Closed Bug 688822 Opened 10 years ago Closed 6 years ago
SSL Certificate warning confirm exception button does not do anything
sub.example.com is a domain hosted on WHM/cPanel. cPanel provides a control panel accessed via https://sub.domain.com:2083 with a self-signed certificate. sub.domain.com also has a valid SSL certificate from a CA recognized by Firefox.
Using Firefox, user visits https://sub.domain.com:2083 and accesses cPanel after usual certificate warning, adding exception, permanently storing and confirming the exception. This works as long as user does not visit the actual site https://sub.domain.com. Once the domain itself is visited, https://sub.domain.com:2083 does not work anymore and access to cPanel control panel is not possible. The usual certificate warning is given, but "Confirm exception" button does not do anything.
These are the steps followed to repeat the problem:
1- Create a new profile, no add-ons
2- Visit https://sub.domain.com:2083 (cPanel, cert warning)
3- Add exception
4- Confirm exception, permanently store
5- cPanel control panel is displayed
6- Visit https://sub.domain.com (actual site with valid SSL cert)
7- Repeat steps 2-4, "Confirm exception" does nothing, staying in "This Connection is Untrusted" page
9- Remove stored exceptions from "Options...> Servers and Authorities"
10- Delete cert8.db and cert_override.txt in the profile
11- Restart and try step 7, with the same result.
This does not happen in Internet Explorer 8,9 or Chrome 13,14.
Can you provide a minimized testcase or URL which reproduces this bug?
Also, is the certification self-signed? If so, this is likely a duplicate of bug 552976.
It turns out that this is due to caching by a downstream proxy.
Status: UNCONFIRMED → RESOLVED
Closed: 10 years ago
Resolution: --- → INVALID
Oops, no. After access to actual domain, the problem is still there. Here is the URL you can try.
1- Visit https://shop.baileyguitars.co.uk:2083 -> cert warning, perm. store and confirm exception. cPanel login page displays.
2- Visit https://shop.baileyguitars.co.uk
3- Try step 1 again. "Confirm exception" button does not do anything.
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
I just tried your steps in comment 4 in Firefox 8.0b1 and I cannot reproduce this bug.
1) Visit https://shop.baileyguitars.co.uk:2083
   Connection is Untrusted page because...
   "The certificate is not trusted because it is self-signed"
   "The certificate is only valid for vps.comptayr.co.uk"
   "Error code: sec_error_untrusted_issuer"
2) "I Understand the Risks" > "Add Exception" > "Confirm Security Exception" and check "Permanently store this exception"
   cPanel login page appears
3) Visit https://shop.baileyguitars.co.uk
   Page loads with a BLUE site identity background displaying the following identity info: "You are connected to baileyguitars.co.uk which is run by (unknown) Verified by Starfield Technologies Inc."
4) Click the BACK button
   Popup notification displaying the same information in step 1.
5) Visit https://shop.baileyguitars.co.uk:2083
   Connection Untrusted page displays with the same information as step 1. However, this time the "I Understand the Risks" section is non-existent.
Thomas, would you kindly use our mozregression tool to see if this is a regression? http://harthur.github.com/mozregression/
Tested with STR in comment#5.
Regression window(cached m-c hourly),
Works:
http://hg.mozilla.org/mozilla-central/rev/46f402c75824
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b5pre) Gecko/20100824 Minefield/4.0b5pre ID:20100824084651
Fails:
http://hg.mozilla.org/mozilla-central/rev/a90640c20652
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b5pre) Gecko/20100824 Minefield/4.0b5pre ID:20100824110352
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=46f402c75824&tochange=a90640c20652
Triggered By:
5dc3c2d2dd4f Sid Stamm — Bug 495115 - Implement Strict-Transport-Security to allow sites to specify HTTPS-only connections, r=kaie+honzab+bjarne, a=betaN+
Component: Security → Security: PSM
Priority: -- → P1
Product: Firefox → Core
QA Contact: firefox → psm
This might be related to bug 660749, but it sounds sufficiently different to keep it as a separate bug.
Depends on: CVE-2011-0082
Given comment 8 this is almost certainly bug 1092243.
Status: NEW → RESOLVED
Closed: 10 years ago → 6 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 1092243