Private CA certificates are ignored by TB 102.x and FF ESR 102.x
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
People
(Reporter: nordmann, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Steps to reproduce:
Added a private CA certificate to the TB 102.x / FF ESR 102.x certificate store with full trust enabled.
Actual results:
When accessing servers using a TLS certificate signed by the private CA certificate, both TB and FF ESR complain about an invalid server TLS certificate.
The only option to continue is to add a certificate exception to TB's/FF ESR's certificate store.
Expected results:
While determining the trust of a server's TLS certificate, TB/FF ESR should check not only against the included common CA database, but also against user-added CA certificates, whether they are added to TB's/FF ESR's own certificate store or imported via the "security.enterprise_roots.enabled" config setting set to "true".
Version 98.x of both TB and FF ESR behaved in the above-mentioned and expected way.
Comment 1•3 years ago
The severity field is not set for this bug.
:beurdouche, could you have a look please?
For more information, please visit auto_nag documentation.
Comment 2•3 years ago
This is probably due to the changes made in bug 1691122. Do the server certificates have subject alternative names?
Reporter
Comment 3•3 years ago
No, they don't!
Bug 1691122 may explain the errors I got!
Yet I have to test it.
That bug also states that the FF 101 release notes contain information about this behaviour.
But looking at the FF ESR 101 release notes, no such info is given there!
Maybe FF ESR release notes should be compiled from all release notes since the last major FF ESR release.
As of now one has to browse through all FF / FF ESR release notes to find all important information.
It also may be helpful if one gets a note about missing "subject alternative names" when adding certificates manually.
Especially if this requirement has been known since 2012, which correlates to FF Version 10.x to 16.x!!!
In addition a config setting to re-enable that fallback would be nice, because sometimes one has no influence on how private (CA) certificates are generated! Some appliances do not add subject alternative names when generating their CA and subsequent certificates. At least for the ESR versions, as most non-enterprise users won't encounter these problems.
And a more specific reported error would be helpful too!
Because the reported error "Bad certificate domain" doesn't intuitively hint at missing subject alternative names in the certificate.
Regards Christian
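Comment 2 asks whether the server certificates carry subject alternative names, and Comment 3 asks for a way to spot their absence. The following is an added example (not part of the bug report or of Mozilla's code) that builds a CN-only certificate and a SAN-bearing one with OpenSSL and reports which one carries the extension; it assumes OpenSSL 1.1.1 or newer, and the hostnames and file names are constructed.

```shell
#!/bin/sh
# Added example, not from the bug report: build the two certificate shapes the
# thread discusses and check whether a PEM certificate carries the subjectAltName
# extension that TB/FF ESR 102 require for host matching.
# Assumes OpenSSL >= 1.1.1 (for -addext); hostnames and file names are constructed.
set -eu

WORK="$(mktemp -d)"

# make_cert OUTFILE HOSTNAME [SAN]
# Self-signed throwaway certificate. With a third argument the SAN extension is
# added; without it only the CN names the host (the legacy fallback that 102
# no longer honours, hence "Bad certificate domain").
make_cert() {
    out="$1"; host="$2"; san="${3:-}"
    if [ -n "$san" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$host" \
            -addext "subjectAltName=$san" -keyout "$out.key" -out "$out" >/dev/null 2>&1
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$host" \
            -keyout "$out.key" -out "$out" >/dev/null 2>&1
    fi
}

# has_san FILE: prints "yes" if the certificate has a subjectAltName extension, else "no"
has_san() {
    if openssl x509 -in "$1" -noout -text | grep -q 'X509v3 Subject Alternative Name'; then
        echo yes
    else
        echo no
    fi
}

# san_names FILE: prints each SAN entry on its own line (nothing if the extension is absent)
san_names() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed 's/^ *//'
}

make_cert "$WORK/legacy.pem" "mail.example.internal"
make_cert "$WORK/modern.pem" "mail.example.internal" "DNS:mail.example.internal,DNS:smtp.example.internal"
echo "legacy.pem has SAN: $(has_san "$WORK/legacy.pem")"   # no  -> rejected by 102
echo "modern.pem has SAN: $(has_san "$WORK/modern.pem")"   # yes
san_names "$WORK/modern.pem"
```

Run `has_san` against the certificate an appliance hands out before importing its CA; a "no" means the 102 behaviour described in this bug will apply regardless of the trust settings on the CA itself.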
Comment 5•2 years ago
I don't think there's anything we need to do here. I think the error code, and Firefox's handling of it, give enough information to point in the right direction. We can't realistically automatically provide detailed advice for every invalid certificate people encounter.