Closed Bug 416850 Opened 12 years ago Closed 12 years ago

Cannot recreate exception after deleting it

Categories

(Core :: Security: PSM, defect)

x86
macOS
defect
Not set

RESOLVED FIXED

People

(Reporter: marcia, Assigned: KaiE)

Attachments

(1 file)

Seen while testing Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9b3) Gecko/2008020511 Firefox/3.0b3 and while writing test cases for Bug 408432

If I create a security exception for the site referenced in the above bug using preferences and then delete it, when I try to re-add the exception in the Preferences UI I get a message that the security cert is valid.  Do I have to restart the browser in order for the cache to clear or is this supposed to happen dynamically when the exception is deleted? 

I exchanged mail with Kai regarding this, and here are his comments:

"I assume in your test, after you had added the exception, you connected to the site, which succeeded (because the exception was effective).

I think this caused the status of the site's certificate to get cached (with a good status).
This caching is temporary, at the https/SSL level.
(I'm not sure how long that caching will be active.)

You can force an immediate flush of that cached information using the "clear private data" feature found in the tools menu (it's sufficient to clear "authenticated sessions").

In my testing, if I execute that command prior to the add-exception-again step, I get the expected behavior (site reported as bad).

I confirm, when I simply do add-delete-add, the second add step will report the cert as good (due to caching).

Unfortunately we don't have fine-grained control over that cache, so we can't simply delete the cache for that given target address. All we could do is to clear the cache altogether (as done using the clear-private-data UI), but that would have the side effect of clearing any other authenticated sessions as well.

A bug would be good, so other people can comment. Maybe I'm wrong, and there is a better way to solve the problem. Maybe we need to release note what you found?"
Assignee: nobody → kengert
Component: Security → Security: PSM
Product: Firefox → Core
QA Contact: firefox → psm
Actually, I think we could use SSL_ClearSessionCache whenever we delete a security exception.

For example, we already do this each time the user imports or deletes a CRL.
Attached patch: Patch v1
Attachment #304019 - Flags: review?(rrelyea)
Comment on attachment 304019 (Patch v1)

r+ rrelyea
Attachment #304019 - Flags: review?(rrelyea) → review+
Attachment #304019 - Flags: approval1.9?
Comment on attachment 304019 (Patch v1)

a=beltzner for 1.9
Attachment #304019 - Flags: approval1.9? → approval1.9+
fixed
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → FIXED
Duplicate of this bug: 402710
Summary: Deleting a security exception and then re-adding it causes cert exception to remain valid → Cannot recreate exception after deleting it
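
The add-delete-add sequence discussed in this bug, as an added example that is not part of the bug report or the attached patch: a simplified Python model of a client whose session cache is consulted before certificate validation, run with and without a cache flush when the exception is deleted. The class, method names and host names are hypothetical, and the model assumes a resumed session skips validation entirely; it is not NSS or PSM code.

```python
# Simplified model, constructed for illustration. Not NSS or PSM code.
class ToyTlsClient:
    def __init__(self, untrusted_hosts):
        self.untrusted_hosts = set(untrusted_hosts)  # certs that fail validation
        self.overrides = set()       # user-approved security exceptions
        self.session_cache = set()   # hosts with a cached, resumable session

    def connect(self, host):
        """Return how the connection was accepted, or 'cert_error'."""
        if host in self.session_cache:
            # Assumption of this model: a resumed session is accepted
            # without validating the certificate again.
            return "resumed"
        if host in self.untrusted_hosts and host not in self.overrides:
            return "cert_error"
        self.session_cache.add(host)
        return "full_handshake"

    def probe_for_exception(self, host):
        """What an add-exception dialog would conclude about the site."""
        return "bad" if self.connect(host) == "cert_error" else "valid"

    def delete_override(self, host, clear_sessions):
        self.overrides.discard(host)
        if clear_sessions:
            # Coarse flush: every cached session is dropped, not just
            # the one for the host whose exception was deleted.
            self.session_cache.clear()


def add_delete_add(clear_sessions):
    """Return (first probe, probe after delete, sessions still cached)."""
    client = ToyTlsClient(untrusted_hosts={"selfsigned.example"})
    client.connect("bank.example")            # unrelated site, valid cert
    first = client.probe_for_exception("selfsigned.example")
    client.overrides.add("selfsigned.example")   # user adds the exception
    client.connect("selfsigned.example")         # visit succeeds, gets cached
    client.delete_override("selfsigned.example", clear_sessions)
    second = client.probe_for_exception("selfsigned.example")
    return first, second, sorted(client.session_cache)


if __name__ == "__main__":
    print("no flush:  ", add_delete_add(clear_sessions=False))
    print("with flush:", add_delete_add(clear_sessions=True))
```

Without the flush the second probe reports the site as valid; with it the site is reported as bad again, and the unrelated cached session is lost as well, which is the side effect mentioned in the quoted mail.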