Closed
Bug 403220
Opened 17 years ago
Closed 8 years ago
Cannot add exception for SSL certificates with sec_error_bad_signature
Categories
(Core Graveyard :: Security: UI, defect, P2)
Tracking
(Not tracked)
RESOLVED
INCOMPLETE
People
(Reporter: tomwpryor, Unassigned)
References
()
Details
(Whiteboard: [no "me too" comments please, we all agree it's a problem, it's simply very difficult to fix][psm-cert-exceptions])
Attachments
(4 files)
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b1) Gecko/2007110703 Firefox/3.0b1 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b1) Gecko/2007110703 Firefox/3.0b1 Hello, I am unable to access Plesk (Server control panel software) using Mozilla Firefox 3 BETA. Plesk works in internet explorer and previous versions of the browser. Error: Secure Connection Failed An error occurred during a connection to 75.127.66.155:8443. Peer's certificate has an invalid signature. (Error code: sec_error_bad_signature) * This could be a problem with the server's configuration, or it could be someone trying to impersonate the server. * If you have connected to this server successfully in the past, the error may be temporary, and you can try again later. Also I am unable to create a exception for the site, I just get the error listed above. Reproducible: Always Steps to Reproduce: 1. Visit Website 2. 3. Actual Results: Error produced Expected Results: Allowed me to create a exception, but warn me about the risk.
Comment 1•17 years ago
|
||
I'm seeing a similar issue with self-signed certificates in a development application. If I try to create a connection for the site, you just get the error mentioned above. Makes Firefox 3 unusable for development work.
Comment 2•17 years ago
|
||
Oops - I meant "exception" rather than "connection" in comment #1.
Updated•17 years ago
|
Flags: blocking-firefox3?
Comment 3•17 years ago
|
||
The problem is not that the certificate is self-signed but that it apparently also has a bad signature. This error breaks the add-exception dialog on mac leaving a broken dialog that you cannot close and you have to force quite firefox.
Summary: Self-signed SSL certificates generated by Plesk control panel make the webpage inaccessible. → Cannot add exception for SSL certificates with sec_error_bad_signature
Updated•17 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 4•17 years ago
|
||
Yeah, that's all the way broken, alright. Clearly something about bad signatures is sending us into a tailspin, bit it's also pretty surprising that we would find a signature broken that other common SSL stacks confirm. In either event, this dialog is PSM code, so moving to Core:Security UI
Assignee: nobody → kengert
Component: General → Security: UI
Flags: blocking-firefox3?
Product: Firefox → Core
QA Contact: general → ui
Version: unspecified → Trunk
Updated•17 years ago
|
Flags: blocking1.9?
Comment 5•17 years ago
|
||
I'm seeing something similar to this; however, the invalid cert that I see is rejected with sec_error_ca_cert_invalid. Also, I'm able to cancel the "Add Exception" dialog box with the cancel button. Is this likely the same issue?
Comment 6•17 years ago
|
||
(In reply to comment #5) > I'm seeing something similar to this; however, the invalid cert that I see is > rejected with sec_error_ca_cert_invalid. Also, I'm able to cancel the "Add > Exception" dialog box with the cancel button. Is this likely the same issue? Blake, are you saying that you, too, cannot add the exception? If so, is anything logged to the error console? Tom's report seems to be brokenness around our signature verification code, but sec_error_ca_cert_invalid is one of the cases that are well-anticipated, and has been successfully tested in the past, so you might be onto something subtle...
Comment 7•17 years ago
|
||
(In reply to comment #6) > Blake, are you saying that you, too, cannot add the exception? If so, is > anything logged to the error console? The answers to those questions are yes and no, respectively. The certificate is almost certainly invalid as both Firefox 2.0 and Safari both complain about it. Only, when I try to add https://1.1.1.1/?foo=bar as a security exception, clicking "add exception" does not do anything.
Comment 8•17 years ago
|
||
sec_error_bad_signature is treated as a "protocol error". I confirm, I get this error message with https://75.127.66.155:8443/ and conclude the cert is really broken. (Please provide more evidence should you believe that the cert is not broken and that we are incorrectly reporting this error) The SSL implementation is not willing/able to proceed when such technical inconsistencies are found. Therefore it's by design to reject the cert and not allow you to add an exception and would make the original request invalid. Regarding comment 3, that's a usability bug on our side that we should fix.
Comment 9•17 years ago
|
||
(In reply to comment #8) > > Regarding comment 3, that's a usability bug on our side that we should fix. I tried to reproduce the scenario that required you to force quit Firefox. I can't. I go to https://75.127.66.155:8443/ I get a popup with the error code. I dismiss the error code box with OK. I'm back at the add exception dialog. I can use cancel just fine. This was Linux. I see your report was about Mac. I tried the same on a Mac OSX 10.4.11 box with the latest Firefox nightly trunk build. Works exactly the same for me, I can't see a bug here. If you still can reproduce this "need to force quit on ssl protocol error", please file a separate bug report with more detailed steps to reproduce.
Comment 10•17 years ago
|
||
(In reply to comment #5) > I'm seeing something similar to this; however, the invalid cert that I see is > rejected with sec_error_ca_cert_invalid. (In reply to comment #7) > when I try to add https://1.1.1.1/?foo=bar as a security exception, > clicking "add exception" does not do anything. I don't understand, can you please be more detailed in your steps to reproduce? Here is my understanding: - you go to https://1.1.1.1/?foo=bar - you get an error page with sec_error_ca_cert_invalid right? at this point you should be able to use "page info" to view the cert. if you're able to view it, you should also be able to export it (using the export button on the cert details tab). Could you please export it as a full chain and attach it?
Comment 11•17 years ago
|
||
(In reply to comment #8) Note that in both Firefox 2.0 and IE 7.0, you can view the certificate from https://75.127.66.155:8443/ without seeing any error message indicating that the certificate is broken: For Firefox 2.0: 1. Enter URL https://75.127.66.155:8443/. 2. Click "Examine Certificate..." on pop up box. 3. Note that you are able to examine the certificate. For IE7: 1. Enter URL https://75.127.66.155:8443/. 2. Click "Continue to this website (not recommended)". 3. Left-click on "Certificate Error" (next to URL bar). 4. Click "View certificates". I'm not sure how you conclude that the certificate is really broken (on the basis that Firefox 3.0 can't parse it - though IE and Firefox 2.0 apparently can).
Comment 12•17 years ago
|
||
(In reply to comment #11) > > For Firefox 2.0: > 1. Enter URL https://75.127.66.155:8443/. > 2. Click "Examine Certificate..." on pop up box. > 3. Note that you are able to examine the certificate. Thanks for pointing this out. I didn't see that, because I was testing Firefox 2 with newer NSS 3.12, which shows the same behavior as Firefox 3. I filed bug 405966 to analyze whether this is a regression in NSS.
Comment 13•17 years ago
|
||
Note that the trunk SeaMonkey is also unable to add an exception for this error. The error dialog appears when you try to fetch the cert using the cert manager, with the result that you cannot view the cert or add the exception. I don't know why SM behaves differently than FF this way.
Comment 14•17 years ago
|
||
When I try to view page info for the invalid cert page, I get the following in my error console: Error: uncaught exception: [Exception... "Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsIX509Cert.issuerName]" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: chrome://browser/content/pageinfo/security.js :: anonymous :: line 41" data: no] I was able to access the cert through the exception box; however, and I'll attach the export in a second. I really do think the cert is invalid. It's only used on the page that verifies wireless credentials at my school, so I don't think anybody put too much thought into making it valid.
Comment 15•17 years ago
|
||
This is what I get when I click "export."
Comment 16•17 years ago
|
||
(In reply to comment #13) > Note that the trunk SeaMonkey is also unable to add an exception for this > error. The error dialog appears when you try to fetch the cert using the > cert manager, with the result that you cannot view the cert or add the > exception. That's exactly what happens with Firefox trunk, too. > I don't know why SM behaves differently than FF this way. I think we confused you. As I understand it, Firefox trunk and SeaMonkey trunk behave identically. It's Firefox 2.0 which behaves differently. Firefox 2 uses NSS 3.11 - works Firefox trunk uses NSS 3.12 - broken SeaMonkey trunk uses NSS 3.12 - broken When I did my initial tests, I used a non standard configuration, Firefox 2 with NSS 3.12, which is broken, too.
Comment 17•17 years ago
|
||
I think this bug probably has the same cause as bug 405399. Perhaps they should be combined. Perhaps we should revisit the list of error codes for which cert exceptions can be made. Given that the new cert exception feature does not bestow the same broad level of trust on the cert as the old method did, it may be reasonable to allow exceptions for certs that have errors that would have made them ineligible for receiving a trust flag.
Updated•17 years ago
|
Flags: blocking1.9? → blocking1.9+
Priority: -- → P2
Comment 19•16 years ago
|
||
It seems this is now WORKSFORME. Did you change the server cert? Or did we fix some code?
Comment 20•16 years ago
|
||
In particular, NSS complains the cert has "!invalid AVA!" for both issuer and subject names.
Comment 21•16 years ago
|
||
The subject and issuer names in this cert are irrelevant to the error reported. Erroneous reports of sec_error_bad_signature are the subject of bug 405966 which is now fixed on the trunk (but not yet taken in FF). Bug legitimate sec_error_bad_signature errors can and still do occur. This bug should be seen an an issue about whether exceptions can be added for certs that exhibit that error (regardless of whether the error is accurate or erroneous).
Updated•16 years ago
|
Flags: tracking1.9+ → wanted-next+
Comment 22•16 years ago
|
||
Hi, I'm having the same problem as Blake, in that when the wireless network at my school redirects me to its authentication page I get the sec_error_ca_cert_invalid error and I can't add the security exception. In the exception dialog box, I can get the certificate, but clicking the "Confirm Security Exception" button does nothing. (It isn't grayed out, but nothing at all happens when I click it.) Unfortunately, this prevents me from using the wireless network without using an older version of firefox or another browser for authentication. I'm using ff 3 beta 5 with linux.
Comment 23•16 years ago
|
||
Caleb, the version you are testing is outdated and does not yet have the fix. You may get and test the newer Firefox 3 RC1.
Comment 24•16 years ago
|
||
Great, thanks for fixing this.
Updated•14 years ago
|
Assignee: kaie → nobody
Whiteboard: [psm-cert-exceptions]
Comment 25•13 years ago
|
||
same issue here.
Comment 26•13 years ago
|
||
Comment 27•13 years ago
|
||
(In reply to SIRavecavec from comment #26) You shouldn't get this error on bugzilla.mozilla.org, which is using a good cert. Can you reproduce on a different computer? Are you suffering from a man-in-the-middle attack or is your network connection unreliable (corrupted data transfer)?
Comment 28•12 years ago
|
||
I'm currently seeing this issue with Firefox Nightly on a Mac. There is no way to add an exception so Firefox is just unusable for getting to the site I'm trying to go to (a HP iLO web UI).
Comment 29•12 years ago
|
||
Eric, you might experience this because we recently changed Firefox to reject insecure MD5 signatures (bug 650355). The site probably uses an certificate with a MD5 signature. Would you be willing to share the link of the site (either in private to me, or in that bug 650355). Maybe we should open a new evangelism bug to track sites that need to upgrade?
Comment 30•12 years ago
|
||
It's the out of band management interface for HP servers so upgrading the site would require HP to publish new firmware. It's only internally accessible within Mozilla so would you be able to get to it?
Comment 31•12 years ago
|
||
Eric, it's highly discouraged to use MD5, because it's no longer secure. But if your environment absolutely requires you to work with MD5 signatures, you can toggle the preference mentioned in bug 650355.
Comment 32•12 years ago
|
||
My hardware requires it (and it's quite common hardware so sysadmins around the world will need to know about this setting until HP catches up with modern encryption). I'll give security.enable_md5_signatures a try, thanks so much!
