Closed Bug 1600509 Opened 5 years ago Closed 4 years ago

Enterprise root certs option not working in linux

Categories

(Core :: Security: PSM, defect, P1)

70 Branch
Unspecified
Linux
defect

Tracking

RESOLVED WONTFIX
Tracking Status
firefox-esr78 --- wontfix
firefox83 --- wontfix
firefox84 --- wontfix
firefox85 --- wontfix

People

(Reporter: mozilladev, Unassigned)

Details

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 Safari/605.1.15

Steps to reproduce:

I am trying to access sites whose certificates are issued by a local CA in Firefox 70 on a RHEL 7 machine. I have added this CA cert to the Linux system certificate store. But I am not able to access the site, and I see a MOZILLA_PKIX_ERROR_MITM_DETECTED error in the webpage.

On Windows and Mac I was able to make it work by setting the option security.enterprise_roots.enabled to true in the preferences file and adding the root cert to the system key store. But it seems this option is not available on Linux.

If I import this certificate manually in the Firefox UI (Preferences -> Certificate Manager -> Authorities and Import), I am able to access the site.

To make this work programmatically, I have created a policies.json file with the following contents and placed it in the distribution folder in the Firefox location.

{
  "policies": {
    "Certificates": {
      "ImportEnterpriseRoots": true,
      "Install": ["cert.crt", "cert1.pem"]
    }
  }
}

Actual results:

The website is not trusted by the browser.

Expected results:

The website should be accessible, as the root cert for this site should have been trusted by Firefox, either through the ImportEnterpriseRoots option or the certificate location.

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Security: PSM
Product: Firefox → Core
OS: Unspecified → Linux
Severity: normal → critical
Priority: -- → P1
Severity: critical → blocker

Are you using Firefox as built by Mozilla or as re-packaged by RedHat?

Flags: needinfo?(mozilladev)

I have downloaded and installed Firefox from the Mozilla site. But now I was able to make it work by giving the complete path, instead of copying the cert to the given location and giving the path.

But I still couldn't make it work with the ImportEnterpriseRoots option. In RHEL 7 I have added the root cert to the cert stores in the /etc/pki/ca-trust/extracted/pem location, and I also tried adding it to $HOME/.pki/nssdb/ with the CT,C,C options. But I still see that Firefox is not picking up the newly added root cert. Could you please let me know whether this is a known issue or whether I am adding the cert in the wrong place?

Severity: blocker → critical
Flags: needinfo?(mozilladev)

The enterprise roots feature is not available for the Mozilla version of Firefox for Linux (and we have no plans to implement it). You can either use the repackaged RHEL version, which should use the system CA store, or you can import a PKCS#11 module that has the same effect, like p11-kit. See also bug 1505026.

Status: UNCONFIRMED → RESOLVED
Closed: 4 years ago
Resolution: --- → WONTFIX
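
A small lint for the kind of policy file discussed in this thread, as an added example that is not part of the bug report or Mozilla's code. It flags invalid JSON, the ImportEnterpriseRoots setting that the comment above says is unavailable in Mozilla's Linux builds, and Install entries that are not absolute paths (the form the reporter got working); the function name `lint_policies`, its parameters and the sample file are constructed for illustration.

```python
import json
import os

# Constructed sample: a hand-edited policy file with a missing comma
# between two keys and bare file names in "Install".
BROKEN = '''{
  "policies": {
    "Certificates": {
      "ImportEnterpriseRoots": true
      "Install": ["cert.crt", "cert1.pem"]
    }
  }
}'''

def lint_policies(text, platform="linux", exists=os.path.isfile):
    """Return a list of (level, message) findings for a policies.json body."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as e:
        # A file that does not parse cannot apply any policy at all.
        return [("error", f"invalid JSON at line {e.lineno}, column {e.colno}: {e.msg}")]
    policies = doc.get("policies") if isinstance(doc, dict) else None
    if not isinstance(policies, dict):
        return [("error", 'top-level "policies" object is missing')]
    findings = []
    certs = policies.get("Certificates", {})
    if certs.get("ImportEnterpriseRoots") and platform == "linux":
        findings.append(("warn", "ImportEnterpriseRoots: per this bug, not "
                         "available in Mozilla's Linux builds"))
    for entry in certs.get("Install", []):
        if not os.path.isabs(entry):
            # The reporter only got the complete path to work.
            findings.append(("warn", f"Install: {entry!r} is not an absolute path"))
        elif not exists(entry):
            findings.append(("error", f"Install: {entry!r} does not exist"))
    return findings

if __name__ == "__main__":
    for level, msg in lint_policies(BROKEN):
        print(level, msg)
```
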

a11y-review: --- → requested
Fission Milestone: --- → ?
relnote-firefox: --- → ?
Flags: sec-bounty?
Flags: in-testsuite+
Flags: in-qa-testsuite+
Flags: behind-pref+
Flags: needinfo?(dkeeler)
a11y-review: requested → ---
Fission Milestone: ? → ---
relnote-firefox: ? → ---
Flags: sec-bounty?
Flags: needinfo?(dkeeler)
Flags: in-testsuite+
Flags: in-qa-testsuite+
Flags: behind-pref+