Closed
Bug 1248536
Opened 9 years ago
Closed 8 years ago
Adding of permanent exception for SSL-Certificate served via https://[IP]/ not possible
Categories
(Core :: Security: PSM, defect)
Tracking
()
RESOLVED
DUPLICATE
of bug 1116625
People
(Reporter: roman.fiedler, Unassigned)
Details
Attachments
(1 file)
(deleted),
image/png
|
Details |
User Agent: Mozilla/5.0 (X11; Linux i686; rv:47.0) Gecko/20100101 Firefox/47.0
Build ID: 20160131030347
Steps to reproduce:
Connect to a site with https://[IP]:[Port]/ and SSL certificate issues from private CA (which is available in the CA store - not clear if this adds to the issue)
No options to add permanent exception
It is quite annoying, that this does not work: Management network gateway binds lot of SSL endpoints to one jump-IP, all with internal CA certificates. DNS-Name for cert would point to public IP of the system, so access via IP to get to mgmt access necessary.
Actual results:
Only options to add temporary exception, via preferences no way to import the certificate and make it valid for this IP/Port.
Expected results:
Allow adding of permanent exception: even through menues, preferences, ... would be OK (no fast click for stupid users) but any possibility to add those entries would be required.
With current implementation, users are just trained to click "add temporary exception" for any connection, that is not pure standard - without checking the certificate after some days. Hence not really suitable for daily work.
Current workaround: Use IE
Roman, in the bottom-left corner of the "Add Security Exception" dialog is a checkbox labeled "Permanently store this exception". Is this not what you're seeing? Or is the dialog not working as expected?
Component: Security: UI → Security: PSM
Flags: needinfo?(roman.fiedler)
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → INCOMPLETE
Reporter | ||
Comment 2•8 years ago
|
||
Yes, the checkbox and the label is here but the label is grey and the checkbox cannot be selected. There is no indication of reason, why it cannot be selected.
The message on the page before (the one with the "add exception" button) only says:
[IP] uses an invalid security certificate.
The certificate is not valid for the name [IP].
Error code: SSL_ERROR_BAD_CERT_DOMAIN
Status: RESOLVED → UNCONFIRMED
Resolution: INCOMPLETE → ---
Flags: needinfo?(roman.fiedler)
Is this in a private browsing window? Or do you have history configured to never remember history and/or clear history when you close Firefox?
(Also, if you keep the needinfo box checked when you submit a comment, it tells the person who asked you for the information that you've responded. This has the additional benefit that they can use the needinfo functionality again to ask for further information if necessary.)
Flags: needinfo?(roman.fiedler)
Reporter | ||
Comment 4•8 years ago
|
||
* No, not a private browsing window.
* History is cleared, but the SSL certificate will never make it to the history (as permanent exception checkbox cannot be selected")
* Clear the needinfo request for ..." checked
* Need more information from ... checked, filled - hope your username is correct, my GUI tells me, that you have 2 profiles with just 1 letter difference.
New information:
* It also happens with a normal https://[name]/ site where the certificate was issued for another subject, no SAN but custom root CA (working for other correct certs) plus intermediate CA.(In reply to
Flags: needinfo?(roman.fiedler) → needinfo?(dkeeler)
(In reply to Roman Fiedler from comment #4)
...
> * History is cleared, but the SSL certificate will never make it to the
> history (as permanent exception checkbox cannot be selected")
Hmmm - it looks like there's a slight difference between how the exception dialog behaves for "never remember history" vs. "clear history when Firefox closes" - can you post a screenshot of the privacy tab of preferences?
Also, do you have any add-ons installed?
> * Need more information from ... checked, filled - hope your username is
> correct, my GUI tells me, that you have 2 profiles with just 1 letter
> difference.
Yep - you got the right one.
Flags: needinfo?(dkeeler) → needinfo?(roman.fiedler)
Reporter | ||
Comment 6•8 years ago
|
||
(In reply to David Keeler [:keeler] (use needinfo?) from comment #5)
> (In reply to Roman Fiedler from comment #4)
> ...
> > * History is cleared, but the SSL certificate will never make it to the
> > history (as permanent exception checkbox cannot be selected")
>
> Hmmm - it looks like there's a slight difference between how the exception
> dialog behaves for "never remember history" vs. "clear history when Firefox
> closes" - can you post a screenshot of the privacy tab of preferences?
See attachment.
> Also, do you have any add-ons installed?
about:addons
Tamper Data
about:plugins
OpenH264 Video Codec provided by Cisco Systems, Inc.
I will try with addons disabled after restarting.
Reporter | ||
Comment 7•8 years ago
|
||
Reporter | ||
Comment 8•8 years ago
|
||
Deactivation of addon did not change the behaviour.
Flags: needinfo?(roman.fiedler) → needinfo?(dkeeler)
Thanks for the detailed information, Roman. It looks like this is the same as bug 1116625. Essentially, when Firefox has been configured to never remember history, it assumes the user never wants to permanently save a certificate error override since that essentially saves a little bit of history (the file backing that feature keeps track of the hostname the override is for). Hence, the checkbox is disabled. My idea in that bug was to add a little mouseover text that explains the situation, but it hasn't been implemented yet.
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago → 8 years ago
Flags: needinfo?(dkeeler)
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•