Closed Bug 688822 Opened 13 years ago Closed 8 years ago

SSL Certificate warning confirm exception button does not do anything

Categories

(Core :: Security: PSM, defect, P1)

Product:
Core
Component:
Security: PSM
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1092243

People

(Reporter: barnett.thomas, Unassigned)

References

(Depends on 1 open bug,
URL
)

Details

(Keywords: regression, Whiteboard: [psm-cert-exceptions][psm-roadblock])

Attachments

(1 file)

Screenshot: Broken Error Page
(deleted), image/png
Details 
sub.example.com is a domain hosted on WHM/cPanel. cPanel provides a control panel accessed via https://sub.domain.com:2083 with a self-signed certificate.

sub.domain.com also has a valid SSL certificate from a CA recognized by Firefox.

Using Firefox, user visits https://sub.domain.com:2083 and accesses cPanel after usual certificate warning, adding exception, permanently storing and confirming the exception. 

This works as long as user does not visit the actual site https://sub.domain.com. Once the domain itself is visited https://sub.domain.com:2083 does not work anymore and access to cPanel control panel is not possible. The usual certificate warning is given, but "Confirm exception" button does not do anything.

These are the steps followed to repeat the problem
1- Create a new profile, no add-ons
2- Visit https://sub.domain.com:2083 (cPanel, cert warning)
3- Add exception
4- Confirm exception, permanently store
5- cPanel control panel is displayed
6- Visit https://sub.domain.com (actual site with valid SSL cert)
7- Repeat steps 2-4, "Confirm exception" does nothing, staying in "This Connection is Untrusted" page
9- Remove stored exceptions from "Options...> Servers and Authorities
10- Delete cert8.db and cert_override.txt in the profile
11- Restart and try step 7, with the same result.

This does not happen in Internet Explorer 8,9 or Chrome 13,14
Can you provide a minimized testcase or URL which reproduces this bug?
Keywords: testcase-wanted
Also, is the certification self-signed? If so, this is likely a duplicate of bug 552976.
It turns out that this is due to caching by a downstream proxy.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → INVALID
oops, no. after access to actual domain, the problem is still there.

Here is the URL you can try.

1- Visit https://shop.baileyguitars.co.uk:2083 -> cert warning, perm. store and confirm exception. cPanel login page displays.
2- Visit https://shop.baileyguitars.co.uk
3- Try step 1 again. "Confirm exception"  button does not do anything
Status: RESOLVED → UNCONFIRMED
Resolution: INVALID → ---
I just tried your steps in comment 4 in Firefox 8.0b1 and I cannot reproduce this bug.

1) Visit https://shop.baileyguitars.co.uk:2083 

Connection is Untrusted page because...
"The certificate is not trusted because it is self-signed"
"The certificate is only valid for vps.comptayr.co.uk"
"Error code: sec_error_untrusted_issuer"

2) "I Understand the Risks" > "Add Exception" > "Confirm Security Exception" and check "Permanently store this exception"

cPanel login page appears

3) Visit https://shop.baileyguitars.co.uk

Page loads with a BLUE site identity background displaying the following identity info:
"You are connected to baileyguitars.co.uk which is run by (unknown) Verified by Starfield Technologies Inc."

4) Click the BACK button

Popup notification displaying the same information in step 1.

5) Visit https://shop.baileyguitars.co.uk:2083 

Connection Untrusted page displays with the same information as step 1. However, this time the "I Understand the Risks" section is non-existent.
URL: https://shop.baileyguitars.co.uk:2083
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: testcase-wanted
OS: Windows 7 → All
Hardware: x86 → All
Version: 6 Branch → unspecified
Attached image Screenshot: Broken Error Page (deleted) — 

    
    

    
  
Thomas, would you kindly use our mozregression tool to see if this is a regression?

http://harthur.github.com/mozregression/
Keywords: regressionwindow-wanted

    
    

    
  
Tested with STR in comment#5.

Regression window(cached m-c hourly),
Works:
http://hg.mozilla.org/mozilla-central/rev/46f402c75824
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b5pre) Gecko/20100824 Minefield/4.0b5pre ID:20100824084651
Fails:
http://hg.mozilla.org/mozilla-central/rev/a90640c20652
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:2.0b5pre) Gecko/20100824 Minefield/4.0b5pre ID:20100824110352
Pushlog:
http://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=46f402c75824&tochange=a90640c20652

Triggered By:
5dc3c2d2dd4f	Sid Stamm — Bug 495115 - Implement Strict-Transport-Security to allow sites to specify HTTPS-only connections, r=kaie+honzab+bjarne, a=betaN+
Blocks: 495115

    
  
Component: Security → Security: PSM
Priority: -- → P1
Product: Firefox → Core
QA Contact: firefox → psm
Whiteboard: [psm-cert-exceptions][psm-roadblock]

    
    

    
  
This might be related to bug 660749, but it sounds sufficiently different to keep it as a separate bug.
Depends on: CVE-2011-0082

    
    

    
  
Given comment 8 this is almost certainly bug 1092243.
Status: NEW → RESOLVED
Closed: 13 years ago8 years ago
Resolution: --- → DUPLICATE

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: