM
1.51 KB, text/plain
Details
certificate text dump
4.15 KB, text/plain
Details 
I have a DSL router, which I had stored in my shelf as a backup device. I don't need it anymore, so I want to connect to it, reset its connection, in order to sell it.

When connecting to the router's web interface, Firefox 31 and 32 don't allow me to connect. They report SEC_ERROR_CA_CERT_INVALID, no override is offered.

It's a sha1 based signature, 1024bit cert, expired in 2013, issued by verisign.

However weak it is, I think Firefox should allow me to override, if I deliberately decide to do so.

(I was able to override and continue the connection using another browser.)
(In reply to Kai Engert (:kaie) from comment #0)
> ... so I want to connect to it, reset its connection

typo: I want to reset its configuration.
I notice that there is a delay before Firefox gives up and shows the error page.

In my scenario, the computer is connected directly to the router, and doesn't have any other Internet connectivity (because the purpose is to configure the router...).

Does Firefox attempt to connect to the outside world, maybe for OCSP, and fails because of that?
Can you also test some old FF version? I saw this bug on FF3.0 or so when reverse DNS record of the site does not exist...
Kai: the network console in the developer tools (Ctrl-Shift-I) will at least show you if Firefox is attempting an OCSP request.

In general, I think that introducing mozilla::pkix should not change particular errors from one class of UI presentation to another; if we want to make changes in that area, we should make them intentionally, not as a side effect. So if this worked before, I'd say this is a bug.

Gerv
Unfortunately I had to give the router away, because the auction had already ended...
I have saved a copy of the certificate that was saved by the router.

Unfortunately I currently cannot reproduce. I tried to create equivalent certificates, but for my own test certificates, Firefox always allows to override.

So we need to figure out which property actually triggeres this specific failure...
Attached file certificate PEM 

    
    

    
  

      
      
      
      

        Attached file
          
        certificate text dump
      

    


  

    
    

    
  
Ok, luckily bug 1063315 contains an URL to a site that shows this issue.

I'm able to add an override with ff 24, so it's clearly a regression.
Keywords: regression

    
  
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: