Closed Bug 1182742 Opened 9 years ago Closed 8 years ago

Can't connect to my wrt54gl anymore (ssl_error_weak_server_cert_key)

Categories: Core :: Security: PSM, defect
Type: defect
Priority: Not set
Severity: normal
Status: RESOLVED FIXED
Target Milestone: mozilla48
Tracking Status: firefox42 --- affected; firefox48 --- fixed
People: Reporter: hub, Assigned: keeler
Keywords: losing-users
Attachments: 1 file

With the new security restrictions, I can no longer connect to the admin interface of my WRT54GL.

> An error occurred during a connection to 172.18.2.1. The server certificate
> included a public key that was too weak. (Error code:
> ssl_error_weak_server_cert_key)

No chance to even go around this like it used to be (painfully).
This is the stock Linksys firmware v4.30.12.
Component: Networking → Security: PSM
Summary: Can't connect to my wrt54gl anymore → Can't connect to my wrt54gl anymore (ssl_error_weak_server_cert_key)
Daniel, do you know why this was designed to not allow override? I am in the same position as Hubert and have to switch to Google Chrome to access my router configuration because Firefox doesn't allow for exceptions.
Flags: needinfo?(dveditz)
I don't know. Given the usual long lifetime of that kind of hardware this could be a real problem -- far easier for users to switch free browsers than go out and buy another router!
Flags: needinfo?(dveditz) → needinfo?(dkeeler)
Tagged as losing-users as this pushes people to use another browser.
Keywords: losing-users
Seems we either could add override ability for all websites, or at least allow this to be overridden for local network addresses.
This is unfortunate, but as long as Chrome is going to let users do this, we should too. Luckily, as of bug 1009429, this is much easier to accomplish. I'll attach a patch shortly.
Assignee: nobody → dkeeler
Depends on: 1009429
Flags: needinfo?(dkeeler)
Key size enforcement for TLS certificates happens at two levels: PSM and NSS.
PSM enforces a minimum of 1024 bits. NSS enforces a minimum of 1023 bits by
default. The NSS error is not overridable, but the PSM error is. This change
allows users to connect to devices with small RSA keys (as little as 512 bits)
using the certificate error override functionality.

Review commit: https://reviewboard.mozilla.org/r/45575/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/45575/
Attachment #8740133 - Flags: review?(rlb)
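The commit message above describes two thresholds: PSM rejects RSA keys under 1024 bits (overridable after this patch), NSS rejects keys under 1023 bits by default (not overridable), and the patch is meant to let users override down to 512-bit keys. The block below is an added example, not code from the patch or from Firefox: it pulls the RSA modulus size out of a DER SubjectPublicKeyInfo with a minimal ASN.1 walker and maps it onto those two thresholds. The sample moduli are constructed (a number with the top bit set, not a real product of primes); only the bit length matters here. The `hard_floor` parameter, and the idea of modelling the post-patch behaviour by lowering that floor to 512, are this example's assumptions, not a description of how the patch itself works.

```python
"""Classify RSA key sizes against the PSM (overridable) and NSS (hard) floors
named in bug 1182742. Added example; the thresholds come from the commit
message, everything else is this example's own construction."""

PSM_MIN_BITS = 1024          # PSM error, overridable via certificate exception
NSS_DEFAULT_MIN_BITS = 1023  # NSS default, error is not overridable
RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at pos -> (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def rsa_modulus_bits_from_spki(spki_der):
    """Return the modulus bit length of an RSA SubjectPublicKeyInfo (DER)."""
    tag, spki, _ = _read_tlv(spki_der, 0)
    if tag != 0x30:
        raise ValueError("SPKI must be a SEQUENCE")
    tag, alg, pos = _read_tlv(spki, 0)           # AlgorithmIdentifier
    _, oid, _ = _read_tlv(alg, 0)
    if tag != 0x30 or oid != RSA_OID:
        raise ValueError("not an rsaEncryption key")
    tag, bitstr, _ = _read_tlv(spki, pos)        # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or bitstr[0] != 0:
        raise ValueError("unexpected subjectPublicKey encoding")
    tag, rsapub, _ = _read_tlv(bitstr, 1)        # skip unused-bits byte
    tag, modulus, _ = _read_tlv(rsapub, 0)       # INTEGER n comes first
    if tag != 0x02:
        raise ValueError("RSAPublicKey.modulus missing")
    return int.from_bytes(modulus, "big").bit_length()


def classify_key(bits, hard_floor=NSS_DEFAULT_MIN_BITS):
    """Map a modulus size onto the outcomes the commit message describes.

    hard_floor is an assumption of this example: the size below which the
    connection fails with no override. With the NSS default (1023) a 512-bit
    key is rejected outright; with the floor at 512 it becomes overridable."""
    if bits < hard_floor:
        return "rejected"        # NSS error, user cannot add an exception
    if bits < PSM_MIN_BITS:
        return "overridable"     # PSM error, exception dialog available
    return "accepted"


def assess_spki(spki_der, hard_floor=NSS_DEFAULT_MIN_BITS):
    """Convenience wrapper: (modulus bits, verdict) for a DER SPKI."""
    bits = rsa_modulus_bits_from_spki(spki_der)
    return bits, classify_key(bits, hard_floor)


# --- Constructed sample keys (not real RSA moduli) for offline use ----------

def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _der_int(x):
    body = x.to_bytes(max(1, (x.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:               # keep INTEGER positive
        body = b"\x00" + body
    return _tlv(0x02, body)


def build_rsa_spki(modulus, exponent=65537):
    """Encode an RSA SubjectPublicKeyInfo; used only to build test input."""
    rsapub = _tlv(0x30, _der_int(modulus) + _der_int(exponent))
    alg = _tlv(0x30, _tlv(0x06, RSA_OID) + b"\x05\x00")   # NULL parameters
    return _tlv(0x30, alg + _tlv(0x03, b"\x00" + rsapub))


def fake_modulus(bits):
    """Odd number with exactly `bits` bits; constructed, not a real key."""
    return (1 << (bits - 1)) | 1


if __name__ == "__main__":
    for size in (512, 1022, 1023, 1024, 2048):
        spki = build_rsa_spki(fake_modulus(size))
        print(size, assess_spki(spki), assess_spki(spki, hard_floor=512))
```

To run this against a real device, extract its SubjectPublicKeyInfo with `openssl s_client -connect 172.18.2.1:443 </dev/null | openssl x509 -pubkey -noout`, base64-decode the PEM body and pass the bytes to `assess_spki`. The 1023-bit case is the interesting boundary: it passes the NSS default floor but fails PSM, so it is exactly the size that was already overridable before this patch.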
This is reasonable. Well, if we disregard the fact that anyone using keys of this size is asking to be pwned.
Right, but affected users are already adding overrides to access these devices, so it would probably be cheaper for an attacker to just pose as the device rather than factor its key.
Review ping?
Flags: needinfo?(rlb)
Comment on attachment 8740133 [details]
MozReview Request: bug 1182742 - allow users to override small key size errors r?rbarnes

https://reviewboard.mozilla.org/r/45575/#review44357
Attachment #8740133 - Flags: review?(rlb) → review+
😭

https://bugzilla.mozilla.org/show_bug.cgi?id=1265947
Flags: needinfo?(rlb)
Please, fix ASAP.
https://hg.mozilla.org/mozilla-central/rev/280b570936bb
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
This is not fixed. The latest Firefox (45.0.2) still can't connect to my own WiFi/LAN router inside my own home. The security tab of Firefox options dialog does not have a control for me to override this. Firefox's help site could not even find the error code (SSL_ERROR_WEAK_SERVER_CERT_KEY).

So there's no fix, no override, and no help. A bug is not resolved until its fix has been verified by QA (e.g. those who are affected). Please roll back the status until a patch has been released and verified. Until then, this issue should be "open - QA pending".

PS: I used to work in software QA, and I have some "free" time now between contracts, so I'd be willing to help more if I knew how to get involved.
Hi Jeffry - this is marked fixed with target version 48, and the status-firefox48 flag is marked fixed. So the expectation is that the changes are reflected there. If it were to be uplifted to < 48 you would see that reflected in the corresponding status flags.

48 is just about to become the dev channel (i.e. aurora).