Closed Bug 402710 Opened 13 years ago Closed 12 years ago

Clear server validation result after user deletes cert exception or trust


(Core :: Security: PSM, defect)

Not set





(Reporter: KaiE, Assigned: KaiE)


Do this:
- visit a site with a bad cert
- notice the error
- add an exception
- reload
- site works

Now do this:
- cert manager
- servers tab
- delete exception
- close cert manager
- reload web page
- open page info and view cert

Actual behavior:
- Page still loads
- cert is shown as "verified for usage ssl server"

What I would expect:
- Page no longer loads after removing the exception
- cert no longer is reported as valid as ssl server cert

Should this get fixed?
Note, I can force the expected behavior by either:
- clearing all private data, including authenticated sessions
- restarting firefox
I've noticed this behaviour too while working on the exception dialog, and I could have sworn I filed a bug, but since I can't find it now, let's use this one!  :)  

I do think it is undesirable behaviour, and should be fixed, but I don't know what such a fix would entail, since I suspect it's on the NSS side of things?
PSM should clear the SSL cache. (The SSL session is still cached, while the session is cached, full handshakes don't happen and the certs are not processed).

I know you can clear the whole SSL cache (SSL_ClearSessionCache()). In theory, clearing the cache should not have any ill effect unless the server side is tracking the session for authentication reasons.

I don't think there's an interface to clear the cache for a given host or host/port (which the exception handler knows). This would be a desirable optimization, but probably not critical.
Bob, thanks for your comment, what you say sounds reasonable.

I wonder if the "confirm delete" box should contain a hint "all authenticated sessions will be cleared to ensure this change is effective immmediately"...?

I wonder if we should clear the SSL session cache on all actions that remove trust, including:
- user edits CA or peer cert and removes explicit trust
- user deletes a CA cert or another person's cert
Summary: Clear server validation result after user deletes cert exception → Clear server validation result after user deletes cert exception or trust
Closed: 12 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 416850
You need to log in before you can comment on or make changes to this bug.