Closed Bug 1540968 Opened 5 years ago Closed 5 years ago

Using enterprise_roots.enabled in FF 66.0.2 32/64 does not work

Categories

(Core :: Security: PSM, defect)

66 Branch
defect
Not set
normal


RESOLVED DUPLICATE of bug 1473573

People

(Reporter: ken, Unassigned)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36

Steps to reproduce:

Sign a web server with root and intermediate certs from private CA. Deploy public certs to a Windows Server 2016 host by either GPO or local install (User or Computer). Install Firefox 66.0.2 (32 or 64) on this host. Configure Firefox using mozilla.cfg, about:config, or Firefox ADMX file to set and lock the security.enterprise_roots.enable to true. Attempt to load a page from the previously mentioned web server.

Actual results:

Firefox will present a SEC_ERROR_UNKNOWN_ISSUER page despite the certificates being verified as loaded in the Windows OS certificate store.

Expected results:

Firefox should validate the website certificate against the intermediate and root certificates in the Windows OS cert store. Chrome is also installed on this host and validates the website without issue. Manually loading the root/intermediate certs into Firefox results in the expected website validation behavior. I tried both 32 and 64 bit versions of Firefox and both behaved the same way. I believe this worked fine in FF 52 or 55 when I used mozilla.cfg and autoconfig.js to enforce the setting.

I did check about:config and verify that the 'security.enterprise_roots_enabled' is set and locked to true.

I keep making a mess of the setting name, but it's 'security.enterprise_roots.enabled' and the value is 'true'.

Component: Untriaged → Security: PSM
Product: Firefox → Core

Does the web server actually send the intermediates in the TLS handshake or are they in the windows cert store?

Flags: needinfo?(ken)

Most of the web servers I am trying to connect to are the integrated servers built into Out-of-Band Management equipment (HP iLOs and KVM equipment). I do not believe they provide any certificate other than the server certificate. I would be happy to check this if you can provide the steps. I know that on the host running Firefox, both the root and intermediate certs are in the Windows OS store. Chrome and IE open the web page without any complaint.

I need to correct my previous comment about this working in FF 52/55. I can only say that the autoconfig.js/mozilla.cfg file properly set the 'security.enterprise_roots.enabled' to 'true'. I don't think I had any certs loaded at that point to test.

Flags: needinfo?(ken)
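The question above, whether the server sends its intermediate in the TLS handshake, is what decides this case: `openssl s_client -connect HOST:443 -showcerts` prints the chain the server actually sent. The following is an added example, not code from this bug or from Mozilla, that parses a constructed sample of that output and reports which CA the client must already trust; the host and CA names and the `SAMPLE_S_CLIENT_OUTPUT`, `parse_chain` and `required_from_store` identifiers are assumptions.

```python
import re

# Constructed sample of `openssl s_client -connect HOST:443 -showcerts` output
# with the PEM body elided; host and CA names are placeholders, not real ones.
SAMPLE_S_CLIENT_OUTPUT = """\
---
Certificate chain
 0 s:CN = ilo-example.corp.internal
   i:CN = Example Corp Issuing CA
-----BEGIN CERTIFICATE-----
MIIC...elided...
-----END CERTIFICATE-----
---
"""

SUBJECT_LINE = re.compile(r"^\s*\d+\s+s:(.*)$")   # " 0 s:CN = ..."
ISSUER_LINE = re.compile(r"^\s*i:(.*)$")          # "   i:CN = ..."

def parse_chain(output):
    """Return [(subject, issuer), ...] in the order the server presented them."""
    chain, in_chain, subject = [], False, None
    for line in output.splitlines():
        if line.strip() == "Certificate chain":
            in_chain = True
            continue
        if not in_chain:
            continue
        if line.strip() == "---":          # end of the chain section
            break
        m = SUBJECT_LINE.match(line)
        if m:
            subject = m.group(1).strip()
            continue
        m = ISSUER_LINE.match(line)
        if m and subject is not None:
            chain.append((subject, m.group(1).strip()))
            subject = None
    return chain

def required_from_store(chain):
    """Issuer of the last certificate the server sent, i.e. the CA the client
    must already trust; None if the server sent a self-signed root itself.
    If this names an intermediate, a client importing only roots from the OS
    store (Firefox 66, per bug 1473573) reports SEC_ERROR_UNKNOWN_ISSUER."""
    if not chain:
        return None
    subject, issuer = chain[-1]
    return None if subject == issuer else issuer
```

When `required_from_store` returns the intermediate CA's name, the server sends only its leaf certificate, which is exactly the situation where an OS-store intermediate is not enough for Firefox 66 even though Chrome and IE accept it.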

I also read in another bug report that Firefox only loaded the Root CA certs and not the intermediate certs. Could this be the problem?

https://wiki.mozilla.org/CA/AddRootToFirefox

https://bugzilla.mozilla.org/show_bug.cgi?id=1473573

If this is still the case, doesn't that really limit the usefulness of this feature?

Sounds like bug 1473573, then. This should work in 67. Let me know if it doesn't.

Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #6)

> Sounds like bug 1473573, then. This should work in 67. Let me know if it doesn't.

*** This bug has been marked as a duplicate of bug 1473573 ***

I just commented in the other bug thread. FF 67.0b8 seems to be working perfectly.