Comment 33•12 years ago
|
||
FWIW I get this message in *both* Firefox 15.0 (MS Windows) and 3.6.28 (Linux) for an internal website signed by my company's own certificate. Both Chrome and IE8 accept the certificate. (All browsers have my company's certificates installed for authority). Bits of info from those two browsers' view of the certificates: IE: Version: V3 Signature Algorithm: sha1RSA Valid from: 30 August 2012 13:56:57 Valid to: 30 August 2017 13:56:57 Public key: RSA (1024 bits) Chrome: .... is encrypted with 128-bit encryption The connection uses TLS 1.0 The connection is encrypted using RC4_128, with SHA1 for message authentication and ECDHE_RSA as the key exchange mechanism. (Today isn't the first time I've hit this - just that I hit it again today with a new certificate - I usually use The website is run by a tomcat server which has this just this key in, along with the relevant company certificate, added via keytool as -trustedcacerts As this is internal you can't all have a look, but it does show that: a) Firefox does reject certificates which other browsers accept b) When it does so you are completely stuck, as their is *no way to view that web site at all* in Firefox. c) The error message isn't helpful, as you can't see *why* FF thinks the signature is bad (although that might be inevitable...)
Comment 34•12 years ago
|
||
"I usually use " was meant to continue with "4096-bit certs, as they seem to be OK". The one with the problem is a 2048-bit one.
Comment 35•12 years ago
|
||
This continues to be a *serious* problem (for me). I can't use Firefox 17.0.1 (on Windows *or* Linux) to connect to sites with certs signed with my company's internal 2048-bit signing authority certificate. (The 4096-bit ones are OK, but most sites don't use those...) IE, Chrome and wget all work with the same signing certificate when I connect to same sites. And Firefox doesn't give me *ANY* way to override this!!! So Firefox is stuffed!!
Comment 36•11 years ago
|
||
I have to confirm, that this problem is a really serious one for me too. Although that issue seems to be fixed in Firefox 18, an upgrade to this version is no practical way due to the much more higher cpu-usage especially while many tabs are opened. So either Mozilla get the problem with the certificates fixed soon, or they make the new version v18 cpu-friendly. But at the moment, I have to say with tearful eyes: Firefox is getting worse with any new major-release...
Updated•11 years ago
|
Whiteboard: [psm-cert-exceptions] → [no "me too" comments please, we all agree it's a problem, it's simply very difficult to fix][psm-cert-exceptions]
Comment 37•11 years ago
|
||
This issue persists for me (18.0.1). It has been an issue with *all* versions of Firebox for the last 3+ years (at least). Not sure why there is a problem in allowing an override, given that it is done elsewhere, but I suppose there might be a difference between accepting a certificate that looks OK, but you can't validate to a know source, and one that you can't make sense of at all. And if you don;t want "me too" posts it would help to say what people *should* do if they are suffering the same issue. Vote for it? Add themself as a cc? (there are far more ccc's than votes on this one).
Comment 38•11 years ago
|
||
It seems that this issue is not interesting for the dev team. 3 years and the problem still persist in version 20.0. It's incredible that you cannot add an exception where both Safari and Internet Explorer has no problem to do this. It seems that developers thinks that you have to buy a commercial certificate even when you are in development with your app ... incredible! Of course it's UNUSABLE for DEVELOPMENT!
Comment 39•11 years ago
|
||
Some info for my case. Where I work we have 4 internal CA roots, for 1024-, 2048-, 3072- and 4098-bit certificates signings. So the 4 public CA root certificates need to be loaded into Firefox so that it will accept certificates signed by them - which I do. But now Firefox refuse to accept any 2048-bit signed certificates - and also refuses to let me add any exceptions for them. It *is* happy with 1024- and 4096-bit ones. HOWEVER, if I removed the 3072-bit root CA from Firefox it will now *accept* the 2048-bit signed certificates!! And, in case anyone is listening, it was still a problem at FF 22.0.
