Closed
Bug 1147202
Opened 10 years ago
Closed 10 years ago
sec_error_ca_cert_invalid cannot override...
Categories
(Firefox :: Security, defect)
RESOLVED
WORKSFORME
People
(Reporter: carlos, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Linux i686; rv:36.0) Gecko/20100101 Firefox/36.0
Build ID: 20150320202338
Steps to reproduce:
I just tried to open our internal company site...
Actual results:
An error occurred during a connection to sigma.ttk.pte.hu. Issuer certificate is invalid. (Error code: sec_error_ca_cert_invalid)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
(ff 36.0.4)
Expected results:
The browser may give me a hint how to override that.
Or the browser should know that I already visited that site and I accepted the privately generated ssl key...
Or the pki disabling in about config should work.
But none of the above!
The browser displays a dialog where I can "report" the site, but why can't I report that Firefox is silly? If I use Firefox I have to pay for an SSL key, and I can't use my own? Why? How can I buy SSL for private sites, or embedded devices?
This issue was resolved once, and now it's back.
This is a really BAD idea.
Comment 1•10 years ago
The URL must be https://sigma.ttk.pte.hu/
sigma.ttk.pte.hu doesn't show this error.
Using Firefox 36.0.4 de on Win XP I'm seeing the same error, using nightlies (aurora & comm-central)
I get the old error page,
This Connection is Untrusted
...
What Should I Do?
...
Take me to my home page instead
...
Technical Details
...
I Understand the risks
...
Add Exception
Maybe disabling this page has been the quick resolution to the security problem in ff 36.0.3
Status: UNCONFIRMED → NEW
Component: Untriaged → Security
Ever confirmed: true
OS: Linux → All
Comment 2•10 years ago (Reporter)
Yes, the url is https://sigma.ttk.pte.hu
sigma.ttk.pte.hu ( http://sigma.ttk.pte.hu ) is not valid,
the server's port 80 is closed....
How do you mean disabling the page? :)
Comment 3•10 years ago
In other versions of firefox (older & newer) you can click on 'I understand the risks', then get the warning: (here on seamonkey, similar on firefox aurora)
If you understand what's going on, you can tell SeaMonkey to start trusting this site's identification. Even if you trust the site, this error could mean that someone is tampering with your connection.
Don't add an exception unless you know there's a good reason why this site doesn't use trusted identification.
or on Aurora:
If you understand what's going on, you can tell Firefox Developer Edition to start trusting this site's identification. Even if you trust the site, this error could mean that someone is tampering with your connection.
Don't add an exception unless you know there's a good reason why this site doesn't use trusted identification.
And reading this warning or not, you can click 'Add exception...'
which opens a pop-up, where you can inform yourself of the details, and can allow this certificate for the session, or permanently.
This classical page has been changed, the option to add certificates has been removed.
But you still can import certificates using the certificates manager:
Open tools -> options -> advanced -> certificates -> View Certificates
(on linux tools -> options maybe edit->preferences)
Comment 4•10 years ago
Please try again with Firefox 37 (currently beta: https://www.mozilla.org/en-US/firefox/channel/ ). Bug 1138332 should have fixed this issue.
Comment 5•10 years ago (Reporter)
(In reply to Hermann Schwab from comment #3)
Yes, I know the site, and I know that a man-in-the-middle attack can cause dialogs like that, but that's not the case here.
1. I have no problems with this in seamonkey (I don't know if that browser is up to date anyway), or in older firefox, but in my current browser there is no dialog, that's the problem.
2. There's only 3 good reason why not use "trusted identification":
a) the site is really private and you don't want to inform any CA about its existence.
b) the site has a locally available domain name, and is used in private net space (like 192.168.10. ...), so you can't get a signed cert - no CA will provide any.
c) you have no money for the cert. ( my situation )
3. In the certificate manager I still have sigma.ttk.pte.hu:443 in the servers category with permanent lifetime (because I already accepted the unofficial cert, when the browser was able to display a dialog for me), so I don't know, should I delete it and re-add it? If this is the case I should recheck the cert, etc., and yes, I am not protected against man-in-the-middle attacks now (if the browser would honour my previously accepted cert I would be... because after the first accept I have nearly the same security level as with official certs).
Theoretically, how about using another site's cert? Will Firefox display a dialog saying that it's not for this site, but I can accept it because the cert itself is signed and valid?
By the way, another odd behavior is that I had a site with a generated private cert, signed by our generated CA cert, which was imported into the browser. However, that site is for public, so after the test phase we bought a cert for it. And my firefox happily accepted the new cert without any warning.
BUT the old cert was not revoked by me, and it was valid in time. So if the NSA, or any root CA, generates a new valid cert for my site and installs it on a server, and makes a man-in-the-middle attack, I will be hacked... so Firefox is not safe in this behaviour, but it's annoying that presently I can't access a site with this version.
(In reply to David Keeler from comment #4)
Keeler, ok, I'll test the beta version...
Comment 6•10 years ago
(In reply to Harka Győző from comment #5)
> (In reply to Hermann Schwab from comment #3)
>
> Yes, I know the site, and I know that a man in the middle attack can couse
> dialogs like that, but that's not this case.
> 1. I have no problems with this in seamonkey (I don't know if that browser
> is up to date anyway), or in older firefox, but in my current browser there
> is no dialog, that's the problem.
I confirmed seeing this bug in the current release 36.0.4 of Firefox, and tested developer versions of Firefox; I didn't see the bug in Aurora or mozilla-central (about:support):
Firefox, Version 38.0a2, Build ID 20150325004010
Firefox, Version 39.0a1, Build ID 20150325030206
After accepting the certificate at my own risk (without looking) I searched for this certificate in the certificate manager and was warned by a bold line that this certificate could not be verified because it uses an insecure algorithm.
Looking at 'Details' I found: PKCS #1 MD5 With RSA Encryption
> 2. There's only 3 good reason why not use "trusted identification":
not (technically) relevant for this bug
> 3. In the certificate manager I still have the sigma.ttk.pte.hu:443 in the
> servers category with permanent lifetime
I used mozilla central (39.0a1) to add the cert, see the site, and export the cert.
After importing the certificate in 36.0.4, I could see the cert in cert-manager, but loading the website still fails, because the cert is not trusted.
So adding a cert in this version of firefox is useless, if it uses an outdated, insecure algorithm.
You can add the cert, but it doesn't work.
Comment 7•10 years ago (Reporter)
Another form of the error occurred now... I was upgrading an old iLO firmware in an HP server, and after the firmware upgrade I received this:
Secure Connection Failed
An error occurred during a connection to 192.168.X.Y. You have received an invalid certificate. Please contact the server administrator or email correspondent and give them the following information: Your certificate contains the same serial number as another certificate issued by the certificate authority. Please get a new certificate containing a unique serial number. (Error code: sec_error_reused_issuer_and_serial)
The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.
So this is not exactly the same error... should I open a new bug?
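Comment 6 found that the site's certificate was signed with MD5-with-RSA, and comment 7 hit a second non-overridable error, a certificate reusing an issuer's serial number. The following is an added example, not code from this bug report or from Mozilla: a standard-library-only DER walker that reads the signature algorithm, issuer and serial from X.509 certificates and flags both conditions. The sample certificates it builds are constructed, truncated after the issuer name and carry a dummy signature, so they only exercise this parser.

```python
# Added example, not code from the bug report: a stdlib-only DER walker that reads
# signature algorithm, issuer and serial from X.509 certificates and flags the two
# conditions in this thread (MD5-with-RSA, comment 6; reused issuer+serial, comment 7).
def tlv(b, i=0):                        # DER TLV at offset i -> (tag, value, next offset)
    tag, n, j = b[i], b[i + 1], i + 2
    if n & 0x80:                        # long-form length, as real certificates use
        k = n & 0x7F
        n, j = int.from_bytes(b[j:j + k], "big"), j + k
    return tag, b[j:j + n], j + n

def children(b):                        # (tag, value) pairs inside a constructed value
    out, i = [], 0
    while i < len(b):
        t, v, i = tlv(b, i)
        out.append((t, v))
    return out

# Signature-algorithm OIDs as DER content bytes (1.2.840.113549.1.1.4 and .11).
MD5_RSA = bytes.fromhex("2a864886f70d010104")
SHA256_RSA = bytes.fromhex("2a864886f70d01010b")
WEAK = {MD5_RSA: "md5WithRSAEncryption"}

def inspect_cert(cert):
    """Return (serial, issuer DER, signature-algorithm OID bytes) of a DER certificate."""
    (_, tbs), (_, sig_alg) = children(tlv(cert)[1])[:2]
    fields = children(tbs)
    if fields[0][0] == 0xA0:            # skip the explicit [0] version field
        fields = fields[1:]
    serial = int.from_bytes(fields[0][1], "big", signed=True)
    return serial, fields[2][1], children(sig_alg)[0][1]

def audit(certs):
    """Report what Firefox refused to override in this thread: weak signature, reused serial."""
    findings, seen = [], set()
    for c in certs:
        serial, issuer, oid = inspect_cert(c)
        if oid in WEAK:
            findings.append(("weak_signature", WEAK[oid], serial))
        if (issuer, serial) in seen:
            findings.append(("reused_issuer_and_serial", serial))
        seen.add((issuer, serial))
    return findings

der = lambda tag, body: bytes([tag, len(body)]) + body   # short-form encoder for samples only
def sample_cert(serial, issuer_cn, alg_oid):
    """Constructed certificate: TBS truncated after the issuer name, dummy signature."""
    alg = der(0x30, der(0x06, alg_oid) + der(0x05, b""))
    cn = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, issuer_cn.encode()))
    tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, serial.to_bytes(2, "big"))
    tbs += alg + der(0x30, der(0x31, cn))
    return der(0x30, der(0x30, tbs) + alg + der(0x03, bytes(9)))
```

On a real DER file, `audit([open("site.der", "rb").read()])` runs the same checks; the issuer name is compared as raw DER bytes, so two certificates only collide when both issuer and serial match exactly.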
Comment 8•10 years ago
The sec_error_reused_issuer_and_serial issue is bug 435013.
Comment 9•10 years ago
Worksforme using Firefox 37.0.1
Mozilla/5.0 (Windows NT 5.1; rv:37.0) Gecko/20100101 Firefox/37.0
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → WORKSFORME
Comment 10•10 years ago (Reporter)
Oh, yes, sorry, there was no fix in time, so I changed the cert to another site's signed cert, and now it's working. The bug is not fixed, the site was.
Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---
Comment 11•10 years ago
(In reply to Harka Győző from comment #10)
> Oh, yes, sorry, there was no fix in time, so I changd the cert to another
> site's signed cert, and now it's working. The bug is not fixed, the site was.
So if you have fixed the site, I can't test the bug.
Please give us another URL for testing where we can see the bug.
You filed this bug about not being able to override the error message sec_error_ca_cert_invalid in Firefox 36.0.4.
In comment #3 I confirmed your bug seen on Firefox 36.0.4, I couldn't see it on newer (nightly) versions.
Using the original URL https://sigma.ttk.pte.hu/ today I'm getting the same old error: sec_error_ca_cert_invalid
and now using the current Firefox Release 37.0.1 or the current mozilla-central Nightly I can override it, so the bug is WORKSFORME. Maybe it has been fixed by the bug mentioned in comment #4.
If you want to reopen this bug again, give us a URL where you get sec_error_ca_cert_invalid and can't override this error message.
If you see another bug, file another bug.
If you want resolution FIXED, test some nightlies around the date mentioned in Bug 1138332 comment #36, and tell us the version where the bug was last seen and the first version where the bug seemed to be fixed.
I'm resolving this bug as WORKSFORME, as I did see the bug, confirmed it, and now this bug is WORKSFORME.
Status: REOPENED → RESOLVED
Closed: 10 years ago → 10 years ago
Resolution: --- → WORKSFORME