No button to add security exception for sec_error_unknown_critical_extension
Categories: Core :: Security: PSM, defect
People: Reporter: nelson, Unassigned
Details: Whiteboard: [psm-cert-exceptions]
This bug is very similar to Bug 403220, which is: "Cannot add exception for SSL certificates with sec_error_bad_signature".

I gather that PSM has a list of NSS/NSPR error codes for which it is willing to allow security exceptions to be created. That list presently does not include sec_error_unknown_critical_extension. IMO, it should. That list should be reviewed.
Comment 1•10 years ago
That's affecting me on Firefox 32. I can't access Brazilian government websites because they have their own chain (which is not included in Firefox).
Comment 2•10 years ago
As this works on Firefox 29 and Firefox 30 I'm marking it as a regression.
Sergio, this bug refers to a long-standing issue with what Firefox does when it decides it's encountered an unknown critical extension. This behavior hasn't changed recently. However, we've been developing a new certificate verification library which may make different decisions regarding whether or not to report that it has encountered an unknown critical extension. This behavior has changed recently, so we should track it in a separate bug. Please file a new bug under Product: Core, Component: Security: PSM with some example URLs where you've encountered this error. Thanks!
Comment 4•10 years ago
Thanks David. I've opened https://bugzilla.mozilla.org/show_bug.cgi?id=1009161 What's the bug number where you are tracking blockers?
We have no plans to allow overrides for unknown critical extensions.
Comment 6•5 years ago
So I have this problem where my router is experiencing the SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION error. I cannot access my router's configuration page because of this. How should I go about addressing an issue when I cannot access the resource to address the issue? Why is Firefox deciding that I don't deserve to make decisions for myself?
The answer is obvious. I don't use Firefox. But is that the kind of workaround the Mozilla team wants people to use?
Comment 7•5 years ago
Carlin, which critical extension did the router vendor add to the router's certificate?
By including that critical extension, the vendor has explicitly asked "don't connect to me unless you understand exactly how to treat my server certificate". Because Firefox is following the guidelines, that's what it does. The only way is to ask your vendor to find a way to support Firefox, or we could identify if it makes sense for Firefox to support that extension.
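The rule comment 7 describes, as an added example that is not part of the bug thread or Mozilla's code: stdlib-only Python that lists the extensions a certificate marks critical and flags any outside a known set, the condition behind SEC_ERROR_UNKNOWN_CRITICAL_EXTENSION. The `KNOWN` set, the function names and the `SAMPLE` bytes are assumptions constructed for illustration.

```python
# Illustrative set of extensions a client "understands" (assumption, not Firefox's list).
KNOWN = {"2.5.29.15", "2.5.29.17", "2.5.29.19", "2.5.29.37"}

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                  # long form: low 7 bits count the length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value):
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        yield tag, val

def oid_str(der):
    subs, n = [], 0
    for b in der:                      # base-128 subidentifiers
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            subs.append(n)
            n = 0
    first = min(subs[0] // 40, 2)      # first two arcs share one subidentifier
    return ".".join(map(str, [first, subs[0] - 40 * first] + subs[1:]))

def critical_extensions(cert_der):
    """Return [(oid, recognised)] for each extension marked critical."""
    _, cert, _ = read_tlv(cert_der, 0)                  # Certificate
    _, tbs = next(children(cert))                       # TBSCertificate
    found = []
    for tag, val in children(tbs):
        if tag == 0xA3:                                 # [3] EXPLICIT Extensions
            for _, ext in children(read_tlv(val, 0)[1]):
                fields = list(children(ext))            # extnID, [critical], extnValue
                oid = oid_str(fields[0][1])
                if fields[1][0] == 0x01 and fields[1][1] != b"\x00":  # BOOLEAN TRUE
                    found.append((oid, oid in KNOWN))
    return found

# Constructed skeleton (serial + extensions only), not a valid certificate.
SAMPLE = bytes.fromhex(
    "3032 3030 020101 a32b 3029"               # Certificate, TBS, serial, [3], list
    "300e 0603551d0f 0101ff 0404030205a0"      # keyUsage, critical
    "300c 0603883701 0101ff 04020500"          # 2.999.1 (example arc), critical
    "3009 0603551d11 04023000")                # subjectAltName, not critical
```

For a live server, `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))` produces the DER input when the browser's certificate viewer is unavailable; `host` and `port` are placeholders.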
Comment 8•5 years ago
I don't know what the extension was because the button I'd normally use to view that info was missing from the error page. The problem showed up after I've been accessing the router control panel using HTTPS for years. I've since replaced the certificate to get around the issue.
Comment 9•5 years ago
Here's what the error and site details look like:
https://i.imgur.com/5CGFgWX.png