Last Comment Bug 500148 - certificate exceptions don't work in every case
: certificate exceptions don't work in every case
Status: NEW
Product: Firefox
Classification: Client Software
Component: Security (show other bugs)
: 3.5 Branch
: All All
-- major with 1 vote (vote)
: ---
Assigned To: Nobody; OK to take it and work on it
Depends on:
  Show dependency treegraph
Reported: 2009-06-24 02:51 PDT by Wolfgang Rosenauer [:wolfiR]
Modified: 2009-06-24 09:08 PDT (History)
2 users (show)
See Also:
Crash Signature:
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Description User image Wolfgang Rosenauer [:wolfiR] 2009-06-24 02:51:19 PDT
The following is a bit hard to describe but I saw an example where Firefox' was completely locked when visiting a simple webpage (basically the webpage is also broken I think but FF should handle it better IMHO).

That is happening at least with FF3.5rc2

How to reproduce:
- visit
- you'll get a certificate warning as the CA is apparently not in NSS
- choose to add an exception for this certificate/site (temporary is enough)
- proceed to the site
- you will get more certificate warnings since the site refers to other hosts
  using the same certificate but you cannot add exceptions for them
- once the site is (more or less) loaded it will show a JS alert about not being able to load important JavaScript and you can't get rid of it anymore

Result: Your Firefox session became unusable because of the modal JS alert
Comment 1 User image Jo Hermans 2009-06-24 04:41:00 PDT
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1) Gecko/20090616 Firefox/3.5

works for me perfectly : no temporary exception was needed

I tested with a deleted cert8.db file, so that only built-in certificates would be used. The chain of certificates used by added the UTN-USERFirst=Hardware certificate (under AddTrust, serial number 26:21:1B:F5:2A:EB:51:B0:0B:FA:9F:DD:8D:36:DA:9E), while there is a similar named certificate (built-in) under The USERTRUST network, serial number 44:BE:0C:8B:50:00:24:B4:11:D3:36:2A:FE:65:0A:FD) I don't know if this is normal or not.
Comment 2 User image Wolfgang Rosenauer [:wolfiR] 2009-06-24 04:59:47 PDT
Oh, right. Checking with a fresh profile worked for me too.
The "AddTrust External CA Root" is marked as non-trusted for me but I can only partly remember why. There was an issue with that CA at some point:

Ok, still the main issue is not about this particular certificate but to reproduce it, it should be enough to uncheck the trust bits.

Note You need to log in before you can comment on or make changes to this bug.