Closed Bug 473970 Opened 16 years ago Closed 16 years ago

turn off the sec_error_reused_issuer_and_serial error

Categories

(Firefox :: Settings UI, enhancement)

x86
Windows XP
enhancement
Not set
normal


RESOLVED DUPLICATE of bug 447847

People

(Reporter: ashley.black, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-GB; rv:1.9.0.5) Gecko/2008120122 Firefox/3.0.5

I am a network tech who prefers Firefox to IE when configuring all the various devices I need to. However, because of changing IPs and backups and copies of existing systems onto test boxes, the sec_error_reused_issuer_and_serial cert error occurs, and thus I am forced to switch to horrible horrible IE to continue to work on that test copy of the device.

Can there please please be a simple tick box option somewhere to disable this security feature, or at least provide a "proceed anyway, I know the risks" option? Even if it is the 4-mouse-click option that is needed for non-trusted certificates?

thanks
Ashley Black
Network security specialist.
JNCIS-SSL, JNCIS-FWV


Reproducible: Always

Steps to Reproduce:
1. Back up the config from an SSL device.
2. Restore the config onto a new box, thus creating a copy of the original box.
3. Attempt to HTTPS on to the copy box on a different IP/URL and, hey presto: sec_error_reused_issuer_and_serial

Actual Results:  
Forced to use IE for the rest of the testing on the copied box.

Expected Results:  
Provide an option asking "this is a possible hack attempt; if you are really really sure, you can proceed <here>, otherwise <get out of here>".

Run into this often, as do all my colleagues. The result is some of us have up to 4 different web browsers, when Firefox should be the one and only.

Hi Ashley,

I'm sympathetic to your plight. Particularly when dealing with machines that auto-generate certs badly, this can be a huge pain, and particularly given that you're a Firefox fan.

The problem here is that the combination of issuer+serial is the only way we can index certs reliably, so the issue isn't (just) about security, in which case we could let you override it, it's a fundamental assumption built into security certificate management.  I'm going to dupe this bug against bug 447847, where it originally came up, but don't read that bug unless you're feeling patient - it's a lot to go through, and not all the comments are friendly ones.

There are a couple of things that might make life a bit easier:

 - Use temporary exceptions instead of permanent, so that they're forgotten at the end of the session.  Maybe that means you're less likely to have the old cert around when you encounter the new ones?
 - Flip the browser.xul.error_pages.expert_bad_cert pref to true from about:config, so that you can more easily add an exception.
 - Likewise, set browser.ssl_override_behavior to 2, so that the exception dialog will pre-fetch the certificate.
 - You could also install the MitM-Me addon, to simplify some of this, but please be careful with that, since it neuters legitimate protections against MitM attacks, which do happen.

I'm sorry I don't have a better answer for you here.  Machines should really not duplicate issuer+serial, it breaks the relevant RFCs and also, quite unfortunately, our ability to manage our cert database.  If I could offer you a better solution there, I would.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
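The point in the reply above is that the NSS certificate store keys each certificate on its issuer Name plus serialNumber, so two distinct certificates that share that pair cannot both be stored, whatever the user clicks. The following is an added example, not code from this bug, from NSS or from Mozilla: it builds constructed, simplified DER certificates (stand-in key and signature blobs, not real appliance certificates) for the reporter's scenario, extracts the (issuer, serial) index key with a minimal DER reader, and reports which keys are shared by more than one distinct certificate. The same check can be run over real DER files exported from a set of appliances before deciding whether Firefox will accept them.

```python
"""Check a set of DER certificates for the condition behind
SEC_ERROR_REUSED_ISSUER_AND_SERIAL: two *different* certificates that share
the same (issuer, serialNumber) pair, which is the key the NSS cert store
uses to index certificates.  The DER helpers below build simplified,
constructed sample certificates (not real appliance certs, no real keys)."""
import hashlib
from collections import defaultdict


# --- minimal DER encoder, enough to build a Certificate skeleton ---------------
def der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v):
    # one spare byte so a leading 1 bit is never read as a negative INTEGER
    return der_tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def der_name(cn):
    # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, here a single commonName (2.5.4.3)
    atv = der_tlv(0x30, der_tlv(0x06, bytes([0x55, 0x04, 0x03])) + der_tlv(0x0C, cn.encode()))
    return der_tlv(0x30, der_tlv(0x31, atv))


# AlgorithmIdentifier for sha256WithRSAEncryption (1.2.840.113549.1.1.11)
SHA256_RSA = der_tlv(0x30, der_tlv(0x06, bytes([0x2A, 0x86, 0x48, 0x86, 0xF7, 0x0D, 0x01, 0x01, 0x0B])))


def make_cert(issuer_cn, serial, subject_cn, key_seed):
    """Constructed Certificate: tbsCertificate, signatureAlgorithm, signatureValue.
    The SubjectPublicKeyInfo and signature are stand-in digests of key_seed,
    so two 'appliances' that regenerate keys produce different certificates."""
    tbs = der_tlv(0x30,
        der_tlv(0xA0, der_int(2))                              # [0] version v3
        + der_int(serial)                                      # serialNumber
        + SHA256_RSA                                           # signature
        + der_name(issuer_cn)                                  # issuer
        + der_tlv(0x30, der_tlv(0x17, b"090101000000Z") + der_tlv(0x17, b"190101000000Z"))
        + der_name(subject_cn)                                 # subject
        + der_tlv(0x30, der_tlv(0x03, b"\x00" + hashlib.sha256(key_seed).digest())))
    sig = der_tlv(0x03, b"\x00" + hashlib.sha256(tbs + key_seed).digest())
    return der_tlv(0x30, tbs + SHA256_RSA + sig)


# --- minimal DER reader ---------------------------------------------------------
def der_read(buf, pos):
    """Return (tag, value_start, value_end) of the TLV at buf[pos] (single-byte tags)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n


def der_children(buf, start, end):
    """Split buf[start:end] into (tag, whole_tlv, value) triples."""
    out = []
    while start < end:
        tag, vs, ve = der_read(buf, start)
        out.append((tag, buf[start:ve], buf[vs:ve]))
        start = ve
    return out


def issuer_and_serial(cert_der):
    """The NSS index key: raw DER of the issuer Name plus raw serialNumber content bytes."""
    _, s, e = der_read(cert_der, 0)
    tbs_tlv = der_children(cert_der, s, e)[0][1]
    _, ts, te = der_read(tbs_tlv, 0)
    fields = der_children(tbs_tlv, ts, te)
    if fields[0][0] == 0xA0:            # skip OPTIONAL [0] EXPLICIT version
        fields = fields[1:]
    serial_bytes, issuer_der = fields[0][2], fields[2][1]
    return issuer_der, serial_bytes


def find_reused_issuer_and_serial(certs):
    """Map each colliding (issuer, serial) key to the set of distinct cert fingerprints
    sharing it; an empty result means every key identifies exactly one certificate."""
    index = defaultdict(set)
    for der in certs:
        index[issuer_and_serial(der)].add(hashlib.sha256(der).hexdigest())
    return {k: v for k, v in index.items() if len(v) > 1}


def demo():
    """Reporter's scenario, constructed: a restored config on a second box makes the
    appliance regenerate its self-signed cert with a fresh key but the same issuer DN
    and serial counter value (1).  A third box with serial 2 does not collide."""
    original = make_cert("appliance-ca", 1, "appliance-ca", b"key-on-production-box")
    clone = make_cert("appliance-ca", 1, "appliance-ca", b"key-on-test-box")
    other = make_cert("appliance-ca", 2, "appliance-ca", b"key-on-third-box")
    return find_reused_issuer_and_serial([original, clone, other])


if __name__ == "__main__":
    for (issuer, serial), prints in demo().items():
        print("reused issuer+serial: serial=%s, %d distinct certs" % (serial.hex(), len(prints)))
```

Note what does and does not collide: the same certificate seen twice (identical fingerprint) is harmless, because the store already holds exactly that entry; the error is reserved for a different certificate arriving under an existing key, which is why a box that regenerates its key but restarts its serial counter is the case that trips it.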
Thanks for the help anyway.