Adding of permanent exception for SSL-Certificate served via https://[IP]/ not possible

RESOLVED DUPLICATE of bug 1116625

Status


Core
Security: PSM
2 years ago
a year ago

People

(Reporter: Roman Fiedler, Unassigned)

Tracking

47 Branch

Firefox Tracking Flags

(Not tracked)

Details

Attachments

(1 attachment)

(Reporter)

Description

2 years ago
User Agent: Mozilla/5.0 (X11; Linux i686; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160131030347

Steps to reproduce:

Connect to a site with https://[IP]:[Port]/ and SSL certificate issued from private CA (which is available in the CA store - not clear if this adds to the issue)

No options to add permanent exception

It is quite annoying that this does not work: Management network gateway binds a lot of SSL endpoints to one jump-IP, all with internal CA certificates. DNS-Name for cert would point to public IP of the system, so access via IP to get to mgmt access is necessary.


Actual results:

Only options to add temporary exception, via preferences no way to import the certificate and make it valid for this IP/Port.


Expected results:

Allow adding of permanent exception: even through menus, preferences, ... would be OK (no fast click for stupid users) but any possibility to add those entries would be required.

With current implementation, users are just trained to click "add temporary exception" for any connection, that is not pure standard - without checking the certificate after some days. Hence not really suitable for daily work.

Current workaround: Use IE

Updated

2 years ago
Component: Untriaged → Security: UI
Product: Firefox → Core
Roman, in the bottom-left corner of the "Add Security Exception" dialog is a checkbox labeled "Permanently store this exception". Is this not what you're seeing? Or is the dialog not working as expected?
Component: Security: UI → Security: PSM
Flags: needinfo?(roman.fiedler)
Status: UNCONFIRMED → RESOLVED
Last Resolved: a year ago
Resolution: --- → INCOMPLETE
(Reporter)

Comment 2

a year ago
Yes, the checkbox and the label are here, but the label is grey and the checkbox cannot be selected. There is no indication of the reason why it cannot be selected.

The message on the page before (the one with the "add exception" button) only says:

[IP] uses an invalid security certificate.
The certificate is not valid for the name [IP].
Error code: SSL_ERROR_BAD_CERT_DOMAIN
Status: RESOLVED → UNCONFIRMED
Resolution: INCOMPLETE → ---
Flags: needinfo?(roman.fiedler)
Is this in a private browsing window? Or do you have history configured to never remember history and/or clear history when you close Firefox?

(Also, if you keep the needinfo box checked when you submit a comment, it tells the person who asked you for the information that you've responded. This has the additional benefit that they can use the needinfo functionality again to ask for further information if necessary.)
Flags: needinfo?(roman.fiedler)
(Reporter)

Comment 4

a year ago
* No, not a private browsing window.

* History is cleared, but the SSL certificate will never make it to the history (as permanent exception checkbox cannot be selected)

* "Clear the needinfo request for ..." checked

* Need more information from ... checked, filled - hope your username is correct, my GUI tells me, that you have 2 profiles with just 1 letter difference.

New information:

* It also happens with a normal https://[name]/ site where the certificate was issued for another subject, no SAN but custom root CA (working for other correct certs) plus intermediate CA.(In reply to
Flags: needinfo?(roman.fiedler) → needinfo?(dkeeler)
(In reply to Roman Fiedler from comment #4)
...
> * History is cleared, but the SSL certificate will never make it to the
> history (as permanent exception checkbox cannot be selected)

Hmmm - it looks like there's a slight difference between how the exception dialog behaves for "never remember history" vs. "clear history when Firefox closes" - can you post a screenshot of the privacy tab of preferences?

Also, do you have any add-ons installed?

> * Need more information from ... checked, filled - hope your username is
> correct, my GUI tells me, that you have 2 profiles with just 1 letter
> difference.

Yep - you got the right one.
Flags: needinfo?(dkeeler) → needinfo?(roman.fiedler)
(Reporter)

Comment 6

a year ago
(In reply to David Keeler [:keeler] (use needinfo?) from comment #5)
> (In reply to Roman Fiedler from comment #4)
> ...
> > * History is cleared, but the SSL certificate will never make it to the
> > history (as permanent exception checkbox cannot be selected)
> 
> Hmmm - it looks like there's a slight difference between how the exception
> dialog behaves for "never remember history" vs. "clear history when Firefox
> closes" - can you post a screenshot of the privacy tab of preferences?

See attachment.

> Also, do you have any add-ons installed?

about:addons
Tamper Data

about:plugins
OpenH264 Video Codec provided by Cisco Systems, Inc.

I will try with addons disabled after restarting.
(Reporter)

Comment 7

a year ago
Created attachment 8788507 [details]
Privacy tab screenshot
(Reporter)

Comment 8

a year ago
Deactivation of addon did not change the behaviour.
Flags: needinfo?(roman.fiedler) → needinfo?(dkeeler)
Thanks for the detailed information, Roman. It looks like this is the same as bug 1116625. Essentially, when Firefox has been configured to never remember history, it assumes the user never wants to permanently save a certificate error override since that essentially saves a little bit of history (the file backing that feature keeps track of the hostname the override is for). Hence, the checkbox is disabled. My idea in that bug was to add a little mouseover text that explains the situation, but it hasn't been implemented yet.
Status: UNCONFIRMED → RESOLVED
Last Resolved: a year ago
Flags: needinfo?(dkeeler)
Resolution: --- → DUPLICATE
Duplicate of bug: 1116625
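Added example (not part of the bug thread and not Mozilla's code): a small profile check that reports whether "never remember history" is set, which per the explanation above is what greys out the checkbox, and lists the permanent exceptions already stored. It assumes the setting is stored as the `browser.privatebrowsing.autostart` pref in `prefs.js`, that the backing file is `cert_override.txt` with tab-separated `host:port`, hash OID, fingerprint, override letters and key fields (the layout of Firefox versions of this era), and that the letters mean what `FLAG_NAMES` says; the sample data is constructed.

```python
import re

# Constructed sample data, not taken from the bug report.
SAMPLE_PREFS = (
    '// Mozilla User Preferences\n'
    'user_pref("browser.privatebrowsing.autostart", true);\n'
)
SAMPLE_OVERRIDES = (
    "# PSM Certificate Override Settings file\n"
    "192.0.2.10:8443\tOID.2.16.840.1.101.3.4.2.1\tAA:BB:CC\tMU\tZHVtbXk=\n"
    "mgmt.example.test:443\tOID.2.16.840.1.101.3.4.2.1\tDD:EE:FF\tM\tZHVtbXk=\n"
    "truncated-line-without-port\n"
)

PREF_RE = re.compile(r'^user_pref\("([^"]+)",\s*(.+?)\);$')
# Assumed meaning of the override letters in the fourth field.
FLAG_NAMES = {"M": "name mismatch", "U": "untrusted issuer", "T": "validity period"}

def read_bool_pref(prefs_text, name, default=False):
    """Return a boolean user_pref from prefs.js text, or default if unset."""
    for line in prefs_text.splitlines():
        m = PREF_RE.match(line.strip())
        if m and m.group(1) == name:
            return m.group(2).strip() == "true"
    return default

def parse_overrides(text):
    """Return (host, port, [error kinds]) for each stored permanent exception."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        host, _, port = fields[0].rpartition(":")
        if not host or not port.isdigit():
            continue  # skip malformed or unknown-format lines
        flags = fields[3] if len(fields) > 3 else ""
        entries.append((host, int(port), [FLAG_NAMES.get(f, f) for f in flags]))
    return entries

def audit(prefs_text, overrides_text):
    """Summarise whether the checkbox would be greyed out and what is stored."""
    ppb = read_bool_pref(prefs_text, "browser.privatebrowsing.autostart")
    return {"never_remember_history": ppb,
            "permanent_exception_available": not ppb,
            "stored_exceptions": parse_overrides(overrides_text)}

if __name__ == "__main__":
    print(audit(SAMPLE_PREFS, SAMPLE_OVERRIDES))
```

On a real profile, pass the contents of the profile's `prefs.js` and `cert_override.txt` to `audit()`; reviewing the stored list periodically addresses the reporter's concern about exceptions that are never re-checked.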