Exception dialog needs to support cert across different ports

RESOLVED WONTFIX

Status

--
major
RESOLVED WONTFIX
11 years ago
2 years ago

People

(Reporter: mimecuvalo, Assigned: kaie)

Tracking

unspecified
Bug Flags:
blocking1.9 ?

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

11 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b2pre) Gecko/2007112405 Minefield/3.0b2pre
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9b2pre) Gecko/2007112405 Minefield/3.0b2pre

When opening sockets my extension would be able to add exceptions that would apply across different ports (and servers I believe for that matter).  Now, I think you guys have done a fantastic job with the new security improvements but it now restricts the exception to be valid for only a certain port.

The way FTP works, for those unfamiliar, you have the control connection on port 21 but the data connections are opened on various ports that are chosen dynamically at runtime.

So, I can bother the user to add an exception for the control connection, that's fine - but I can't have the user approve every single new port for every single transfer.

Reproducible: Always

Steps to Reproduce:
1. Install Filezilla FTP server on your machine.
2. Set it up and enable SSL/TLS support using Generate New Certificate... to create a self-signed cert.
3. Install the latest developer version of the FireFTP extension: http://nightlight.ws/fireftp.xpi
4. Create an account to connect to the localhost server with AUTH TLS enabled (under the Connections tab).
5. When connecting you will go through the exception dialog to add the cert.
6. The cert will be only valid for the control connection (on port 21).
7. That sucks :)
(Reporter)

Updated

11 years ago
Depends on: 401575
(Reporter)

Comment 1

11 years ago
And actually, if I could expand this bug, there is also the issue that the domain name and the IP address of a site are considered to be two different things as well.  So, a site which throws the invalid security error like:
https://www.kuix.de
and it's matching IP:
https://212.227.62.41

have to be separately approved.  The same is true for FTP here - I approve the domain name but then I start opening sockets to certain IP addresses.
(Reporter)

Updated

11 years ago
Summary: Exception dialog needs to support cert across different ports → Exception dialog needs to support cert across different ports (and domain/IP address)
You've got a point with your initial comments about the ports, nominating for consideration.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: blocking1.9?
(Reporter)

Comment 3

11 years ago
FWIW, I tried working around this issue by programmatically doing importServerCertificate but it interestingly produces the same problem.  In the UI it lists '*' for the server which would in theory make it valid for any server/port combo.
Please file a separate ("depends on") enhancement bug about the IP address, it's not as clear-cut a case and in fact I'm pretty dubious about it.
Summary: Exception dialog needs to support cert across different ports (and domain/IP address) → Exception dialog needs to support cert across different ports
(Assignee)

Comment 5

11 years ago
Re comment 1 and comment 4, Mime filed separate bug 405514.
(Assignee)

Comment 6

11 years ago
resolving as WONTFIX.

please reopen if you disagree.
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → WONTFIX
(Assignee)

Comment 7

11 years ago
Reason for my WONTFIX proposal:

- the reporter was able to work around the original issue, 
  see his comments in bug 405514

- I believe the "need two ports" is an edge case, and should be 
  worked around by the specific application scenario.
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.