Closed Bug 1076329 Opened 8 years ago Closed 7 years ago

sec_error_unknown_issuer for site signed with imported CA certificate

Categories

(Core :: Security, defect, P5)

All
Android
defect

Tracking

()

RESOLVED FIXED
mozilla38
Tracking Status
firefox38 --- fixed
fennec + ---

People

(Reporter: will, Assigned: keeler)

References

Details

Attachments

(1 file)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:32.0) Gecko/20100101 Firefox/32.0
Build ID: 20140924083558

Steps to reproduce:

* Imported my personal CA root cert (http://ca.hhome.me/root.cert.pem) into the browser
* Checked 'Trust to identify websites', 'Trust to identified email users' and 'Trust to identify software developers' and clicked 'OK'
* Visited a web site with an SSL certificate signed by this CA (https://weave.hhome.me/)

* Importing the same CA cert into desktop Firefox (also v32) works as expected
* Adding the CA cert to the Android system store allows Chrome to connect as expected
* Android device is a Nexus 7 (2013 - 'flo'), running Android 4.4.4 (Cyanogenmod 11M10)
* Same issue with Firefox Beta via Google Play
* Output of openssl s_client follows:
[williamh@chch-williamh certs]$ openssl s_client -CAfile ./root.cert.pem -connect weave.hhome.me:443 -servername weave.hhome.me                                                                                                                                                                 [11/1910]
CONNECTED(00000003)
depth=2 C = NZ, L = Christchurch, O = Will Hughes, CN = Personal Root Authority, emailAddress = admin@hhome.me
verify return:1
depth=1 C = NZ, O = Will Hughes, CN = Web Server Authentication Authority, emailAddress = admin@hhome.me
verify return:1
depth=0 CN = weave.hhome.me
verify return:1
---
Certificate chain
 0 s:/CN=weave.hhome.me
   i:/C=NZ/O=Will Hughes/CN=Web Server Authentication Authority/emailAddress=admin@hhome.me
 1 s:/C=NZ/O=Will Hughes/CN=Web Server Authentication Authority/emailAddress=admin@hhome.me
   i:/C=NZ/L=Christchurch/O=Will Hughes/CN=Personal Root Authority/emailAddress=admin@hhome.me
---
Server certificate
-----BEGIN CERTIFICATE-----
MIIFszCCA5ugAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwcDELMAkGA1UEBhMCTlox
FDASBgNVBAoMC1dpbGwgSHVnaGVzMSwwKgYDVQQDDCNXZWIgU2VydmVyIEF1dGhl
bnRpY2F0aW9uIEF1dGhvcml0eTEdMBsGCSqGSIb3DQEJARYOYWRtaW5AaGhvbWUu
bWUwHhcNMTQwOTMwMDIyNzM1WhcNMTUwOTMwMDIyNzM1WjAZMRcwFQYDVQQDDA53
ZWF2ZS5oaG9tZS5tZTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALXr
ahFEBiUJ0U9+vGrV3MVE05ol/tXW8i61LIuYfhZnfXgxSJ3FGUDOk7EoX8PYoZtX
Fz9jL+RooU2tK/6SVtAPiVYGPfBj32fwUnOLg4YXWAUd5xMI9eZ7vj99vNR+DlEK
cvjEn/sKzynsq9ANjrtTAjmpuLrPCKkGlQarbYg4uRSnZIoXoyRZKuGw5ahH5gVW
fbJdR161VQigoaTFQ4OH3yy/GiQINAcjamWGWLFJee/o8MuEJs6gbtAX3N3+7Ydf
Rk9gr6R8D5W334SItA5SS7a8apKv0Fxkfo0SdElP8Cm4N6ptRiJTWhPgVX3HxMJc
