
can't store untrusted cert exception when FIPS enabled and unauthenticated

Status: UNCONFIRMED
Assignee: Unassigned
Product: Firefox
Component: Security
Reporter: Jared Jennings
Version: 3.6 Branch
Platform: x86_64, Linux
Firefox Tracking Flags: Not tracked
Opened: 7 years ago
Updated: 7 years ago

Description

7 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110421 Red Hat/3.6-1.el5_6 Firefox/3.6.17
Build Identifier: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.17) Gecko/20110421 Red Hat/3.6-1.el5_6 Firefox/3.6.17

When FIPS mode is enabled, and I haven't typed my Master Password yet, and I visit an untrusted site, and tell Firefox that I understand the risks, to add an exception and to save this exception permanently, when I click the "Confirm" button, nothing happens. 

Reproducible: Always

Steps to Reproduce:
1. Enable the security module's FIPS mode.
2. Log out of the Software Security Device (FIPS), if necessary.
2. Visit an untrusted secure site: e.g., use HTTPS to connect to a site with a self-signed certificate.
3. On the "Untrusted Connection" page, expand the "I understand the risks" section.
4. Click "Add Exception..."
5. Click "Get Certificate."
6. Make sure "Store this exception permanently" is checked.
7. Click "Confirm Security Exception."

Actual Results:  
The button clicks, but nothing happens. The security exception dialog box does not close, and the site I'm trying to trust doesn't load. If, after performing the steps, I look in the list of site certificates, the certificate for the site I'm trying to trust is not there.

Expected Results:  
The button clicks, the box closes, and the site I'm trying to trust loads. If I look in the list of site certificates, I see my newly trusted site's certificate in the list.

If, instead of step 6 above, I uncheck "Store this exception permanently," the box closes and the site loads. Of course, the certificate is not added to the list of trusted site certificates (Preferences/Advanced/Encryption/View Certificates/Servers).

If, instead of step 2 above, I log into the software security device instead of logging out, everything works as expected.

Comment 1

Can a security developer provide feedback here? Is this expected/designed?

(Reporter)

Comment 2

7 years ago
On a second reading, I need to revise my Expected Results:

The button clicks, another box pops up asking for my master password, and after I have provided that, the box closes, the site loads, etc.

Comment 3

Mozilla/5.0 (X11; Linux x86_64; rv:6.0a1) Gecko/20110511 Firefox/6.0a1

I've tried to reproduce this bug using the latest Nightly and am unable to reproduce it using the steps you provided. Here is what I did:

1) Preferences > Security > Master Password > set a master password
2) Preferences > Advanced > Security Devices > Enable FIPS
3) Select "FIPS 140 Cryptographic" from "Modules and Devices"
4) Click "Log Out" > OK, then close Preferences
5) Navigate to https://breitbart.tv (prompted for master password)
6) Enter my master password and click OK (Untrusted Connection error page loads)
7) Expand "I Understand the Risks" and click Add Exception
8) Click "Get Certificate", check "Permanently store...", and click "Confirm"

Final Result: 
Page loads

Can you please verify the same results using the latest nightly:
ftp://ftp.mozilla.org/pub/firefox/nightly/latest-mozilla-central/

Updated

7 years ago
Version: unspecified → 3.6 Branch