Open Bug 647976 Opened 13 years ago Updated 1 year ago

Certificate validation does not use Login or System keyrings


(Firefox :: Security, defect)

4.0 Branch





(Reporter: kplaakso, Unassigned)


User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_6_7; en-us) AppleWebKit/533.20.25 (KHTML, like Gecko) Version/5.0.4 Safari/533.20.27
Build Identifier: 20110318052756

FF4 uses only the unmodifiable System Roots keyring on OSX. However, it should also use the keyrings System (all users for this Mac) and Login (this user). Now the user cannot add a new root cert which FF4 would use to certify remote servers with SSL.

Reproducible: Always

Steps to Reproduce:
1. Find a server which has a certificate which was signed using a self-signed CA certificate
2. Add the CA sertificate to Login or System keyring
3. Go to the site using https

Actual Results:  
FF4 gives the "unsecure web site, add exception" page. 

Expected Results:  
Server connection is accepted based on the CA certificate in the Login or System keyring.

This bug is especially painful when using FF4 with Selenium webdriver, since a new, blank profile is used by default, and the CA cert cannot be added to FF4 certificate store before launching.
N.B.: This worked in FF3.
Version: unspecified → 4.0 Branch
Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.