5zY2vsFYkcLTgufgO8H+bImgSp4TU78Hb3CcLXeAOFhe++FAJrYa1UJANO6Iik9m
8Nt7/WHkL3zpOWcaM4JSO6tshl54wrJnHW8xSY4Kyi4+jDNjkn+q1yhJPGBOIMqI
YjHTYye+HD5CN64MopkIBHzLpheOt79v5uF/E2ukRTNzRfhMjuR6+25PT8Us0nZJ
5rP/BPyaQgv845JjHH9qZ5ZdeUsUP2DleuJdMDlfbOj39EcYMhYUstEPDmw/Q9Oa
Wr4ve06x2CLK3SGdlTzYfhE3fzsamCmjsCnubFNge3NPu8Xz57AgZN9f9+cxYK4/
COHua9OFiTPhprlH/Az+fExT0fAwpvECeTBvmzQJAgMBAAGjga0wgaowCQYDVR0T
BAIwADAsBglghkgBhvhCAQ0EHxYdT3BlblNTTCBHZW5lcmF0ZWQgQ2VydGlmaWNh
dGUwHQYDVR0OBBYEFIWkOIsq7spBHrJME1szlPgF9QdzMB8GA1UdIwQYMBaAFC4q
CUwnvb3GlNsH4hc1KA2mAFa8MC8GA1UdHwQoMCYwJKAioCCGHmh0dHA6Ly9jYS5o
aG9tZS5tZS93ZWIvY3JsLnBlbTANBgkqhkiG9w0BAQsFAAOCAgEAiSf/494wfdom
Uim+nSiKYPlS+B+iv5VVq+tUo2ZBBiy4i23zyHjGXCeM47iROttzsCVceklHiizA
xZ5slUUPyMysJHXqhNJOAcN1cW/JgeF7a/F188myKF7+2Egubnz2YxdxLHJQEXK/
83+vxL4cS77AlL6jn043nDyW2SnnnsAtq5+cokeDvKbZbaI+c27u8ORojqi2DOx8
45Mu6Kn2YKtSeoWprz8hcXMhyNIdr3Dp6TPBIyikZUxtaMaeIrJ6wc5P86wrjhJq
yGqBv76t2CN2Cwy7VPa7poOB9/mh2kfDDwsFpk3WIeWp/v5bN6ElW4QnmIW0fdIr
vMukjRCKxd41vwpPO9DK7cU7YVukqZxheerOjSra1IaJ1EQbZ3iWiGr8fUWbORkG
kM5ujCUNuEtA4I+jGtddlMa38ILGYXPlKzEzV9F8JlHamne7AL9V/Ns367A6oaI7
njFdHm0/14bwxJOSOlgbN7fD/eRHLGsn3qb5HPwIy4rohpMIy6DWA+OPWtA4igIY
YsXpXAJxGGJmb4uNiCctQuiwGpOUmGaFwpKzH79S2aT62mlehNjDdUoobagABXFk
8/Lp7c6saaMQBog991nmin8AMxx+Xp7MNc7EfOeNBlPDNpgV9r3OeZxckinQODq7
PpYeObKNCmpYD1WLCqLLK0+EMGhiRGM=
-----END CERTIFICATE-----
subject=/CN=weave.hhome.me
issuer=/C=NZ/O=Will Hughes/CN=Web Server Authentication Authority/emailAddress=admin@hhome.me
---
No client certificate CA names sent
---
SSL handshake has read 3952 bytes and written 454 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES256-GCM-SHA384
    Session-ID: D68EC1A867E151941AA84B93297ABF28538C6747BE476C58C2216B0BCAC88499
    Session-ID-ctx: 
    Master-Key: BEAE548151B1BE7CFE3E914D78FB2007E4665544E84D39C4D8BB240A05B83FE8BC72E61983C836A141B2F3E68C286542
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 300 (seconds)
    TLS session ticket:
    0000 - 8c 10 e7 bb ba db 2f ca-9e 10 97 57 b9 75 0b 55   ....../....W.u.U
    0010 - 3d bb ca d5 d1 2b 59 09-49 4d 87 19 8c 7d 1b 1d   =....+Y.IM...}..
    0020 - 4a 65 b6 05 99 a2 68 29-55 1f 68 94 70 1e 5f f1   Je....h)U.h.p._.
    0030 - 77 5b 8b 50 b3 12 aa 19-09 31 9d 9a 67 60 a3 a8   w[.P.....1..g`..
    0040 - 03 66 9a c6 03 aa c4 94-1e b3 17 ab b0 89 18 00   .f..............
    0050 - e7 fc 06 f1 0f 8b f9 3d-e1 45 d9 df 6d 0e eb b5   .......=.E..m...
    0060 - be a9 d2 20 16 99 07 18-a7 bd dc ef 01 a4 48 33   ... ..........H3
    0070 - ad 81 df 42 b2 55 f3 71-53 ea d4 92 00 08 aa b5   ...B.U.qS.......
    0080 - 51 fe 89 03 74 6f a8 68-a7 7c 2b 08 af 06 28 5e   Q...to.h.|+...(^
    0090 - a8 60 40 89 fb 28 44 df-94 82 34 9a fe d3 6e 1b   .`@..(D...4...n.
    00a0 - 72 e3 10 fc 35 66 70 ff-63 2f 0e b4 b5 ab 71 ea   r...5fp.c/....q.
    00b0 - ef 3a 35 d9 eb c5 a0 b6-24 c3 f2 bc e4 46 26 af   .:5.....$....F&.