Comment 40•11 years ago
|
||
Some more info here. Which might be significant? It runs out that those 4 root CAs have some Subject fields with a trailing space on. But the 2k-bit and 3k-bit ones share the same space-oddity. So it appears that I have two different certificates for the same root CA - a 2k-bit and a 3k-bit one, and Firefox is only checking the 3k one? It is certainly only checking the 3k one, as I've tracked that down to the code in pk11obj.c in PK11_VerifyRecover that calls C_VerifyRecover. Unfortunately at that point I'm stuck, as o C_VerifyRecover is a function call lookup in a array, and I can't see what actually gets called o I'm having problems tracking backwards to find out where the original call to CERT_VerifyCertChain came from. However - some questions; o is it legal to have different types of root CA with the same "Subject" (bear in mind that IE and Chrome seem to handle these same root CAs OK). o is Firefox set up to handle this if it exists?
Comment 41•11 years ago
|
||
I am having the same issue, my chain is like this (from leaf to root): 1: 2048 bit (SHA256 signature) SSL server certificate 2: 2048 bit (SHA256 signature) intermediary CA 3: 4096 bit (SHA1 signature) intermediary CA 4: 1024 bit (SHA1 signature) root CA If I try to open the site I get the sec_error_bad_signature page. Now, if I add the CAs to the Authorities list and set the 4096 bit one to full trust, I can access the website. In my view, there seems to be some issue with 4096 bit CAs.
Comment 42•11 years ago
|
||
Gordon, Paul: Thank you for reporting your experience with this issue. Could you please attach all the relevant certificates (end-entity, intermediates, and roots) to this bug using the "add attachment" interface in this bug? If you don't want to share them publicly, there will be checkbox in the "add attachment" interface for making the attachment private. Alternatively, please add the certificates as attachments to an email to cviecco@mozilla.com; dkeeler@mozilla.com; brian@briansmith.org. If you have certificates with the same or similar subject names or trailing spaces or whatnot, please include all variants of them that you think might be relevant. Thanks in advance.
Flags: needinfo?(paul)
Updated•11 years ago
|
Flags: needinfo?(gordon.lack)
Comment 43•11 years ago
|
||
Brian, I've just sent an E-Mail to the addresses you listed with an example certificate chain that exhibits this problem. If you guys don't receive that properly, feel free to let me know through Bugzilla. I realize I wasn't one of those you requested info from, but hopefully it will still be useful. It's worth noting that much like Paul, we have an intermediate cert with a 4096 bit signature. So there's a good chance that's where the problem lies.
Comment 45•11 years ago
|
||
I am having the same issue with https://www.google.com or gmail behind an enterprise proxy zscaler. Using FF 25.0.1 under Mac OSX 10.6.8 without proxy configured I can reach gmail without problem. Configuring proxy it fails with FF with error "Code d'erreur : sec_error_bad_signature", while it works with Google Chrome and Safari. Issue seems to have appeared with 25.0.1 (worked before)
Comment 46•10 years ago
|
||
I've had this problem a few times. Today I had the problem when I connected to a Fiddler web debugging proxy on a remote box. I already had a Fiddler CA certificate trusted on the local box and I suspect not being able to differentiate between the two might have something to do with this problem. I've made a small example. Attached are two CA certificates and I signed a certificate for localhost with each of them: box1.FiddlerRoot.cer box1.localhost.pem box2.FiddlerRoot.cer box2.localhost.pem I used makecert in the Fiddler directory to make the localhost certificates: makecert.exe -pe -ss my -n "CN=localhost, O=DO_NOT_TRUST, OU=Created by