Closed Bug 1310629 Opened 9 years ago Closed 3 years ago

bitdefender tls intercepting proxy has trouble keeping its root certificate in Firefox's trust store

Categories

(Web Compatibility :: Site Reports, defect, P5)

Product:
Web Compatibility
Component:
Site Reports
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED INCOMPLETE

People

(Reporter: Ba7es.Android, Unassigned)

References

Details

(Whiteboard: [tls] [needscontact] )

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0 Build ID: 20161013030204 Steps to reproduce: I did an update last Friday on Nightly (installed and problematic version is 52.0a1 (2016-10-13) (64-bit)) Opening https://www.google.com ends us in an Insecure Connection message. Other https websites give the same results. Sometimes adding an exception help, but few websites can be added, messages might be different Actual results: https://www.google.com/search?q=&ie=utf-8&oe=utf-8&client=firefox-b Peer’s Certificate issuer is not recognized. HTTP Strict Transport Security: false HTTP Public Key Pinning: true Certificate chain: -----BEGIN CERTIFICATE----- MIIDaDCCAlCgAwIBAgIJALQSJlNzgnG5MA0GCSqGSIb3DQEBCwUAMGAxLTArBgNV BAMMJEJpdGRlZmVuZGVyIFBlcnNvbmFsIENBLk5ldC1EZWZlbmRlcjEMMAoGA1UE CwwDSURTMRQwEgYDVQQKDAtCaXRkZWZlbmRlcjELMAkGA1UEBhMCVVMwHhcNMTYx MDA2MTMwMjQ1WhcNMTYxMjI5MTIyODAwWjBoMQswCQYDVQQGEwJVUzETMBEGA1UE CAwKQ2FsaWZvcm5pYTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzETMBEGA1UECgwK R29vZ2xlIEluYzEXMBUGA1UEAwwOd3d3Lmdvb2dsZS5jb20wggEiMA0GCSqGSIb3 DQEBAQUAA4IBDwAwggEKAoIBAQDVSChme7q9TIi8jpk96VNzrM+7zH5pAsrm9hBH Azk1l/iDAqgR64sdNKfbZ9c5qnm8tXROcU9zSC8SvOeP/TA/OsmUwTRpwOdNqHc+ O92Tbvy3Yv02CTQ0vmhqYgeJP+Icn3Lf2KAQqixydzTsTrMeFARxGLym+3k6ayVX jpyzmdCQIm/iiLvl4piflB2vgBhJc6i15MJxCeBPyzFr+abMPghUpzqXkuKgSNc9 JkxV+/EgXuJQcvY6oOJrW97VxEloT+PNYKinl3HXsr8jp/8MfkBylKYXJogaPvnD SYbMgfKwAfeAmBnZCNu8vT7xt/IfQhGiqrIxPb+U2WeRvtsTAgMBAAGjHTAbMBkG A1UdEQQSMBCCDnd3dy5nb29nbGUuY29tMA0GCSqGSIb3DQEBCwUAA4IBAQDLfh08 MDuxo+FXDHSmcJFNOaQix5ZDhEkzABYPWvtP85Q3aRe+aBZg9uBoJQRI/LQA24v/ j6ayzQQYI96mJNOMaYsrol2MEPC77DslVQsrQfFFHZBkJuusLkj4LRLQcOfyG4fA q+x9++yb8zaG/B0m9JJwDu9NqVgfvN4M7YVoN4DBi8L//A5ZuDd8DJafUln/s5aq e25yxCwl8EdWvJvb9LU5XpP1wU5ksYV0b4F80cnWZBFCdPuFBUKw0980O9UB31OW InpN/Rm0aKDq8XWkGaUuD6rq0BATIoc7gvQtqLqR53fXn5VkQv4f3s2DfcYB1n3u JtKk/wxou40OfYVB -----END CERTIFICATE----- Expected results: Website should be displayed.
HTTPS websites work for me with the latest Nightly. Are you sure you antivirus is not blocking HTTPS traffic due toits web protection settings?
Component: Untriaged → Security: PSM
Flags: needinfo?(Ba7es.Android)
Product: Firefox → Core
This is what I was thinking first. But I can access google under iexplore, chrome and edge. Besides, it worked before update, and is working on my colleague's firefox with same network and AV software (Bitdefender Endpoint installed through GPO). I will try to uninstall nightly and do a fresh install (I saw a popup to inform me that nightly update cant be find and am still under the 2016-10-13 build) I will keep you informed
This issue is pretty common with AVs. It can appear after a Firefox update. http://www.bitdefender.com/support/what-to-do-when-security-certificates-cannot-be-verified-installed-1090.html
You might be interested in a new feature we've been working on where Firefox inspects the Windows trust stores and imports certificates it determines have been installed by the user or an administrator. Try adding a new preference called "security.enterprise_roots.enabled" and setting it to true.
Hi @Loic, my problem with bitdefender is I don't have access to any settings. This is my work computer and AV is managed by our network team, it is installed from domain policies or something similar. @David, setting the new preference worked ! Thanks both of you.
Ok - sounds like this is an issue with bitdefender. Basically, it needs to install a root certificate in every Firefox user's profile, and it looks like this didn't work as expected here. The preference in comment 4 is available in Firefox 49, but depending on where bitdefender puts its root certificate, that method might not work until Firefox 52 (where we expanded the number of Windows trust stores Firefox looks in when that feature is enabled).
Component: Security: PSM → Desktop
Flags: needinfo?(Ba7es.Android)
Product: Core → Tech Evangelism
Summary: https insecure connection → bitdefender tls intercepting proxy has trouble keeping its root certificate in Firefox's trust store
Version: 52 Branch → unspecified
Priority: -- → P5
Whiteboard: [tls] [needscontact]
Product: Tech Evangelism → Web Compatibility

See bug 1547409. Moving webcompat whiteboard tags to keywords.

Keywords: webcompat:needs-contact

Unfortunately, I don't have Bitdefender, and with my current setup, the page loads correctly.

Ba7es.Android does the issue still occur for you?

Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(Ba7es.Android)
Severity: normal → S3

Redirect a needinfo that is pending on an inactive user to the triage owner.
:denschub, since the bug has recent activity, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(Ba7es.Android) → needinfo?(dschubert)

Closing as incomplete based on comment 10.

Status: NEW → RESOLVED
Closed: 3 years ago
Flags: needinfo?(dschubert)
Keywords: webcompat:needs-contact
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.