1113130 - Allow notBefore dates before the UNIX epoch

Status: RESOLVED WONTFIX

(Core :: Security: PSM, defect)

Description

[Aimar]

Attachment: charles-proxy-ssl-proxying-certificate.crt

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95 Safari/537.36

Steps to reproduce:

1. Install Charles Proxy (http://www.charlesproxy.com/download/)
2. Run Charles Proxy (IMPORTANT)
3. Setup Charles to proxy SSL connections (http://www.charlesproxy.com/documentation/proxying/ssl-proxying/)
3.1 (In charles) open Proxy > Proxy Settings... > SSL. In there mark "Enable SSL proxying" and add entries to the Locations panel. (*.mydomain.com)
4. Install Charles CA certificate in Firefox (with option "Trust this CA to identify websites"). I did this following the steps described in http://www.charlesproxy.com/documentation/using-charles/ssl-certificates/ to install Charles certificates into Firefox.
5. Opened "jira.mydomain.com" (notice that mydomain.com does not exist, is only an example).



Actual results:

Firefox shows "This Connection is Untrusted", and under Technical Details i can see "Error code: sec_error_expired_issuer_certificate".

The issuer certificate is the one provided by Charles Proxy, which I previously installed in Firefox. I'm attaching the Cert so you can verify how the cert is not expired (1899 to 2038).

As workarounds I tried:
* uninstalling the certificate and install it again manually. (didn't worked)
* installing the certificate i windows certificate storage as "Trusted Root Certification Authorities". (didn't worked)


It is working fine for Chrome and IE. Not for Firefox.

I had the same behaviour in other PCs.




Expected results:

1. Browser requests server SSL certificate.
2. Charles answers with its own fake certificate (since its Proxying the SSL connections for the given domain)
3. Browser verifies successfully that the cert was issued by the Charles Certification Authority (previously installed cert).
4. Loads the page normally (while allows its traffic to be monitored in Charles Proxy app)

Comment 1

[Dana Keeler (she/her) [:keeler]]

I thought there was a bug on this, but it turns out I was thinking of a discussion over email. Here's what I said:

This appears to be a consequence of the certificate having a "not
before" time of 1899. In the new implementation, we specifically
disallow everything before 1970 (the UNIX epoch). Since we're unlikely
to see a legitimate certificate with a time value before then, we're
unlikely to change this, so perhaps the best thing to do here would be
to tell Charles Proxy to re-generate their certificate with something a
little more reasonable.

(The "new implementation" here is mozilla::pkix, the new certificate verification library.)

Comment 2

[Alan Tam]

This is a CA cert installed on any OS and/or browser that wants to proxy traffic  through Charles Proxy. When Charles Proxy wants to access an SSL site, it clones the incoming SSL cert from the web server and signs this clone using the CA cert, so that users do not see SSL warning for every website they go to.

If Charles Proxy wants to migrate to a new CA cert, everyone needs to reinstall this new cert (to all their OS'es and/or browsers; not just Firefox). I expect this cert has been installed more than a million times among all Charles Proxy users, so this would be a huge migration project. Since this problem occurs only to Firefox and nowhere else, a more likely outcome is Charles Proxy doing nothing about this, and the affected users will move away to another browser.

Comment 3

[:Cykesiopka]

Thanks for filing the bug. Per Comment 1, we're unlikely to fix this.