    Start Time: 1412203850
    Timeout   : 300 (sec)
    Verify return code: 0 (ok)
---



Actual results:

* Firefox presents the 'Untrusted connection' dialog with error 'sec_error_unknown_issuer'
* Attempting to use this server as a Firefox Sync server causes 'no peer certificate' errors in logcat


Expected results:

* Firefox should connect to the site without error
Component: General → Security
Product: Firefox for Android → Core
Version: Firefox 32 → unspecified
Status: UNCONFIRMED → NEW
tracking-fennec: --- → ?
Ever confirmed: true
If I understand the issue correctly, the problem is that Firefox on Android doesn't consult the Android certificate db when validating certificates. One way to approach this would be to have Firefox also consult the Android certificate db. This ends up trusting many more certificate authorities than on Desktop. Another approach would be to add some UI to the browser so certificates can be imported/trusted/distrusted in Firefox itself (see also bug 795767).
OS: Linux → Android
Hardware: x86_64 → All
David: This is mostly correct, however Firefox on Android *does* have a mechanism for importing a CA certificate (try opening http://ca.hhome.me/root.cert.pem with Firefox on Android). Firefox will show a dialog offering to import the certificate in the same way it does in the desktop browser, however it doesn't seem to actually do anything with this certificate once it is actually imported. http://www.jethrocarr.com/2013/05/17/firefox-mobile-for-android-cas/ suggests that at one point it did check these certificates
N.B., ignore the Sync half of this. Sync uses only the Android-side cert mechanism. It doesn't touch Gecko at all. If visiting the page works in Chrome, it should work as a Sync server.
The behavior here is different in Firefox for Android and desktop Firefox. Firefox desktop accepts the cert Firefox for Android does not. Who is doing the correct thing here?
Flags: needinfo?(rlb)
Flags: needinfo?(dougt)
(In reply to Richard Newman [:rnewman] from comment #3)
> N.B., ignore the Sync half of this. Sync uses only the Android-side cert
> mechanism. It doesn't touch Gecko at all. If visiting the page works in
> Chrome, it should work as a Sync server.

Opening the sync server in Chrome on Android does work (after importing the root certificate into the system store), but produces the following log when trying to sync to it:

I/FxAccounts( 9023): firefox_beta :: FirefoxAccounts :: Requesting sync.
I/FxAccounts( 9023): firefox_beta :: FirefoxAccounts :: Sync hints; scheduling now: true; ignoring local rate limit: true; ignoring remote server backoff: true.
I/FxAccounts( 9023): firefox_beta :: FxAccountSyncAdapter :: Syncing FxAccount account named like XXXX@XXXXXXXXXX.XXXX for authority org.mozilla.firefox_beta.db.browser with instance org.mozilla.gecko.fxa.sync.FxAccountSyncAdapter@424da458.
I/FxAccounts( 9023): firefox_beta :: FirefoxAccounts :: Sync hints; scheduling now: true; ignoring local rate limit: true; ignoring remote server backoff: true.
I/FxAccounts( 9023): firefox_beta :: Utils :: Asked to sync 'clients, tabs' and to skip ''.
I/FxAccounts( 9023): firefox_beta :: FxAccountSyncAdapter :: Forced sync (rate): overruling remaining backoff of 17688ms.
I/FxAccounts( 9023): firefox_beta :: FxAccountSyncAdapter :: handleFinal: in Married
I/FxAccounts( 9023): firefox_beta :: AndroidFxAccount :: Moving account named like XXXX@XXXXXXXXXX.XXXX to state Married
I/FxAccounts( 9023): firefox_beta :: FxAccountNotificationManager :: State Married needs no action; cancelling any existing notification.
D/class ch.boye.httpclientandroidlib.impl.conn.DefaultClientConnection( 9023): Connection closed
D/class ch.boye.httpclientandroidlib.impl.conn.DefaultClientConnection( 9023): Connection shut down
D/class ch.boye.httpclientandroidlib.impl.conn.DefaultClientConnection( 9023): Connection closed
D/class ch.boye.httpclientandroidlib.impl.conn.DefaultClientConnection( 9023): Connection shut down
E/FxAccounts( 9023): firefox_beta :: FxAccountSyncAdapter :: Failed to get token.
E/FxAccounts( 9023): javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
E/FxAccounts( 9023):    at com.android.org.conscrypt.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:146)
E/FxAccounts( 9023):    at ch.boye.httpclientandroidlib.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
E/FxAccounts( 9023):    at ch.boye.httpclientandroidlib.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:397)
E/FxAccounts( 9023):    at ch.boye.httpclientandroidlib.impl.conn.DefaultClientConnectionOperator.openConnection$5238a6d6(DefaultClientConnectionOperator.java:148)
E/FxAccounts( 9023):    at ch.boye.httpclientandroidlib.impl.conn.AbstractPoolEntry.open$7c4f2834(AbstractPoolEntry.java:149)
E/FxAccounts( 9023):    at ch.boye.httpclientandroidlib.impl.conn.AbstractPooledConnAdapter.open$7c4f2834(AbstractPooledConnAdapter.java:121)
E/FxAccounts( 9023):    at ch.boye.httpclientandroidlib.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:573)
E/FxAccounts( 9023):    at ch.boye.httpclientandroidlib.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:425)
E/FxAccounts( 9023):    at ch.boye.httpclientandroidlib.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:818)
E/FxAccounts( 9023):    at org.mozilla.gecko.sync.net.BaseResource.execute(BaseResource.java:248)
E/FxAccounts( 9023):    at org.mozilla.gecko.sync.net.BaseResource.retryRequest(BaseResource.java:287)
E/FxAccounts( 9023):    at org.mozilla.gecko.sync.net.BaseResource.execute(BaseResource.java:258)
E/FxAccounts( 9023):    at org.mozilla.gecko.sync.net.BaseResource.go(BaseResource.java:315)
E/FxAccounts( 9023):    at org.mozilla.gecko.sync.net.BaseResource.get(BaseResource.java:321)
E/FxAccounts( 9023):    at org.mozilla.gecko.fxa.sync.FxAccountSyncAdapter.syncWithAssertion$7f7fa7c7(FxAccountSyncAdapter.java:422)
E/FxAccounts( 9023):    at org.mozilla.gecko.fxa.sync.FxAccountSyncAdapter$3.handleFinal(FxAccountSyncAdapter.java:603)
E/FxAccounts( 9023):    at org.mozilla.gecko.fxa.login.FxAccountLoginStateMachine.advance(FxAccountLoginStateMachine.java:78)
E/FxAccounts( 9023):    at org.mozilla.gecko.fxa.sync.FxAccountSyncAdapter.onPerformSync(FxAccountSyncAdapter.java:528)
E/FxAccounts( 9023):    at android.content.AbstractThreadedSyncAdapter$SyncThread.run(AbstractThreadedSyncAdapter.java:259)
W/FxAccounts( 9023): firefox_beta :: FxAccountSyncAdapter :: Global session failed.
E/FxAccounts( 9023): firefox_beta :: FxAccountSyncAdapter :: Got exception syncing.
E/FxAccounts( 9023): javax.net.ssl.SSLPeerUnverifiedException: No peer certificate
E/FxAccounts( 9023):    at com.android.org.conscrypt.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:146)
E/FxAccounts( 9023):    at ch.boye.httpclientandroidlib.conn.ssl.AbstractVerifier.verify(AbstractVerifier.java:128)
E/FxAccounts( 9023):    at ch.boye.httpclientandroidlib.conn.ssl.SSLSocketFactory.connectSocket(SSLSocketFactory.java:397)
E/FxAccounts( 9023):    at ch.boye.httpclientandroidlib.impl.conn.DefaultClientConnectionOperator.openConnection$5238a6d6(DefaultClientConnectionOperator.java:148)
E/FxAccounts( 9023):    at ch.boye.httpclientandroidlib.impl.conn.AbstractPoolEntry.open$7c4f2834(AbstractPoolEntry.java:149)
E/FxAccounts( 9023):    at ch.boye.httpclientandroidlib.impl.conn.AbstractPooledConnAdapter.open$7c4f2834(AbstractPooledConnAdapter.java:121)
E/FxAccounts( 9023):    at ch.boye.httpclientandroidlib.impl.client.DefaultRequestDirector.tryConnect(DefaultRequestDirector.java:573)
E/FxAccounts( 9023):    at ch.boye.httpclientandroidlib.impl.client.DefaultRequestDirector.execute(DefaultRequestDirector.java:425)
E/FxAccounts( 9023):    at ch.boye.httpclientandroidlib.impl.client.AbstractHttpClient.execute(AbstractHttpClient.java:818)
E/FxAccounts( 9023):    at org.mozilla.gecko.sync.net.BaseResource.execute(BaseResource.java:248)
E/FxAccounts( 9023):    at org.mozilla.gecko.sync.net.BaseResource.retryRequest(BaseResource.java:287)
E/FxAccounts( 9023):    at org.mozilla.gecko.sync.net.BaseResource.execute(BaseResource.java:258)
E/FxAccounts( 9023):    at org.mozilla.gecko.sync.net.BaseResource.go(BaseResource.java:315)
E/FxAccounts( 9023):    at org.mozilla.gecko.sync.net.BaseResource.get(BaseResource.java:321)
E/FxAccounts( 9023):    at org.mozilla.gecko.fxa.sync.FxAccountSyncAdapter.syncWithAssertion$7f7fa7c7(FxAccountSyncAdapter.java:422)
E/FxAccounts( 9023):    at org.mozilla.gecko.fxa.sync.FxAccountSyncAdapter$3.handleFinal(FxAccountSyncAdapter.java:603)
E/FxAccounts( 9023):    at org.mozilla.gecko.fxa.login.FxAccountLoginStateMachine.advance(FxAccountLoginStateMachine.java:78)
E/FxAccounts( 9023):    at org.mozilla.gecko.fxa.sync.FxAccountSyncAdapter.onPerformSync(FxAccountSyncAdapter.java:528)
E/FxAccounts( 9023):    at android.content.AbstractThreadedSyncAdapter$SyncThread.run(AbstractThreadedSyncAdapter.java:259)
I/FxAccounts( 9023): firefox_beta :: FxAccountSyncAdapter :: Syncing done.
D/SyncManager(  608): failed sync operation will@willhughes.name u0 (org.mozilla.firefox_beta_fxaccount), org.mozilla.firefox_beta.db.browser, USER, latestRunTime 71480967, reason: 10166, SyncResult: stats [ numIoExceptions: 1 numUpdates: 1]