http://www.fiddler2.com" -sky exchange -in DO_NOT_TRUST_FiddlerRoot -is my -eku 1.3.6.1.5.5.7.3.1 -cy end -a sha1 -m 132 -b 03/27/2013 As long as the box they come from is the same everything is fine in Firefox but if I trust a different box CA than the one that's signed the presented certificate I get sec_error_bad_signature with no option for an exception. box1.FiddlerRoot.cer box2.localhost.pem box2.FiddlerRoot.cer box1.localhost.pem To reproduce create a new Firefox profile and trust box1 or box2, for example box2.FiddlerRoot.cer: Options > Advanced > Certificates > View Certificates > Authorities > Import Now start a server with the key from the other box (box1 in this example): socat openssl-listen:4433,reuseaddr,cert=box1.localhost.pem,verify=0,fork - In Firefox (tested in Firefox 24 ESR) go to https://localhost:4433/ An error occurred during a connection to localhost:4433. Peer's certificate has an invalid signature. (Error code: sec_error_bad_signature) In the past as a workaround for sec_error_bad_signature I've removed cert8.db. If you do that you'll lose everything but the hard coded NSS CA certificates. I've since been using certutil to add certificates to a cert8.db for default profiles so for now I guess I can reset to that cert8.db or trust all Fiddler certificates by manually adding them to cert8.db which will probably look something like this: certutil -A -n "DO_NOT_TRUST_FiddlerRoot - DO_NOT_TRUST" -t "CT,c,c" -i FiddlerRoot.cer -d ./ certutil -A -n "DO_NOT_TRUST_FiddlerRoot - DO_NOT_TRUST #2" -t "CT,c,c" -i FiddlerRoot2.cer -d ./ certutil -A -n "DO_NOT_TRUST_FiddlerRoot - DO_NOT_TRUST #3" -t "CT,c,c" -i FiddlerRoot3.cer -d ./ etc etc
Comment 47•10 years ago
|
||
I have same problem but with one note: If i install certificate signed by my self-signed CA certificate on IIS or linux Zimbra(8.0.6) - it works fine. But if i put private key, certificate and CA certificate to apache (using mod_ssl or mod_gnutls, version 2.2.14) or to webmin the Firefox shows me "sec_error_ca_cert_invalid" and doesn't allow add exception. Chrome, IE, .Net(System.Web.HttpUtility) work fine. My CA certificate is installed both in Windows registry and Firefox.
Comment 48•10 years ago
|
||
Additional note: if i extract certificate with key out from zimbra and put it to apache - problem disappear. So problem in certificates. Differences in certificates: Version: Invalid= V3, Valid= V1 Serial: Invalid=28, Valid=00 8c 23 ce f8 63 47 b9 4a Subject: Invalid - Additionally contain e-mail Other: Invalid certificate contains few additional fields: X509v3 Subject Alternative Name, X509v3 Subject Key Identifier, X509v3 Authority Key Identifier, X509v3 Basic Constraints (CA:TRUE)
Comment 49•10 years ago
|
||
As of last week, I still had this problem on FF versions 25 through 28, and as I recall, prior versions of FF. Which made me sigh and get frustrated and consume a lot of research time. I believe the issue of this report has WORKAROUND/TEMPORARY SOLUTION (I hope for all or most), until FF is patched, at the following article: So, a How-To Fix article has been published for it at http://technotes.whw1.com/computer-related/software/firefox/30-firefox-fix-to-no-exception-button-showing-when-invalid-ssl-certificate If you know how or got authority to modify top section of this report and have it reference to this comment or article as a temporary fix, please feel free to do so. It should help save people the frustration and higher blood pressure I experienced. If the article helps you resolve this problem but you got a different error screen message than the few displayed at the article site, then let me know or attach image to this ticket so I can add it as an additional example. Note that I think maybe report of bug 443972 is a duplicate, and other reports of bug 659736, bug 545606, and bug 660749 are related some how, but not duplicates.
