Remove Import button in Server Certificates tab (or add option to edit trust)
Categories: Core :: Security: PSM, defect

Tracking:

| | Tracking | Status |
|---|---|---|
| firefox47 | --- | fixed |
People: Reporter: hrosik, Assigned: Cykesiopka
Details: Keywords: addon-compat
Attachments (2 files, 2 obsolete files):
4.78 KB, patch, Cykesiopka: review+
9.60 KB, patch, Cykesiopka: review+
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:29.0) Gecko/20100101 Firefox/29.0 SeaMonkey/2.26
Build ID: 20140505221916

Steps to reproduce:
Go to a server for which there is no trust chain.
Add an exception.
Export the server certificate.
Delete the server certificate.
Import the previously exported server certificate.

Actual results:
The "server" field in the certificate list changes from the hostname under which it was added as an exception to "*", but the certificate is not trusted and the trust can't be edited from the UI.

While I understand that it is a Bad Idea (TM) to blindly trust, for example, the Subject or Subject Alternative Name fields on an imported certificate (or even accepting it for the wildcard "*" hostname with which it gets imported), it doesn't seem to make much sense to have an Import button when the import actually doesn't effectively do anything. It seems as if the "Import" button should be removed or a UI for editing server certificate trust added.
Comment 1 • 8 years ago

Yes, the import button is pretty much useless now.
Comment 2 • 8 years ago

Comment on attachment 8715642 [details] [diff] [review]
bug1064402_rm-import-btn-certmgr-servers-tab_v1.patch

Review of attachment 8715642 [details] [diff] [review]:

Good call. I think we can go further, though. This is the only code that calls nsNSSCertificateDB::ImportCertsFromFile with nsIX509Cert::SERVER_CERT as the type of certificate, which is the only way nsNSSCertificateDB::ImportServerCertificate (aka nsIX509CertDB.importServerCertificate) gets called, so we can remove all of that server cert-specific code.
Comment 4 • 8 years ago

Comment on attachment 8716153 [details] [diff] [review]
bug1064402_part2_rm-nsIX509CertDB-import-server-cert-support_v1.patch

Review of attachment 8716153 [details] [diff] [review]:

Awesome!

::: security/manager/ssl/nsNSSCertificateDB.cpp
@@ -711,5 @@
> - nsrv = NS_ERROR_FAILURE;
> - goto loser;
> - }
> -
> - trust.SetValidServerPeer();

Looks like we can also remove nsNSSCertTrust::SetValidServerPeer().
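Review bot: the `@@ -711,5 @@` hunk quoted above is shown as deletions only, with no surrounding context, so it is not visible from the quoted lines whether the `loser:` label that `goto loser;` jumps to and the `trust` object whose `SetValidServerPeer()` call is removed are deleted along with these five lines; if nsNSSCertificateDB::ImportServerCertificate is removed as a whole (as comment 2 proposes) that is fine, otherwise the patch leaves an orphaned label and an unused nsNSSCertTrust that the compiler will warn about. Dropping nsNSSCertTrust::SetValidServerPeer() too, as suggested, is consistent with this being its last caller, and the removal is a net reduction of the code paths that can write trust flags for a server certificate.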
Comment 6 • 8 years ago

Thanks for the review!

(In reply to David Keeler [:keeler] (use needinfo?) from comment #5)
> Looks like we can also remove nsNSSCertTrust::SetValidServerPeer().

Done.
Comment 7 • 8 years ago

+ Mention Bug 1202636 in commit message as another reason why the import functionality should go away.
Comment 8 • 8 years ago

+ Remove nsNSSCertTrust::SetValidServerPeer() as well
Comment 9 • 8 years ago

https://treeherder.mozilla.org/#/jobs?repo=try&revision=aa205b7be666
Comment 10 • 8 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/2d3ec6c8bfe4
https://hg.mozilla.org/integration/mozilla-inbound/rev/1bde49e1fb13
Comment 11 • 8 years ago (bugherder)

https://hg.mozilla.org/mozilla-central/rev/2d3ec6c8bfe4
https://hg.mozilla.org/mozilla-central/rev/1bde49e1fb13
Comment 12 • 8 years ago

Part 2 affects addon compat by removing nsIX509CertDB.importServerCertificate() and nsIX509Cert::SERVER_CERT support in nsIX509CertDB.importCertsFromFile(). The same effect can probably be achieved by using nsIX509CertDB.addCert() instead.
Comment 13 • 8 years ago

So this breaks the CCK2. We had specific requests from enterprises to import server certificates, so we use this API in the CCK2. I don't believe addCert imports a server certificate specifically, does it? It just adds a generic certificate. I honestly didn't know exactly what I was adding, I just know people said "please support server certificates" and I did using this API. Can someone explain what a server certificate is and how it differs from a regular certificate?
Comment 14 • 8 years ago

Generally, I think a "server certificate" is the end-entity certificate presented by a server in a TLS handshake. It may be that it used to be possible in Firefox to trust a server certificate as its own trust anchor (that is, when validating it, it wouldn't be necessary to find a trusted certificate that issued that certificate). However, this is not currently possible. What you can do instead is use nsICertOverrideService to add an override for a given host and certificate (and port, and expected error bits - see https://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/nsICertOverrideService.idl).
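The override approach described in comment 14, as an added example that is not code from this bug, from Firefox or from CCK2. The nsICertOverrideService object is passed in as a parameter so the logic can run outside Firefox (in privileged chrome code it comes from `Cc["@mozilla.org/security/certoverride;1"]`); the host, port and certificate object used in the comments are constructed placeholders, and the `ERROR_*` values are the constants declared on the interface.

```javascript
// Added example, not code from this bug, from Firefox or from CCK2: replace a
// "server certificate import" with a host-scoped override, as comment 14 suggests.
// The nsICertOverrideService object is passed in so the logic runs outside Firefox;
// in privileged chrome code it would come from
//   Cc["@mozilla.org/security/certoverride;1"].getService(Ci.nsICertOverrideService)

// Override bits, as declared on nsICertOverrideService in nsICertOverrideService.idl.
const ERROR_UNTRUSTED = 1; // issuer not trusted (self-signed or unknown internal CA)
const ERROR_MISMATCH = 2;  // hostname is not among the certificate's names
const ERROR_TIME = 4;      // certificate expired or not yet valid

// Translate the errors an administrator has actually verified for a host into
// override bits. Unknown names are rejected instead of being widened into
// "accept everything", and an empty set is an error rather than a silent no-op.
function overrideBitsFor(errors) {
  const table = { untrusted: ERROR_UNTRUSTED, mismatch: ERROR_MISMATCH, time: ERROR_TIME };
  let bits = 0;
  for (const e of errors) {
    if (!Object.prototype.hasOwnProperty.call(table, e)) {
      throw new Error(`unknown certificate error: ${e}`);
    }
    bits |= table[e];
  }
  if (bits === 0) throw new Error("an override must name at least one error to accept");
  return bits;
}

// Record an override for one concrete host:port and one certificate (overrides
// are keyed by host, port and certificate fingerprint, which is why the "*"
// that the old import produced is refused here). An existing override that
// already covers the requested bits is left alone. Returns the bits in effect.
function addServerOverride(certOverrideService, host, port, cert, errors) {
  if (typeof host !== "string" || host === "" || host.includes("*")) {
    throw new Error("override needs a concrete hostname, not a wildcard");
  }
  if (!Number.isInteger(port) || port < 1 || port > 65535) {
    throw new Error(`invalid port: ${port}`);
  }
  const wanted = overrideBitsFor(errors);
  const existingBits = {}, isTemporary = {}; // XPCOM out-parameters
  if (certOverrideService.hasMatchingOverride(host, port, cert, existingBits, isTemporary)
      && (existingBits.value & wanted) === wanted) {
    return existingBits.value;
  }
  // aTemporary=false persists the entry (cert_override.txt in the profile).
  certOverrideService.rememberValidityOverride(host, port, cert, wanted, false);
  return wanted;
}
```

Because an override is scoped to one host, port and certificate, replacing a certificate on the server invalidates the entry, which is the behaviour the removed "*" import could not give.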
Comment 15 • 8 years ago

(In reply to David Keeler [:keeler] (use needinfo?) from comment #14)
> Generally, I think a "server certificate" is the end-entity certificate
> presented by a server in a TLS handshake. It may be that it used to be
> possible in Firefox to trust a server certificate as its own trust anchor
> (that is, when validating it, it wouldn't be necessary to find a trusted
> certificate that issued that certificate). However, this is not currently
> possible. What you can do instead is use nsICertOverrideService to add an
> override for a given host and certificate (and port, and expected error bits
> - see
> https://dxr.mozilla.org/mozilla-central/source/security/manager/ssl/nsICertOverrideService.idl ).

So given that I already support overrides for specific domains (using the cert override mechanism), it sounds like I should probably just remove support for server certs since they don't work anyway. Thanks for the clarification.
Comment 16 • 5 years ago

I would like to import some server certificates. Since the button has been removed: What is the intended way to do that?
Comment 17 • 5 years ago

You can use certutil, but I guess my question would be what effect are you hoping this will have?
Comment 18 • 5 years ago

Well, I got a new laptop and I wanted to export the certificates I had manually trusted to import them again and thus carry over the trust.
Comment 19 • 5 years ago

Hmm - that probably won't work. Maybe copy over the files cert9.db and cert_override.txt from your old profile to the new one? Or maybe I'm misunderstanding. Are these root certificates that you're trying to trust? You should just be able to import them in the "Authorities" tab.
Comment 20 • 5 years ago

No, these are just individual servers with usually self-signed certs or from organizations with internal CAs which I don't have. Maybe copying some of the cert files would work but it's not a huge deal anyway. I was just wondering if there was some other easy way to import them but if there isn't then I'm not going to bother. :)