Open Bug 1491941 Opened 3 years ago Updated 1 year ago

display imported 3rd party roots in some fashion

Categories

(Core :: Security: PSM, defect, P5)

60 Branch
defect

People

(Reporter: leith.tussing, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [psm-backlog])

Attachments

(5 files)

Attached image FF_Certs.png
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/69.0.3497.81 Safari/537.36

Steps to reproduce:

This bug stems from this conversation on the mailing list.
https://mail.mozilla.org/pipermail/enterprise/2018-September/000270.html

Windows 10 1803
Firefox GPO 1.2
Firefox 60.2.0esr
GPO enabled that sets security.enterprise_roots.enabled=true

We push the core DoD CA certificates via GPO to all systems; there are 6 certificates in this set. On specific systems that need ALL certificates we run the full DISA InstallRoot 5.2 tool to install all of the DoD certificates, mainly for development purposes. There are 100+ certificates in that bundle.

Using the Firefox GPO ADMX files we set security.enterprise_roots.enabled = true which shows as being set in the about:config window.  Looking in the Computer certificates store on these machines I can see the core certificates installed and then on development machines the entire bundle.  We have some systems that were running the normal FF and have been upgraded to ESR 60.2.0 or are fresh installs of ESR 60.2.0 on them.  All instances are loaded as a normal user and not an admin of the system.


Actual results:

The View Certificates tool shows none of the DoD certificates. The other user in the thread on 60.1.0 ESR said they weren't working for them at all. For me, though, even though they don't show up, they work. However, as I would go to a website that used a known certificate, they would start to show up in the list. My personal workstation at one point started showing all 100+ certificates, where for a while it was showing nothing at all.

I've included an image showing the different states.  The first portion shows a machine correctly configured but no U.S. Government section shows.  The second portion shows after going to a website that uses one of those certificates and now the intermediate but not root certificate shows in the list.  The third section shows a machine that just started showing all 100+ certs in the U.S. Government section.


Expected results:

FF should include all of the local computer certificates and display them to the user.
Attached image ff_certpath-notOK.png
Attached image ie_certpath-ok.png
Attached image win_certstore.png
Hi,

this is Chris from the enterprise mailing list.

Windows 2008R2
Firefox GPO 1.0
Firefox 60.1.0esr
GPO enabled that sets security.enterprise_roots.enabled=true

We have several RootCA and IssuingCA certificates in our certification store. All certificates are part of/issued by the Windows ADCS.

The GPO is applied to the system and other settings (i.e. block about:config) are working as expected.

The certificates are stored in
* Certificates (Local Computer) / Intermediate Certification Authorities / Certificates
* Certificates (Local Computer) / Trusted Root Certification Authorities / Certificates
* Certificates (Current User) / Intermediate Certification Authorities / Certificates
* Certificates (Current User) / Trusted Root Certification Authorities / Certificates

None of the certificates are working in FF. They are working as expected in IE.
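As an added example (not part of this bug thread, and not Mozilla's or DISA's code), the following PowerShell enumerates the four Windows certificate stores Chris lists above, so an administrator can compare what Windows actually holds against what the Firefox certificate manager displays. It tags each certificate as a root (self-signed) or an intermediate, which matters here because the thread reports that intermediates appear after browsing while roots do not. The subject filter `DoD` is an assumed placeholder matching the DISA bundle from the first comment; set it to an empty string to list everything.

```powershell
# Added example: list the certificate stores named in the bug report and
# classify each entry as root or intermediate. Assumes Windows PowerShell
# with the Cert: drive available (no admin rights needed to read these stores).

$stores = @(
    'Cert:\LocalMachine\Root',   # Certificates (Local Computer) / Trusted Root Certification Authorities
    'Cert:\LocalMachine\CA',     # Certificates (Local Computer) / Intermediate Certification Authorities
    'Cert:\CurrentUser\Root',    # Certificates (Current User) / Trusted Root Certification Authorities
    'Cert:\CurrentUser\CA'       # Certificates (Current User) / Intermediate Certification Authorities
)

# Assumed placeholder: substring of the subject to look for ('' = show all certificates).
$subjectFilter = 'DoD'

$rows = foreach ($store in $stores) {
    Get-ChildItem -Path $store |
        Where-Object { $subjectFilter -eq '' -or $_.Subject -like "*$subjectFilter*" } |
        ForEach-Object {
            $cert = $_
            # Basic Constraints tells us whether the certificate is even allowed to act as a CA.
            $bc = $cert.Extensions |
                Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension] } |
                Select-Object -First 1
            [pscustomobject]@{
                Store      = $store
                # A self-signed certificate (subject equals issuer) is a root; anything else is an intermediate.
                Kind       = if ($cert.Subject -eq $cert.Issuer) { 'root' } else { 'intermediate' }
                Subject    = $cert.Subject
                Issuer     = $cert.Issuer
                Thumbprint = $cert.Thumbprint
                NotAfter   = $cert.NotAfter
                IsCA       = if ($bc) { $bc.CertificateAuthority } else { $false }
                Expired    = $cert.NotAfter -lt (Get-Date)
            }
        }
}

# Full listing, grouped so roots and intermediates per store are easy to compare
# with the "U.S. Government" section of Firefox's View Certificates dialog.
$rows | Sort-Object Store, Kind, Subject | Format-Table Store, Kind, IsCA, Expired, Subject, Thumbprint -AutoSize

# Per-store counts: a store with zero 'root' entries explains why only intermediates
# ever appear in Firefox after browsing.
$rows | Group-Object Store, Kind | Select-Object Name, Count | Format-Table -AutoSize
```

Run it as the same (non-admin) user who sees the empty certificate list in Firefox, since the Current User stores differ per account; if a root is present here with `IsCA` true and not expired but absent from the Firefox dialog, the behaviour matches Dana's explanation further down that imported 3rd-party roots are simply not exposed in the certificate manager rather than missing.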
I am assigning a component to this issue in order to involve the development team and get an opinion on this.
Component: Untriaged → Security: PSM
Product: Firefox → Core
NEEDINFOing Dana for input.
Flags: needinfo?(dkeeler)
Nevermind. Answered via email. I'll post here.
Flags: needinfo?(dkeeler)
"This is because we don't actually expose the
imported 3rd party roots in the certificate manager (mostly to make it
easy to reset the trust settings if the user turns the enterprise roots
feature off). Clearly people expect them to show up, though, so maybe we
should do something about that.

(The reason intermediates start to show up is that we cache
intermediates we encounter while browsing. The caching code isn't aware
of 3rd party roots - maybe that's something we should fix.)"
Priority: -- → P5
Summary: FF 60.1.0esr/60.2.0esr inconsistent behavior when security.enterprise_roots.enabled = true → display imported 3rd party roots in some fashion
Whiteboard: [psm-backlog]
Confirming.
Status: UNCONFIRMED → NEW
Ever confirmed: true