Open Bug 545606 Opened 12 years ago Updated 4 years ago

Need to distinguish "Exception already exists" from "Valid Certificate"

Categories

(Core :: Security: PSM, enhancement, P3)

enhancement

Tracking

()

People

(Reporter: matt, Unassigned)

References

Details

(Keywords: uiwanted, Whiteboard: [psm-backlog])

Attachments

(2 files)

User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2) Gecko/20100210 Fedora/3.6.1-1.matt1.fc12 Namoroka/3.6
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.3a2pre) Gecko/20100209 Minefield/3.7a2pre

After adding a security exception for a site, if I go back into the Certificate Manager and try to add another exception for the same site, the "Add Security Exception" dialog shows:

"Valid Certificate

This site provides valid verified identification.  There is no need to add an exception."

This is not accurate.  The dialog should say something like the following:

"Exception Already Exists

You have already added a security exception for this site, and its identification has not changed since then."

Reproducible: Always

Steps to Reproduce:
1. Add a security exception for https://stepmaniam2.com .
2. Go to the Certificate Manager -> Servers tab -> Add Exception.
3. Enter https://stepmaniam2.com and press "Get Certificate".
Actual Results:  
The dialog says "Valid Certificate".

Expected Results:  
The dialog should say "Exception Already Exists" or similar.
Assignee: kaie → nobody
Whiteboard: [psm-cert-exceptions]
Do you see this also in Firefox 4 or newer?
Whiteboard: [psm-cert-exceptions] → [psm-cert-exceptions][bugday-2011-05-27]
Ah, wrong bug. This probably still exists.
Severity: normal → enhancement
This is a feature request to add better wording to the dialog.
Keywords: uiwanted
OS: Linux → All
Hardware: x86_64 → All
Version: unspecified → Trunk
Duplicate of this bug: 659736
Ignore comment 1 and comment 2, they were posted here wrongly (they should cancel each other). This is not Bug 659736.
This bug does not argue whether the dialog decided incorrectly the cert is valid/exempted. The dialog decision is correct, just the reason for it is worded wrongly.
firefox 7.0.1 (fr) linux ubuntu
Here I have the same problem with SuSE 12.1 and firefox 9.0.1. I added the dialog example screenshot. Dialod are in Italian but shows the "erroneus" behaviour of Firefox.
The selfsigned certificate is also expired because it belong to an UTM appliance (gibraltar).The dialog show "the certificate is valid so it isn't necessary to import" but I cannot browse the site
Duplicate of this bug: 720164
To be clear, this bug seems to bite when the untrusted SSL certificate of a site you already have an exception for is upgraded.

1. Have a site with an untrusted certificate (e.g. a gadget with a HTTPS admin page)
2. The site certificate is signed by an internal CA which is not known to the browser
3. Access the gadget, get the expected error "The certificate is not trusted because no issuer chain was provided" (code sec_error_unknown_issuer)
4. Create and confirm an exception to allow access to the site
5. internal CA cert expires
6. site administrator generates new CA cert and signs new site certificate (same domain name, same private key)
7. Try to access the gadget, get the same error "The certificate is not trusted because no issuer chain was provided" (code sec_error_unknown_issuer) as expected
8. Click "Add Exception"
9. The "Add Security Exception" dialog shows: 
"Valid Certificate

This site provides valid verified identification.  There is no need to add an exception." and the "Confirm Security Exception" button is greyed out, so you cannot set the new exception.
10. As a result is is _impossible_ to access the gadget from Firefox - you cannot get past the certificate error. Using a different, newly installed browser (rekonq) you are able to add the exception and connect to the gadget fine.
Using a brand new Firefox profile you can access the site (after first adding the exception), so it is definitely to do with stored exceptions.

Deleting all references to the domain in Edit > Preferences > Encryption > View Certificates does not fix the problem. Deleting cert8.db from the user profile doesn't either.

To get access to the sites which are locked out by this bug, the following seems to work:
1. Exit Firefox
2. Navigate into the profile directory
3. Move the following files to somewhere out of the way (in case you need them back):
cert8.db
cert_override.txt
Cache
OfflineCache
4. re-start Firefox 10.0.1. You will have to re-add all your exceptions, but it will now be possible to do so.
Whiteboard: [psm-cert-exceptions][bugday-2011-05-27] → [psm-cert-exceptions][bugday-2011-05-27][psm-backlog]
Priority: -- → P3
Whiteboard: [psm-cert-exceptions][bugday-2011-05-27][psm-backlog] → [psm-backlog]
You need to log in before you can comment on or make changes to this bug.