Closed Bug 629558 Opened 13 years ago Closed 9 years ago

need way to disable intermediate SSL certificate cache to demonstrate SSL problems


(Core :: Security: PSM, enhancement)

Not set



Tracking Status
firefox41 --- fixed


(Reporter: GeertJan.deGroot, Assigned: arthur)


(Depends on 1 open bug, Blocks 1 open bug, )


(Whiteboard: [tor])


(1 file, 1 obsolete file)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv: Gecko/20101206 Ubuntu/10.04 (lucid) Firefox/3.6.13
Build Identifier: 3.6.13 (cfm'ed with multiple versions)

SSL certificates are never signed by CA certifcate anymore these days. In many cases, a chain of intermediate certificates is used. The SSL protocol specifies that these intermediate certificates are sent along with the own SSL certificate. People tend to misconfigure this these days, only sending the end certificate, not the complete chain.

Firefox caches these intermediate certificates. If you've been at a web site that uses and supplies these intermediates, then you can access the offending website without a warning of any kind.
The problem is so widely spread that, should firefox remove the cache, the world would break so this is not an option.

People who browse to offending sites from a clean browser with clean certificate chain, get a warning they don't understand and get tought to 'click through' the serious security warning message. This is wrong.

I would like to have a knob added that would disable the SSL intermediate cache. Developers can set the knob, get the error, and hopefully are clued up enough to know where they failed. For end users, nothing changes.

I spoke to zzxc and he doesn't know about such a knob either.

Reproducible: Always

Steps to Reproduce:
1. Start browser with clean profile
2. Browse to web site with incomplete SSL cert chain
3. Observe the SSL warning
4. Observe that, once the browser has obtained the certificate earlier, the browser no longer sends a warning.
Actual Results:  
Broswer produces warning when it shouldn't and not produce warning when it does.

Expected Results:  
verify the complete cert chain as supplied, or at least have an option to do this
NSS has a bunch of environment variables it uses to control various settings, but I don't know if there's a complete list or if this type of thing is on there.
Group: core-security
Component: Security → Security: PSM
Ever confirmed: true
QA Contact: toolkit → psm
It's PSM which caches intermediates.

There is currently no environemnt variable to influence that.
We need a proper consensus on the SSL handling. Currently it is too mixed. How can we have here the attitude of "the world would break" [if we don't continue accept invalid SSL certificates] when we are saying the issue is the website is setup incorrectly? Philosophically this is counter to why SSL exists. 

Then we go to other bugs such as Bug 435013 or Bug 385471 where "The issue itself is a bug in the device" and there should be no workaround in Firefox to **allow the website to function or be viewed** 

So on one end we are accepting broken SSL certificates WITHOUT EVEN PROMPTING OR WARNING THE USER and on the other end we are making it hard or almost impossible for users to access sites with "invalid SSL certificates"
I have been running into this issue for years, and would love to see it fixed. I just ran into it again. It makes it so the only way I can properly test a new SSL certificate setup is a fresh profile, and that profile can only be used once.
Rather than a pref to show a big error page, how about a small note in the Larry panel? (Bug 711816)

You can always create a new profile if you really want a bit error page.
Start with a new (empty) firefox profile, and switch to private browsing mode.

In this mode, Firefox doesn't remember intermediate CA certs.

Restart Firefox the empty firefox profile and private browsing mode for each site that you want to test.
Whiteboard: [tor]
Here's a patch that exposes a pref, 'security.nocertdb' to hold the intermediate certificate store in memory only. This patch is used in Tor Browser to avoid writing a user's browsing history to disk.
Attachment #8617659 - Flags: review?(dkeeler)
Comment on attachment 8617659 [details] [diff] [review]

Review of attachment 8617659 [details] [diff] [review]:

In terms of addressing the issue of debugging a server that might not be sending the appropriate intermediates, this patch is only slightly better than simply using a new profile (since you have to set the pref and restart Firefox). However, since it also addresses a use-case for Tor, it does seem like an overall improvement.

The commit message will have to be modified a bit. The "From:" field may or may not work (I think using a "User:" field is more common for mozilla-central). Also, the format of the summary should be "bug [number] - [description of changes] r=[reviewer]".

r=me with comments addressed.

::: security/manager/ssl/nsNSSComponent.cpp
@@ +743,4 @@
>  static const bool FALSE_START_ENABLED_DEFAULT = true;
>  static const bool NPN_ENABLED_DEFAULT = true;
>  static const bool ALPN_ENABLED_DEFAULT = false;
> +static const bool SECURITY_NOCERTDB_DEFAULT = false;

Since we're only accessing the preference once, this isn't necessary.

@@ +1016,2 @@
>      // First try to initialize the NSS DB in read/write mode.
>      SECStatus init_rv = ::mozilla::psm::InitializeNSS(profileStr.get(), false);

Please also fix this bug where we re-declare init_rv and thus always call NSS_NoDB_Init.
Attachment #8617659 - Flags: review?(dkeeler) → review+
Thanks for the review. Here's the patch with requested changes made.

Try results:
Attachment #8617659 - Attachment is obsolete: true
Keywords: checkin-needed
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla41
Depends on: 1216882
Assignee: nobody → arthuredelstein
Blocks: meta_tor
You need to log in before you can comment on or make changes to this bug.