Closed Bug 443972 Opened 16 years ago Closed 8 years ago

No button to add security exception for sec_error_unknown_critical_extension

Categories

(Core :: Security: PSM, defect)

defect
Not set
normal

Tracking

RESOLVED WONTFIX

People

(Reporter: nelson, Unassigned)

Details

(Whiteboard: [psm-cert-exceptions])

This bug is very similar to Bug 403220, which is:
Cannot add exception for SSL certificates with sec_error_bad_signature

I gather that PSM has a list of NSS/NSPR error codes for which it is 
willing to allow security exceptions to be created.  That list presently
does not include sec_error_unknown_critical_extension.  IMO, it should.

That list should be reviewed.
Summary: No link to add security exception for sec_error_unknown_critical_extension → No button to add security exception for sec_error_unknown_critical_extension
Assignee: kaie → nobody
Whiteboard: [psm-cert-exceptions]
That's affecting me on Firefox 32. I can't access Brazilian government websites because they have their own chain (which is not included in Firefox).
As this works on Firefox 29 and Firefox 30 I'm marking it as a regression.
Keywords: regression
Sergio, this bug refers to a long-standing issue with what Firefox does when it decides it's encountered an unknown critical extension. This behavior hasn't changed recently. However, we've been developing a new certificate verification library which may make different decisions regarding whether or not to report that it has encountered an unknown critical extension. This behavior has changed recently, so we should track it in a separate bug. Please file a new bug under Product: Core, Component: Security: PSM with some example URLs where you've encountered this error. Thanks!
Thanks David. I've opened https://bugzilla.mozilla.org/show_bug.cgi?id=1009161

What's the bug number where you are tracking blockers?
We have no plans to allow overrides for unknown critical extensions.
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → WONTFIX

So I have this problem where my router is experiencing the SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION error. I cannot access my router's configuration page because of this. How should I go about addressing an issue when I cannot access the resource to address the issue? Why is Firefox deciding that I don't deserve to make decisions for myself?

The answer is obvious. I don't use Firefox. But is that the kind of workaround the Mozilla team wants people to use?

Carlin, which critical extension did the router vendor add to the router's certificate?

By including that critical extension, the vendor has explicitly asked "don't connect to me unless you understand exactly how to treat my server certificate". Because Firefox is following the guidelines, that's what it does. The only way is to ask your vendor to find a way to support Firefox, or we could identify if it makes sense for Firefox to support that extension.

I don't know what the extension was because the button I'd normally use to view that info was missing from the error page. The problem showed up after I've been accessing the router control panel using HTTPS for years. I've since replaced the certificate to get around the issue.

Here's what the error and site details look like:

https://i.imgur.com/5CGFgWX.png
