Bug 1020424

Summary: Cannot add exception for expired cert
Product: [Fedora] Fedora
Reporter: Mike McLean <mikem>
Component: firefox
Assignee: Martin Stransky <stransky>
Status: CLOSED DUPLICATE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: 20
CC: chemobejk, gecko-bugs-nobody, kengert, mikem, randomrnd, stransky
Hardware: Unspecified
OS: Unspecified
Doc Type: Bug Fix
Last Closed: 2014-01-07 16:59:59 UTC
Type: Bug

Description Mike McLean 2013-10-17 16:02:33 UTC
1) visit an https site with expired cert
2) untrusted dialog pops up, tech details says:

some-server.com uses an invalid security certificate. The certificate expired on 10/17/2013 11:41 AM. The current time is 10/17/2013 11:59 AM. (Error code: sec_error_expired_certificate)

3) click "add exception"
4) popup claims certificate is "valid" and "verified" and refuses to add an exception

Comment 1 Martin Stransky 2013-10-18 10:47:22 UTC
Can you post the server name here? I saw it when the server does not have reverse DNS entry (IP to domain translation).

Comment 3 Steve 2013-11-08 13:10:04 UTC
In my case, tech details says:

************ uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for ************ (Error code: sec_error_cert_signature_algorithm_disabled)


Then, in about:config, when I set security.enable_md5_signatures;false to true,

it says:

(Error code: sec_error_ca_cert_invalid)


Finally, when I add an exception, Firefox displays:

The connection was reset


Downgrading Firefox and xulrunner to version 21 (?) solves the problem.

firefox-25.0-3.fc19.x86_64
xulrunner-25.0-2.fc19.x86_64

Comment 4 Steve 2013-11-14 18:24:48 UTC
Ok, here is a workaround that works for me:

Starting Firefox in a terminal with NSS_SSL_CBC_RANDOM_IV=0 solves the problem.

"NSS_SSL_CBC_RANDOM_IV=0 firefox"

Please see here: https://bugzilla.redhat.com/show_bug.cgi?id=890931
Or google -> NSS_SSL_CBC_RANDOM_IV=0

Comment 5 Martin Stransky 2014-01-06 14:37:36 UTC
Kai, any idea about this one? Thanks!

Comment 6 Kai Engert (:kaie) (inactive account) 2014-01-07 16:57:07 UTC
Martin, I'll look into it.

Comment 7 Kai Engert (:kaie) (inactive account) 2014-01-07 16:59:59 UTC
I believe this is a duplicate of bug 770682.

If you can demonstrate a current site to reproduce this issue, please add a comment with a link to the site, reopen the bug, and I'll look into it right away. Thanks.

*** This bug has been marked as a duplicate of bug 770682 ***

Comment 8 Stefan Becker 2014-01-07 17:04:39 UTC
(In reply to Kai Engert (:kaie) from comment #7)
> I believe this is a duplicate of bug 770682.

This bug is about Firefox; that bug is about a similar problem with SIPE. I'll remove the duplicate assignment.

Comment 9 Kai Engert (:kaie) (inactive account) 2014-01-07 17:22:05 UTC
Stefan, both pieces of software used the same underlying NSS crypto library that implements the functionality (certificate validation) that you were using. The quoted environment variable isn't a property of Firefox; it's a property of that library.