Closed Bug 1151641 Opened 9 years ago Closed 9 years ago

Cannot bypass SSL "sec_error_unknown_issuer" error when using hostname

Categories

(Core :: Security: PSM, defect)

37 Branch
x86
macOS
defect
Not set
normal

RESOLVED DUPLICATE of bug 1138273

People

(Reporter: 6mjjmugn96, Unassigned)

Details

Attachments

(1 file)

1.26 KB, application/x-x509-ca-certificate
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:37.0) Gecko/20100101 Firefox/37.0
Build ID: 20150402191859

Steps to reproduce:

I am accessing an internal web server with a self-signed certificate.  The device generates its own self-signed certificate and does not provide a way to use any other certificate.

The certificate's CN is the server's IP address and there is a Subject Alternative Name section that contains the IP as IP Address, DNS, and in a URI.  The hostname is not to be found in the certificate.  (The certificate is attached.)


Actual results:

As of v37.0, if I access the page using a hostname in the URL, nothing happens when I click the "Add Exception" button.

If I access it using the IP address in the URL, I am able to add an exception as I have been in the past.

When using the hostname, the "Technical Details" are:

An error occurred during a connection to <hostname>:215.
Peer's Certificate issuer is not recognized.
(Error code: sec_error_unknown_issuer)

When using the IP address, the "Technical Details" are:

192.168.0.235:215 uses an invalid security certificate.
The certificate is not trusted because it is self-signed.
(Error code: sec_error_unknown_issuer)


Expected results:

I should be able to add an exception by pressing the "Add Exception" button on the "Untrusted Connection" page regardless of what URL is used.

Through FF v36.0.4, I was able to do so.
Component: Untriaged → Security: PSM
Product: Firefox → Core
Thank you for the detailed report. This looks like the same root cause as bug 1138273. That certificate has an entry in the subject alternative name extension that specifies "DNSName:192.168.0.235", which is not valid. We'll probably end up allowing overrides for this sort of thing.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
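The invalid entry identified in the comment above (an IP address placed in a dNSName field) can be spotted by linting the certificate's subject alternative name list. The following is an added example, not code from the bug report or from Mozilla: it parses a SAN line in the text form printed by `openssl x509 -noout -text`, flags dNSName entries that are IP literals, and reports whether a reference identity taken from the URL matches by exact comparison (no wildcard handling). The SAN string, the URI value in it, and the hostname `nas.internal.example` are constructed for illustration.

```python
import ipaddress

# Constructed sample modelled on the report: the IP appears as IP Address,
# as DNS and inside a URI; no hostname is present. The URI value is assumed.
SAMPLE_SAN = "DNS:192.168.0.235, IP Address:192.168.0.235, URI:https://192.168.0.235:215/"


def is_ip_literal(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_san(san_text):
    """Split an openssl-style SAN line into (type, value) pairs."""
    entries = []
    for item in san_text.split(","):
        kind, _, value = item.strip().partition(":")
        if value:
            entries.append((kind.strip(), value.strip()))
    return entries


def lint_san(san_text, reference):
    """Return (findings, matched) for the host part of the URL (name or IP)."""
    findings, matched = [], False
    ref_is_ip = is_ip_literal(reference)
    for kind, value in parse_san(san_text):
        if kind == "DNS":
            if is_ip_literal(value):
                # dNSName must hold a DNS name; an IP belongs in iPAddress.
                findings.append(f"invalid dNSName (IP literal): {value}")
            elif not ref_is_ip and value.lower() == reference.lower():
                matched = True
        elif kind == "IP Address" and ref_is_ip and is_ip_literal(value):
            if ipaddress.ip_address(value) == ipaddress.ip_address(reference):
                matched = True
    return findings, matched


if __name__ == "__main__":
    for ref in ("nas.internal.example", "192.168.0.235"):
        print(ref, lint_san(SAMPLE_SAN, ref))
```

For the constructed input, both reference identities produce the same dNSName finding; only the IP address reference matches an entry.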