Closed Bug 1187666 Opened 9 years ago Closed 9 years ago

Can't connect to WSS/SSL websocket server with a self-signed certificate

Categories

(Core :: Security: PSM, defect)

39 Branch
defect
Not set
normal


RESOLVED WONTFIX

People

(Reporter: fresheneesz, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/43.0.2357.134 Safari/537.36

Steps to reproduce:

* Create a secure websocket server listening on port 8080 using a self-signed certificate
* Create an https server listening on port 9000 which, on load, attempts to create a websocket connection with wss://localhost:8080
* Go to https://localhost:9000


Actual results:

An error in the console:

Firefox can't establish a connection to the server at wss://localhost:8080/.


Expected results:

The connection should have been made. At the very least, I would expect a dialog to come up that indicates the certificate might be dangerous to accept, but allows the option of accepting it (i.e. adding an exception).
Component: Untriaged → Security: PSM
Product: Firefox → Core
We don't create dialogs for failed subresources, which is what wss is.

You can add the exception by going to https://localhost:8080/ first, and then loading the page on 9000 with the subresource.
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → WONTFIX
No Patrick. I'm not talking about a "failed resource". I'm talking about a self-signed LOCAL resource. The fact that it's local should be enough to be considered "not failed". And also, you're wrong that I can add an exception "by going to https://localhost:8080/ first, and then loading the page on 9000 with the subresource". There is no prompting at all to add an exception in either the 8080 case or the 9000 case. There is no possibility to add the resource such that it will be accepted.
(In reply to fresheneesz from comment #2)
> No Patrick. I'm not talking about a "failed resource".

I'm not trying to be pejorative - I'm trying to help. I wrote a lot of the code you're interacting with. That's just what it is - a failed subresource load because the wss/https security requirements aren't satisfied (yet!)

> I'm talking about a
> self signed LOCAL resource. The fact that it's local should be enough to be
> considered "not failed".

https:// and wss:// require certificate validation - the hostname is never enough. You can either have a certificate that is validated via the PKI or you can use a stored exception for validation. You're looking to store the exception, and that's fine.

> And also, you're wrong that I can add an exception
> "by going to https://localhost:8080/ first, 

This is odd. There must be an https server on that port, because websockets bootstraps itself via https. When you type https://localhost:8080 into the location bar what do you see? Does it change if you add a slash to the end of the url?

(In reply to fresheneesz from comment #2)
> either the 8080 case nor the 9000 case. There is no possibility to add the

I'm confused by the 9000 case - have you already stored an exception for it? If not, how are you loading the html on that page?

Tools > Options > Advanced : Encryption: Certificates - View Certificates (Servers)
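An added example, not code from this bug or from Firefox: a Go program that models the two validation paths Patrick describes above. It starts a throwaway TLS server with a self-signed certificate (Go's httptest generates one for 127.0.0.1), then connects once with the platform trust store only, which fails because the certificate chains to no trusted root, and once with that certificate pinned as the only trust anchor, which stands in for the stored exception. It assumes loopback networking is available.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"net/http"
	"net/http/httptest"
)

// Outcome is what the two client configurations observed against the same server.
type Outcome struct {
	PKIOnlyRejected   bool  // platform roots only: no anchor for a self-signed cert
	PKIReason         error // the handshake error (x509.UnknownAuthorityError on Linux)
	ExceptionAccepted bool  // the accepted certificate pinned as the only trust anchor
}

// clientTrusting returns an HTTPS client whose trust anchors are exactly pool;
// a nil pool means Go's default, i.e. the platform trust store (the PKI path).
func clientTrusting(pool *x509.CertPool) *http.Client {
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}
	return &http.Client{Transport: tr}
}

// fetch performs one GET and returns the transport-level error, if any.
func fetch(c *http.Client, url string) error {
	resp, err := c.Get(url)
	if err == nil {
		resp.Body.Close()
	}
	return err
}

// Demo stands up a throwaway TLS server with a self-signed certificate (httptest
// generates one valid for 127.0.0.1) and connects to it both ways.
func Demo() Outcome {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusNoContent)
	}))
	defer srv.Close()
	// PKI path: nothing in the platform store signed this cert, so the handshake fails.
	pkiErr := fetch(clientTrusting(nil), srv.URL)
	// Exception path: trust exactly the certificate the user accepted, nothing else.
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	excErr := fetch(clientTrusting(pool), srv.URL)
	return Outcome{PKIOnlyRejected: pkiErr != nil, PKIReason: pkiErr, ExceptionAccepted: excErr == nil}
}
```

Pinning the single accepted certificate is exactly what Firefox's stored exception does; it does not loosen validation for any other certificate presented on that host and port.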
I'm sorry if I came across as aggressive, of course you're trying to help, and I appreciate it : ). I must admit I didn't have my full faculties last night.

Going back to this today, it appears to be working *if* I go to 8080 first and add the exception. Whereas before I *could* go to https://localhost:8080 and add the exception, but https://localhost:9000 still refused to connect to wss://localhost:8080. Now, after adding the exception, it is able to connect fine!

This is a good positive step forward, but I would expect the dialog to come up when localhost:9000 attempts to connect to wss://localhost:8080. I shouldn't have to directly go to 8080 first to add the exception.
I wonder why a self-signed certificate will not work on localhost. Having to ask all customers to manually visit the localhost endpoint and accept the cert is really weird, especially because no cert authority will ever issue a certificate for localhost, and also Firefox does not allow non-SSL websockets to localhost to run if the hosting page is on SSL. I'm not sure this improves security (we are on localhost), as the only solution seems to be to embed the self-signed cert and key into the application running at localhost and have the CA injected in the user trust chain. Is this really more secure than allowing non-SSL localhost websockets?
I confirm @fresheneesz's comment is a workaround for the issue.
This means if you have websocket on port 9000, like
wss://1.2.3.4:9000

Then simply go to:
https://1.2.3.4:9000

And you'll be able to add an exception.