Can't connect to my wrt54gl anymore (ssl_error_weak_server_cert_key)

RESOLVED FIXED in Firefox 48

Status: Core, Security: PSM; RESOLVED FIXED; 3 years ago; 2 years ago
People: Reporter: hub, Assigned: keeler
Tracking: losing-users; Trunk; mozilla48; Points: ---
Firefox Tracking Flags: firefox42 affected, firefox48 fixed

Details

Attachments

(1 attachment)

Description (Reporter)

3 years ago
With the new security restrictions, I can no longer connect to the admin interface of my WRT54GL.

> An error occurred during a connection to 172.18.2.1. The server certificate 
> included a public key that was too weak. (Error code: 
> ssl_error_weak_server_cert_key) 

No chance to even go around this like it used to be (painfully).

Comment 1 (Reporter)

3 years ago
This is the stock Linksys firmware v4.30.12
Component: Networking → Security: PSM
Summary: Can't connect to my wrt54gl anymore → Can't connect to my wrt54gl anymore (ssl_error_weak_server_cert_key)

Updated

3 years ago
Duplicate of this bug: 1219519
Daniel, do you know why this was designed to not allow override? I am in the same position as Hubert and have to switch to Google Chrome to access my router configuration because Firefox doesn't allow for exceptions.
Flags: needinfo?(dveditz)
I don't know. Given the usual long lifetime of that kind of hardware this could be a real problem -- far easier for users to switch free browsers than go out and buy another router!
Flags: needinfo?(dveditz) → needinfo?(dkeeler)
Tagged as losing-users as this pushes people to use another browser.
Keywords: losing-users
Seems we either could add override ability for all websites, or at least allow this to be overridden for local network addresses.
This is unfortunate, but as long as Chrome is going to let users do this, we should too. Luckily, as of bug 1009429, this is much easier to accomplish. I'll attach a patch shortly.
Assignee: nobody → dkeeler
Depends on: 1009429
Flags: needinfo?(dkeeler)
Created attachment 8740133 [details]
MozReview Request: bug 1182742 - allow users to override small key size errors r?rbarnes

Key size enforcement for TLS certificates happens at two levels: PSM and NSS.
PSM enforces a minimum of 1024 bits. NSS enforces a minimum of 1023 bits by
default. The NSS error is not overridable, but the PSM error is. This change
allows users to connect to devices with small RSA keys (as little as 512 bits)
using the certificate error override functionality.

Review commit: https://reviewboard.mozilla.org/r/45575/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/45575/
Attachment #8740133 - Flags: review?(rlb)
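
The size bands in the commit message above can be checked against a device's public key before deciding whether an override will be offered. The following is an added example, not part of the bug thread and not Firefox or NSS code: it reads the RSA modulus length from a DER SubjectPublicKeyInfo and sorts it into those bands. All function names are hypothetical, the sample keys are constructed placeholders, and treating keys below 512 bits as not overridable is an assumption drawn from the "as little as 512 bits" wording.

```python
# Added example, not Firefox/NSS code. Sample keys are constructed, not usable keys.
RSA_OID = bytes.fromhex("06092a864886f70d010101")   # rsaEncryption, 1.2.840.113549.1.1.1

def read_tlv(buf, pos=0):
    """Parse one DER TLV at pos; return (tag, value, offset_after)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                        # long form: next n bytes hold the length
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("bad DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def rsa_modulus_bits(spki_der):
    """Bit length of the RSA modulus in a SubjectPublicKeyInfo."""
    tag, spki, _ = read_tlv(spki_der)
    _, alg, off = read_tlv(spki)             # AlgorithmIdentifier
    if tag != 0x30 or not alg.startswith(RSA_OID):
        raise ValueError("not an RSA SubjectPublicKeyInfo")
    tag, bits, _ = read_tlv(spki, off)       # BIT STRING wrapping RSAPublicKey
    if tag != 0x03 or not bits:
        raise ValueError("missing key BIT STRING")
    _, rsa_key, _ = read_tlv(bits[1:])       # skip the unused-bits octet
    _, modulus, _ = read_tlv(rsa_key)        # first INTEGER is the modulus n
    return int.from_bytes(modulus, "big").bit_length()

def classify(bits):
    """Bands from the commit message; the sub-512 result is an assumption."""
    if bits >= 1024:
        return "passes key-size check"
    return "overridable error" if bits >= 512 else "not overridable"

def der(tag, value):  # minimal DER encoder, only used to build the constructed samples
    n = len(value)
    size = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(size)]) + size) + value

def sample_spki(bits):  # constructed SPKI with a modulus of `bits` bits (not a real key)
    num = lambda v: der(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))
    key = der(0x30, num((1 << (bits - 1)) | 1) + num(65537))
    return der(0x30, der(0x30, RSA_OID + b"\x05\x00") + der(0x03, b"\x00" + key))

if __name__ == "__main__":
    print({b: classify(rsa_modulus_bits(sample_spki(b))) for b in (512, 1023, 1024, 2048)})
```
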
This is reasonable. Well, if we disregard the fact that anyone using keys of this size is asking to be pwned.
Right, but affected users are already adding overrides to access these devices, so it would probably be cheaper for an attacker to just pose as the device rather than factor its key.
Comment on attachment 8740133 [details]
MozReview Request: bug 1182742 - allow users to override small key size errors r?rbarnes

https://reviewboard.mozilla.org/r/45575/#review44357
Attachment #8740133 - Flags: review?(rlb) → review+
😭

https://bugzilla.mozilla.org/show_bug.cgi?id=1265947
Flags: needinfo?(rlb)

Comment 14

2 years ago
Please, fix ASAP.

Comment 16

2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/280b570936bb
Status: NEW → RESOLVED
Last Resolved: 2 years ago
status-firefox48: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla48

Comment 17

2 years ago
This is not fixed. The latest Firefox (45.0.2) still can't connect to my own WiFi/LAN router inside my own home. The security tab of Firefox options dialog does not have a control for me to override this. Firefox's help site could not even find the error code (SSL_ERROR_WEAK_SERVER_CERT_KEY).

So there's no fix, no override, and no help. A bug is not resolved until its fix has been verified by QA (e.g. those who are affected). Please roll back the status until a patch has been released and verified. Until then, this issue should be "open - QA pending".

PS: I used to work in software QA, and I have some "free" time now between contracts, so I'd be willing to help more if I knew how to get involved.
Hi Jeffry - this is marked fixed target version 48 and the status-48 flag is marked fixed. So the expectation is that the changes are reflected there. If it were to be uplifted to < 48 you would see that reflected in the corresponding status flags.

48 is just about to become the dev channel (i.e. aurora).