Open
Bug 545606
Opened 15 years ago
Updated 2 years ago
Need to distinguish "Exception already exists" from "Valid Certificate"
Categories
(Core :: Security: PSM, enhancement, P3)
Core
Security: PSM
Tracking
()
NEW
People
(Reporter: matt, Unassigned)
References
Details
(Keywords: uiwanted, Whiteboard: [psm-backlog])
Attachments
(2 files)
User-Agent: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2) Gecko/20100210 Fedora/3.6.1-1.matt1.fc12 Namoroka/3.6 Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.3a2pre) Gecko/20100209 Minefield/3.7a2pre After adding a security exception for a site, if I go back into the Certificate Manager and try to add another exception for the same site, the "Add Security Exception" dialog shows: "Valid Certificate This site provides valid verified identification. There is no need to add an exception." This is not accurate. The dialog should say something like the following: "Exception Already Exists You have already added a security exception for this site, and its identification has not changed since then." Reproducible: Always Steps to Reproduce: 1. Add a security exception for https://stepmaniam2.com . 2. Go to the Certificate Manager -> Servers tab -> Add Exception. 3. Enter https://stepmaniam2.com and press "Get Certificate". Actual Results: The dialog says "Valid Certificate". Expected Results: The dialog should say "Exception Already Exists" or similar.
Updated•15 years ago
|
Assignee: kaie → nobody
Whiteboard: [psm-cert-exceptions]
Do you see this also in Firefox 4 or newer?
Whiteboard: [psm-cert-exceptions] → [psm-cert-exceptions][bugday-2011-05-27]
Ah, wrong bug. This probably still exists.
Severity: normal → enhancement
This is a feature request to add better wording to the dialog.
Ignore comment 1 and comment 2, they were posted here wrongly (they should cancel each other). This is not Bug 659736. This bug does not argue whether the dialog decided incorrectly the cert is valid/exempted. The dialog decision is correct, just the reason for it is worded wrongly.
Comment 7•13 years ago
|
||
Here I have the same problem with SuSE 12.1 and firefox 9.0.1. I added the dialog example screenshot. Dialod are in Italian but shows the "erroneus" behaviour of Firefox. The selfsigned certificate is also expired because it belong to an UTM appliance (gibraltar).The dialog show "the certificate is valid so it isn't necessary to import" but I cannot browse the site
Comment 9•13 years ago
|
||
To be clear, this bug seems to bite when the untrusted SSL certificate of a site you already have an exception for is upgraded. 1. Have a site with an untrusted certificate (e.g. a gadget with a HTTPS admin page) 2. The site certificate is signed by an internal CA which is not known to the browser 3. Access the gadget, get the expected error "The certificate is not trusted because no issuer chain was provided" (code sec_error_unknown_issuer) 4. Create and confirm an exception to allow access to the site 5. internal CA cert expires 6. site administrator generates new CA cert and signs new site certificate (same domain name, same private key) 7. Try to access the gadget, get the same error "The certificate is not trusted because no issuer chain was provided" (code sec_error_unknown_issuer) as expected 8. Click "Add Exception" 9. The "Add Security Exception" dialog shows: "Valid Certificate This site provides valid verified identification. There is no need to add an exception." and the "Confirm Security Exception" button is greyed out, so you cannot set the new exception. 10. As a result is is _impossible_ to access the gadget from Firefox - you cannot get past the certificate error. Using a different, newly installed browser (rekonq) you are able to add the exception and connect to the gadget fine.
Comment 10•13 years ago
|
||
Using a brand new Firefox profile you can access the site (after first adding the exception), so it is definitely to do with stored exceptions. Deleting all references to the domain in Edit > Preferences > Encryption > View Certificates does not fix the problem. Deleting cert8.db from the user profile doesn't either. To get access to the sites which are locked out by this bug, the following seems to work: 1. Exit Firefox 2. Navigate into the profile directory 3. Move the following files to somewhere out of the way (in case you need them back): cert8.db cert_override.txt Cache OfflineCache 4. re-start Firefox 10.0.1. You will have to re-add all your exceptions, but it will now be possible to do so.
Updated•9 years ago
|
Whiteboard: [psm-cert-exceptions][bugday-2011-05-27] → [psm-cert-exceptions][bugday-2011-05-27][psm-backlog]
Updated•7 years ago
|
Priority: -- → P3
Whiteboard: [psm-cert-exceptions][bugday-2011-05-27][psm-backlog] → [psm-backlog]
Updated•2 years ago
|
Severity: normal → S3
You need to log in
before you can comment on or make changes to this bug.
Description
•