1305711 - Self-signed root certificate authority (CA) certificates disappear when upgraded to v49.0.1

Status: RESOLVED INVALID

(Core :: Security: PSM, defect)

Description

[Levan]

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36

Steps to reproduce:

Upgraded to version 49.0.1


Actual results:

Any self-signed root CAs are no longer listed under the "Authorities" Tab.


Expected results:

self-signed root CAs should remain listed under the "Authorities" Tab. 
Downgrading to version 48 fixes this issue.

Comment 1

[Dana Keeler (she/her) [:keeler]]

Can you attach to this bug some of the root CAs that are no longer present in 49? Thanks.

Comment 2

[Levan]

Hi David, See attached test root CA. 

Here is test I Did:
1. Added root CA under "Authorities" on version 48. (Will be under name "PPSdom Inc.")
2. Upgraded to version 49. Root CA disappeared from "Authorities" list.
3. Downgraded back to version 48. Root CA appeared again.


-----BEGIN CERTIFICATE-----
MIID9zCCAt+gAwIBAgIJAP9RX/zNZ134MA0GCSqGSIb3DQEBCwUAMIGRMQswCQYD
VQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzEQMA4GA1UEBwwHVG9yb250bzEUMBIG
A1UECgwLUFBTZG9tIEluYy4xETAPBgNVBAsMCEluZm8gU2VjMRQwEgYDVQQDDAtw
cHNkb20uaW5mbzEfMB0GCSqGSIb3DQEJARYQaW5mb0BwcHNkb20uaW5mbzAeFw0x
NjA5MjcxOTIyNDFaFw0xOTA3MTgxOTIyNDFaMIGRMQswCQYDVQQGEwJDQTEQMA4G
A1UECAwHT250YXJpbzEQMA4GA1UEBwwHVG9yb250bzEUMBIGA1UECgwLUFBTZG9t
IEluYy4xETAPBgNVBAsMCEluZm8gU2VjMRQwEgYDVQQDDAtwcHNkb20uaW5mbzEf
MB0GCSqGSIb3DQEJARYQaW5mb0BwcHNkb20uaW5mbzCCASIwDQYJKoZIhvcNAQEB
BQADggEPADCCAQoCggEBAM5cbnrR2qdrayBT4ZwHqu4z0aO8wjrvFxyoNPUqKOJv
gwF92zVDaIHFugmR0qLumcXKCHplAqyCVulhsNIshcjOtL6OxPDOSQJ0NU/7Orsn
eqNNH1DZSIAWhyzUfBbdIGXfUj3dqRH1Fin9gyP9Bhvq4im+DAQhDcr7hJFXILti
zBO2J1mAj3styPACWkQtBV65aJjfgFX0K324hmG9gmlxWEvTvLeVCCldYDFZ0KjL
tUvdgy/zcYSN1Bk/1ucE5BW/R4dE4Tcv7tNDY30OJxvrC9r7tFXowVII0OQSYg31
DuPdKs7w8ZRFr6oPoP/JtJ4F8m3QuPuklX5QZqCnkekCAwEAAaNQME4wHQYDVR0O
BBYEFI1IRBIyJGAOXbk44b7ZVeX4t+5nMB8GA1UdIwQYMBaAFI1IRBIyJGAOXbk4
4b7ZVeX4t+5nMAwGA1UdEwQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAAMuD6GD
WIVPOX+7VEcU8zV1/Itu1X52jKTARgQiwV2NwTNhJw8QZF6cKARSi2AdjlPE6n1J
JZOlhCu7NJi1wT9lb4x0pr0I9Sz57Z5NKW889WqIsGtt88kBr4gcVcWwwjmMJ3VH
pde698CJZ5r4rXh97t5VtOZ32EorJ1xnJzuP4THEgH5lzQb8h7yreZmZr0SHJ+vn
pB2uyhEJmh9d6eqZhourv80rjS9M1tfDoVjodvqg0g00z435YH/OfM4V+9s6nmrJ
Cz4yA9kmyNI1fyeHDablA63+vlfiK6RkoLEtfJUq8IxySC/PWrNDLEPJ0g3AxQl2
eqwGunM5d4CNGNc=
-----END CERTIFICATE-----

Thanks.

Comment 3

[Dana Keeler (she/her) [:keeler]]

Hmmm - that CA sticks around for me when I import it in 48 and then upgrade to 49. Can you post the output from running the two versions with the environment variable "MOZ_LOG" set to "pipnss:5"?

Comment 4

[Levan]

David, Sorry I am new to mozlog. When you have a chance, could you please instruct me where log outputs are? I tried SET MOZ_LOG_FILE="mozlog.txt" but still do not see output file.

Thanks.

Comment 5

[Dana Keeler (she/her) [:keeler]]

It should be standard out or standard error, so you'll only see them if you run from a console. For MOZ_LOG_FILE, try using a full path? (e.g. c:\temp\mozlog.txt or something)

Comment 6

[Levan]

Attachment: mozlogs.zip

Logs are attached.

Comment 7

[Levan]

Hi David,

I have attached logs from v48 and v49.

Just to provide you some context, we need to add self-signed root CA so that HTTPS sites are working through company's SSL proxy.

Thanks.

Comment 8

[Levan]

Hi David, 
Looks like it is not a Firefox bug. This issues is limited to my company desktops only. I have also tested it on my home PC and did not experienced any problems with certificates there. I suspect some security software running on our company desktops causing this issues.

Thanks.

Comment 9

[Dana Keeler (she/her) [:keeler]]

Thanks - I'm resolving this as "invalid" which is just an unfortunate way of saying "not due to a flaw in Firefox".