Bug 453103

Summary: Firefox 3 does not handle self-signed wildcard certificates properly
Product: [Fedora] Fedora
Reporter: Nigel Jones <dev>
Component: firefox
Assignee: Gecko Maintainer <gecko-bugs-nobody>
Status: CLOSED NOTABUG
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: medium
Version: 9
CC: walters
Hardware: All
OS: Linux
Last Closed: 2008-06-27 12:21:14 UTC

Description Nigel Jones 2008-06-27 10:35:47 UTC
Description of problem:
Firefox 3 is doing some really weird voodoo with self-signed wildcard SSL
certificates.

Now before the 'self-signed is a bad idea' lecture, I already know this, but
they are really useful for testing before you get the real thing.

Now the problem is, for testing a new concept setup of the Fedora Project
website I created a self-signed wildcard SSL certificate,
'*.publictest10.fedoraproject.org', which is perfectly valid in every respect.
When I go to 'https://be.publictest10.fedoraproject.org' the normal blocking
screen comes up:

"be.publictest10.fedoraproject.org uses an invalid security certificate.

The certificate is not trusted because it is self signed."

I click on the 'Add Exemption' button, get the certificate, verify it, notice it
has CN=*.publictest10.fedoraproject.org, and confirm the exception.

I THEN go to, say, https://bf.publictest10.fedoraproject.org and I get the _exact_
same message as when I first went to https://be...

Going to Edit->Preferences->Advanced->Encryption->View Certificates->Servers I
now have two entries, none of which have a 'Certificate Name' (which strikes me
as odd) and only appear to apply to one server host name each.

Version-Release number of selected component (if applicable):
firefox-3.0-1.fc9.x86_64

How reproducible:
Always

Steps to Reproduce:
Above
Actual results:
Above

Expected results:
One prompt per wild-card certificate, it's the same CN and everything.

Additional info:
I'm pretty certain this is a regression; I no longer have a machine with an
earlier version of Firefox to test with, though.

If it's not a regression and actually 'hasn't been thought of', then my
additional comments are:
There is A LOT of blank space on that dialog; maybe if the cert is a wildcard
cert a yellow box could appear basically saying 'Adding this exemption will
apply to all addresses matching "*.certdomain.tld"'.

But honestly, it's REALLY annoying for testing, and I know it's not something
that most everyday users are going to be exposed to, but sometimes internally or
for testing, a self-signed SSL certificate is all you need.

Comment 1 Kai Engert (:kaie) (inactive account) 2008-06-27 12:21:14 UTC
The new behaviour in firefox 3 is intentional.

Each SSL cert exception is bound to a single hostname+port combination.

If you really must, the solution is to add one exception for each hostname you
need to connect to.
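An added illustration (not code from Firefox or from this bug) of the two policies being contrasted above: an exception store keyed on (hostname, port), as comment 1 describes, versus one keyed on the certificate itself, which is what the reporter's "one prompt per wild-card certificate" expects. The wildcard matching follows the usual single-leftmost-label rule; the fingerprint value is a constructed placeholder.

```python
# Added example, not code from Firefox or the bug report. It models the two
# policies under discussion: an exception store keyed on (hostname, port), as
# comment 1 describes, versus one keyed on the certificate itself, as the
# reporter expected. Names and the fingerprint below are constructed samples.
def wildcard_matches(cert_name, hostname):
    """Does a name such as '*.example.org' cover hostname? Only a whole
    leftmost label may be a wildcard and it matches exactly one label:
    '*.a.b' covers 'x.a.b' but neither 'a.b' nor 'y.x.a.b'."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == hostname
    pattern_labels, host_labels = cert_name.split("."), hostname.split(".")
    # Refuse '*.org'-style names, which would cover a whole public suffix.
    if len(pattern_labels) < 3 or len(pattern_labels) != len(host_labels):
        return False
    return pattern_labels[1:] == host_labels[1:]


class ExceptionStore:
    """Overrides for untrusted certs, keyed per (host, port) or per cert."""

    def __init__(self, per_certificate=False):
        self.per_certificate = per_certificate
        self._overrides = {}

    def _key(self, host, port, fingerprint):
        return fingerprint if self.per_certificate else (host.lower(), port)

    def add_exception(self, host, port, fingerprint):
        self._overrides[self._key(host, port, fingerprint)] = fingerprint

    def check(self, host, port, cert_name, fingerprint):
        """Return 'ok' or the reason the blocking page would appear."""
        if not wildcard_matches(cert_name, host):
            return "prompt: domain mismatch"
        if self._overrides.get(self._key(host, port, fingerprint)) == fingerprint:
            return "ok"
        return "prompt: self-signed"


CERT_NAME = "*.publictest10.fedoraproject.org"   # the reporter's wildcard CN
FINGERPRINT = "sha1:placeholder"                  # constructed, not a real value

def walkthrough(per_certificate):
    """Add an exception for be., then revisit be. and visit bf. on port 443."""
    store = ExceptionStore(per_certificate)
    store.add_exception("be.publictest10.fedoraproject.org", 443, FINGERPRINT)
    hosts = ("be.publictest10.fedoraproject.org", "bf.publictest10.fedoraproject.org")
    return tuple(store.check(h, 443, CERT_NAME, FINGERPRINT) for h in hosts)
```

With the per-host policy, `walkthrough(False)` returns `("ok", "prompt: self-signed")`, reproducing the second prompt the reporter saw; the per-host key also means the same host on another port prompts again, which is what keeps one accepted exception from silently covering every name under the wildcard.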