Desktop browser can sync to it just fine after importing the root cert into the browsers store
Please spin any questions you have about Sync off into a separate bug in Android Background Services :: Android Sync.

I mentioned Sync here because it's a completely different issue, and I wanted to make sure it didn't lead you down the wrong trail when considering Gecko cert handling.

Most likely there's a cipher suite mismatch or you're not adding the cert into the Android cert store itself (the cert never making it past Chrome).
Kevin, it sounds like Firefox for Android isn't doing something correct when important a cert.  Not sure what kind of priority this bug is.  Is this a high priority at all?
Flags: needinfo?(dougt)
How did you import the certificate into Firefox for Android?  

1. Browse to a page and click "add permanent exception"
2. Android settings: Security / Trusted credentials
3. Sync from Desktop
4. Browse to a certificate and click to add it as a root

I just tested (1) by with https://weave.hhome.me/ and it worked.  (4) should work, but I'm not able to test it at the moment.

(2) and (3) will not work.  (2) will import the cert into Android, not Firefox, and as far as I know, Sync doesn't synchronize the root cert DBs.
Flags: needinfo?(rlb) → needinfo?(will)
(In reply to Richard Barnes [:rbarnes] from comment #8)

> (2) and (3) will not work.  (2) will import the cert into Android, not
> Firefox, and as far as I know, Sync doesn't synchronize the root cert DBs.

Sync does not sync certs with desktop, though it sounds like Will is trying to set up Sync, so that's putting the cart before the horse.

Sync also does not use any certs managed by the Firefox browser itself.

