enterprise roots: consider importing from CERT_SYSTEM_STORE_CURRENT_USER{,_GROUP_POLICY} on Windows
Categories: Core :: Security: PSM, enhancement, P1
People: Reporter: amandeep, Assigned: keeler
Whiteboard: [psm-assigned]
Attachments (4 files):
- 1.26 KB, application/x-x509-ca-cert
- 1.34 KB, application/x-x509-ca-cert
- 1.30 KB, application/x-x509-ca-cert
- 47 bytes, text/x-phabricator-request (lizzard: approval-mozilla-beta+, lizzard: approval-mozilla-esr68+)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.87 Safari/537.36
Steps to reproduce:
- On Windows, install the certificate attached with the bug as a Trusted Root Certification Authorities for the Current User.
- Set the security.enterprise_roots.enabled to true in Firefox.
- Launch https://self-signed.badssl.com in Firefox.
Actual results:
Firefox fails to show the webpage with error code: MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT
Expected results:
Firefox should have displayed the page without any error.
Note:
- If you install the same certificate to Local Machine store in place of Current User, Firefox is able to display the page. I think along with reading the certificates from HKLM\SOFTWARE\Microsoft\SystemCertificates registry location, Firefox should also read the certificates from HKCU\Software\Microsoft\SystemCertificates
- On Mac, Firefox honors user account certificates.
Comment 1 • 6 years ago
The priority flag is not set for this bug.
:keeler, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 2 (Assignee) • 6 years ago
Presumably you're not actually using the end-entity certificate from badssl.com. Can you attach the actual certificate you're using? That might help figure out why Firefox doesn't treat it as a trust anchor.
Comment 3 (Reporter) • 6 years ago
Comment 4 (Reporter) • 6 years ago
Comment 5 (Reporter) • 6 years ago
Comment 6 (Reporter) • 6 years ago
Dana, I have attached the CA.crt, server.crt and server.key. I am using these to launch my https server. In case I add the CA.crt to Trusted Root Certification Authorities for the Current User, Firefox still shows error. But in case the same is installed to the Trusted Root Certification Authorities for the Local Machine, it works fine.
Comment 7 (Reporter) • 6 years ago
Any update on the issue???
Adobe is planning to release CC Libraries support in Microsoft Office and for it to work on Firefox, we need this issue to be fixed.
Comment 8 (Assignee) • 6 years ago
Firefox can successfully verify that server certificate with that ca certificate, so the problem is not with the certificates.
Are you still getting the error MOZILLA_PKIX_ERROR_SELF_SIGNED_CERT? That should only be possible if the server certificate Firefox is seeing is self-signed. The server certificate you attached to this bug is not self-signed. Are you sure your TLS server is using the correct certificate?
Comment 9 (Reporter) • 6 years ago
Hi Dana,
Please see the screen recording to get the idea what is the real problem.
https://share.getcloudapp.com/7Ku2wpmz
Comment 10 (Assignee) • 6 years ago
I see. Currently Firefox looks in CERT_SYSTEM_STORE_LOCAL_MACHINE, CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY, and CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE. Is there a reason your system can't use one of these locations?
Comment 11 (Reporter) • 6 years ago
We have to cater to users who don't have administration rights on the machine. They can't install the certificates to the local machine cert store. They can install it on the current user cert store only.
Comment 12 (Assignee) • 6 years ago
Comment 13 (Assignee) • 6 years ago
Can you give this build a try? (click the green B for the appropriate platform, click "Job Details", and then the file I think you want is "target.installer.exe")
https://treeherder.mozilla.org/#/jobs?repo=try&revision=c9c9eeb621001a650d43329a422cf081be958ed5
Comment 14 (Reporter) • 6 years ago
The build works fine. Thanks :)
When can we expect this build to be available?
Comment 15 (Assignee) • 6 years ago
Great - thanks! It'll land in Nightly shortly (hopefully). Once it has some bake time, we may be able to uplift it to ESR 68, although I doubt we'll uplift it to the current non-ESR Release version.
Comment 16 • 6 years ago
Comment 17 • 6 years ago (tagged: bugherder)
Comment 18 (Reporter) • 6 years ago
Can you shed some light on ESR vs non-ESR versions? Also please share the approximate timelines we can expect for the fix to be available for both the versions.
Comment 19 (Assignee) • 6 years ago
Here's information on ESR: https://support.mozilla.org/en-US/kb/firefox-esr-release-cycle
Here's the release calendar: https://wiki.mozilla.org/Release_Management/Calendar
You can use the tracking flags and the release calendar to determine when a fix will be available. For instance, right now this bug is fixed in Firefox 71 (firefox71 tracking flag is fixed), and it is (currently) scheduled for release December 3rd.
Comment 20 (Assignee) • 6 years ago
Comment on attachment 9092436 [details]
bug 1571548 - support "current user" registry locations for enterprise certificates on Windows r?kjacobs,mhowell
Beta/Release Uplift Approval Request
- User impact if declined: Users that don't have administrative privileges on their machines won't be able to import their own 3rd party (enterprise) roots using the enterprise roots feature on Windows.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This change expands the list of locations the enterprise roots feature looks in for 3rd party certificates to include registry locations controlled by the current user. The added risk of looking in locations modifiable by the user is that malware with user privileges can add certificates that Firefox will import and trust. However, malware running with user privileges can already do this by modifying the user's cert9.db, so this doesn't decrease the security of Firefox.
- String changes made/needed:
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: This is an enterprise-focused feature.
- User impact if declined: Users that don't have administrative privileges on their machines won't be able to import their own 3rd party (enterprise) roots using the enterprise roots feature on Windows.
- Fix Landed on Version:
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): This change expands the list of locations the enterprise roots feature looks in for 3rd party certificates to include registry locations controlled by the current user. The added risk of looking in locations modifiable by the user is that malware with user privileges can add certificates that Firefox will import and trust. However, malware running with user privileges can already do this by modifying the user's cert9.db, so this doesn't decrease the security of Firefox.
- String or UUID changes made by this patch:
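A defender-side audit for the trade-off the uplift request above describes, added here as an example and not part of the bug, the patch or Firefox's own code: it lists the trust anchors present only in the current user's stores, which are exactly the ones this change makes Firefox import when security.enterprise_roots.enabled is true. It assumes the standard Cert: drive and the HKCU SystemCertificates path named in the report; the group-policy path under HKCU\Software\Policies is the usual Windows location and is an assumption, not something the page states.

```powershell
# Added example, not part of this bug or of Firefox's code. It audits the
# per-user stores that this change makes Firefox consult (when
# security.enterprise_roots.enabled is true) and reports trust anchors that
# exist only for the current user, i.e. ones installed without admin rights.

function Get-UserOnlyRoots {
    $machineThumbprints = Get-ChildItem Cert:\LocalMachine\Root |
        Select-Object -ExpandProperty Thumbprint

    # CERT_SYSTEM_STORE_CURRENT_USER: the store the reporter installed into.
    Get-ChildItem Cert:\CurrentUser\Root |
        Where-Object { $machineThumbprints -notcontains $_.Thumbprint } |
        ForEach-Object {
            [pscustomobject]@{
                Thumbprint  = $_.Thumbprint
                Subject     = $_.Subject
                SelfSigned  = ($_.Subject -eq $_.Issuer)
                NotAfter    = $_.NotAfter
                # Registry key backing this entry (path from the bug report).
                RegistryKey = "HKCU:\Software\Microsoft\SystemCertificates\Root\Certificates\$($_.Thumbprint)"
            }
        }
}

function Get-UserGroupPolicyRoots {
    # CERT_SYSTEM_STORE_CURRENT_USER_GROUP_POLICY is not exposed through the
    # Cert: drive; assumed location is the per-user Policies hive.
    $gpPath = 'HKCU:\Software\Policies\Microsoft\SystemCertificates\Root\Certificates'
    if (Test-Path $gpPath) {
        Get-ChildItem $gpPath | Select-Object -ExpandProperty PSChildName
    }
}

Write-Host 'Roots present only in the current user store:'
Get-UserOnlyRoots | Format-Table -AutoSize

Write-Host 'Thumbprints in the current user group-policy root store:'
Get-UserGroupPolicyRoots
```

Anything this lists is what the patch adds to Firefox's trust anchors on that machine; compare the output against the roots your organisation actually deploys, and treat an unexpected self-signed entry as something to investigate rather than a harmless leftover.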
Comment 21 • 6 years ago
Comment on attachment 9092436 [details]
bug 1571548 - support "current user" registry locations for enterprise certificates on Windows r?kjacobs,mhowell
Change to enterprise cert handling, OK for beta 10 / esr uplift.
Comment 22 • 6 years ago (tagged: bugherder uplift)
Comment 23 • 6 years ago (tagged: bugherder uplift)