Comment 50•10 years ago
|
||
(In reply to Tech Notes from comment #49) > As of last week, I still had this problem on FF versions 25 through 28, and > as I recall, prior versions of FF. Which made me sigh and get frustrated and > consume a lot of research time. > > I believe the issue of this report has WORKAROUND/TEMPORARY SOLUTION (I hope > for all or most), until FF is patched, at the following article: So, a > How-To Fix article has been published for it at > http://technotes.whw1.com/computer-related/software/firefox/30-firefox-fix- > to-no-exception-button-showing-when-invalid-ssl-certificate > > If you know how or got authority to modify top section of this report and > have it reference to this comment or article as a temporary fix, please feel > free to do so. It should help save people the frustration and higher blood > pressure I experienced. > > If the article helps you resolve this problem but you got a different error > screen message than the few displayed at the article site, then let me know > or attach image to this ticket so I can add it as an additional example. > > Note that I think maybe report of bug 443972 is a duplicate, and other > reports of bug 659736, bug 545606, and bug 660749 are related some how, but > not duplicates. This workaround work with certificates that don't have corresponding CA certificate in Firefox database or with self-signed server certificates. If i remove/rename cert8.db i get database clean of previously installed certificates. I can save certificate of new site as trusted and access this site. But if i install CA certificate of some group of sites that sites becomes completely untrusted with no possibility to override it (depending on conditions i've described before). Following uninstall of CA certificate resolve problem. /Nightly 31.0a1/
Comment 51•10 years ago
|
||
> I believe the issue of this report has WORKAROUND/TEMPORARY SOLUTION (I hope
> for all or most), until FF is patched, at the following article: So, a
> How-To Fix article has been published for it at
> http://technotes.whw1.com/computer-related/software/firefox/30-firefox-fix-
> to-no-exception-button-showing-when-invalid-ssl-certificate
I have tried this workaround in Mac (Mavericks) and didn't worked.
1) There is no cert_override.txt file.
2) The file is being auto generated after deleting it / renaming it.
This is getting annoying to do development in Mozzila, is there another known workaround or temp. fix ?
Comment 52•10 years ago
|
||
Please check Bug 1042889 As i think it is one side of bug described here.
Comment 53•10 years ago
|
||
The same problem with self-signed certificates, and it is even increasing. Started after upgrade to 31. On Windows 7, mostly. Deleting them (internal certificates) helped for a week (we were able to confirm security exception), but then, week later, the very same problem appeared again, on the same computers; it affects whole company and people are beginning to distrust Firefox, what is really really sad :-(( Please, fix it somehow...
Comment 54•9 years ago
|
||
Yup, "bad for business" is all I know. No way to get through to site with Firefox. All avenues blocked. With chrome there I am without a murmur. Bug 1227777.
This bug isn't particularly useful as-is. If anyone is having issues like this, please file a new bug in the product Core / component Security: PSM and include the error you're seeing, the site you're connecting to (if it's publicly-accessible), and the certificate chain the server is sending.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(paul)
Resolution: --- → INCOMPLETE
Comment 56•8 years ago
|
||
(In reply to David Keeler [:keeler] (use needinfo?) from comment #55) > ...include the error you're seeing, the site you're connecting to (if it's > publicly-accessible), and the certificate chain the server is sending. Isn't that what I did in Comment 44?
(In reply to Gordon Lack from comment #56) > (In reply to David Keeler [:keeler] (use needinfo?) from comment #55) > > ...include the error you're seeing, the site you're connecting to (if it's > > publicly-accessible), and the certificate chain the server is sending. > > Isn't that what I did in Comment 44? I didn't receive the email mentioned in comment 44. Brian isn't involved as much in Mozilla these days, so I think the fastest route would be for you to file a new bug or to email me if you would rather the certificate chain not be public. Thanks.
Comment 58•8 years ago
|
||
(In reply to David Keeler [:keeler] (use needinfo?) from comment #57) > > I didn't receive the email mentioned in comment 44. Brian isn't involved as > much in Mozilla these days, so I think the fastest route would be for you to > file a new bug or to email me if you would rather the certificate chain not > be public. Thanks. I've been retired for 2.5 years so can no longer check things out on my employer's internal Web sites. I did do some debugging on this though, and post #40 explains as far as I got, before getting lost in a maze of object method calls where I couldn't figure out where the objects were coming from. Note that there was no chain. This was an internal certificate authority. You got a key+certificate (?) for your web server, and all company browsers had the internal CA root installed in them.
Assignee | ||
Updated•8 years ago
|
Product: Core → Core Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•