Your #2 -- the Android settings itself -- should allow Sync to work, according to reports.
(In reply to Richard Barnes [:rbarnes] from comment #8)
> How did you import the certificate into Firefox for Android?  
> 
> 1. Browse to a page and click "add permanent exception"
> 2. Android settings: Security / Trusted credentials
> 3. Sync from Desktop
> 4. Browse to a certificate and click to add it as a root
> 
> I just tested (1) by with https://weave.hhome.me/ and it worked.  (4) should
> work, but I'm not able to test it at the moment.
> 
> (2) and (3) will not work.  (2) will import the cert into Android, not
> Firefox, and as far as I know, Sync doesn't synchronize the root cert DBs.

I tried (4) which didn't work (still get sec_unknown_issuer), so I tried (2) to check that it wasn't an issue with the certs I was using or the server configuration, which allows Chrome to connect without errors or trust warning (but obviously has no effect on Firefox). Sync does not work after (2) (see stack trace in my comment above)
Flags: needinfo?(will)
tracking-fennec: ? → +
filter on [mass-p5]
Priority: -- → P5
Just wanted to clarify that I have tried adding my cacert to fennec-nightly and it also fails to work. I have tested the same cacert and site on ff-linux-33.1 and it works fine there.
I encountered the same problem when using method #4. To clarify:

I open Firefox for android 34.0.1. I type into the address bar “http://cacert.org/certs/root.crt” and press Enter. I get a popup window with three checkboxes for what purposes to trust; I check all three and tap OK. Loading appears to happen (progress bar crosses the screen), leaving a blank page afterwards. I then type “https://cacert.org/” and still get an untrusted connection warning with reason sec_error_unknown_issuer. I *think* the certificate has been imported properly, for two reasons. First, if I reopen “http://cacert.org/certs/root.crt”, this time I get a message saying the certificate authority is already installed. Second, I opened /data/data/org.mozilla.firefox/files/mozilla/myprofile/cert9.db in the sqlite3 command-line client and ran “select count(*) from nssPublic where a101 like '%cacert%';”; before the import attempt this returned zero, while afterwards it returned one, suggesting that the certificate is making its way into the database, it’s just being ignored after it gets in there.

As a side note, I do also have the same root added to my Android store for other purposes.
Duplicate of this bug: 1118129
Attached patch patchSplinter Review
What's going on here is that those values are booleans, not strings (and note that true != "true").
Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
Attachment #8561714 - Flags: review?(mbrubeck)
Attachment #8561714 - Flags: review?(mbrubeck) → review?(rnewman)
Comment on attachment 8561714 [details] [diff] [review]
patch

kats and mfinkle touched those lines in Bug 807606.
Attachment #8561714 - Flags: review?(rnewman)
Attachment #8561714 - Flags: review?(mark.finkle)
Attachment #8561714 - Flags: review?(bugmail.mozilla)
Comment on attachment 8561714 [details] [diff] [review]
patch

Yeah. Prompts code returns those as real booleans. Not sure if they always did, but they do now.
Attachment #8561714 - Flags: review?(mark.finkle)
Attachment #8561714 - Flags: review?(bugmail.mozilla)
Attachment #8561714 - Flags: review+
You probably know this, but this appears not to be fixed in version 35.0. I just tried the same procedure as documented in my comment 13 above, and there was no change in outcome.
(In reply to Christopher Head from comment #18)
> You probably know this, but this appears not to be fixed in version 35.0. I
> just tried the same procedure as documented in my comment 13 above, and
> there was no change in outcome.

A patch was just attached to this bug. It still needs to land, be tested in Nightly 38, and optionally be uplifted to Aurora 37 and Beta 36. It's unlikely to be fixed in a 35 point release.
https://hg.mozilla.org/mozilla-central/rev/e2fbc7f6ac3b
Status: ASSIGNED → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
Duplicate of this bug: 1138702
Duplicate of this bug: 1154872
Did this make it into stable releases?
(In reply to Michael Monreal [:monreal] from comment #24)
> Did this make it into stable releases?

It did - it made it into Firefox 38, which was released 2015-05-12.
Then the fix was no fix ;) I use ff 42.0 and I'm still concerned by this bug. Or do we need to reimport the certificates? This wouldn't possible, because ff says, the certificates are already imported...
You need to log in before you can comment on or make changes to this bug.