Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 453103 - Firefox 3 does not handle self-signed wildcard certificates properly
Summary: Firefox 3 does not handle self-signed wildcard certificates properly
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: firefox
Version: 9
Hardware: All
OS: Linux
medium
low
Target Milestone: ---
Assignee: Gecko Maintainer
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2008-06-27 10:35 UTC by Nigel Jones
Modified: 2008-06-27 12:21 UTC (History)
1 user (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-06-27 12:21:14 UTC


Attachments (Terms of Use)

Description Nigel Jones 2008-06-27 10:35:47 UTC
Description of problem:
Firefox 3 is doing some really weird voodoo with self-signed wildcard SSL
certificates.

Now before the 'self-signed is a bad idea' lecture, I already know this, but
they are really useful for testing before you get the real thing.

Now the problem is, for testing a new concept setup of the Fedora Project
website I created a self-signed wild card SSL certificate,
'*.publictest10.fedoraproject.org' which is perfectly valid in every respect. 
When I go to 'https://be.publictest10.fedoraproject.org' the normal blocking
screen comes up:

"be.publictest10.fedoraproject.org uses an invalid security certificate.

The certificate is not trusted because it is self signed."

I click on the 'Add Exemption' button, get the certificate, verify it, notice it
has CN=*.publictest10.fedoraproject.org, and confirm the exception.

I THEN goto say https://bf.publictest10.fedoraproject.org and I get the _exact_
same message as when I first went to https://be...

Going to Edit->Preferences->Advanced->Encryption->View Certificates->Servers I
now have two entries, none of which have a 'Certificate Name' (which strikes me
as odd) and only appear to apply to one server host name each.

Version-Release number of selected component (if applicable):
firefox-3.0-1.fc9.x86_64

How reproducible:
Always

Steps to Reproduce:
Above
  
Actual results:
Above

Expected results:
One prompt per wild-card certificate, it's the same CN and everything.

Additional info:
I'm pretty certain this is a regression, I no longer have a machine with an
earlier version of Firefox to test with though.

If it's not a regression and actually 'hasn't been thought off' then my 
additional comments are:
There is A LOT of blank space on that dialog, may be if the cert is a wildcard
cert a Yellow box could appear basically saying 'Adding this exemption will
apply to all addresses matching "*.certdomain.tld"'.

But honestly, it's REALLY annoying for testing, and I know it's not something
that most every day users are going to be exposed to but sometimes internally or
for testing, a self-signed SSL certificate is all you need.

Comment 1 Kai Engert (:kaie) (inactive account) 2008-06-27 12:21:14 UTC
The new behaviour in firefox 3 is intentional.

Each SSL cert exception is bound to a single hostname+port combination.

If you really must, the solution is to add one exception for each hostname you
require to connect to.



Note You need to log in before you can comment on or make changes to this bug.