1020424 – Cannot add exception for expired cert

Bug 1020424 - Cannot add exception for expired cert

Summary: Cannot add exception for expired cert

Keywords:
Status:	CLOSED DUPLICATE of bug 770682
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	firefox
Sub Component:
Version:	20
Hardware:	Unspecified
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Martin Stransky
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2013-10-17 16:02 UTC by Mike McLean
Modified:	2016-01-05 12:58 UTC (History)
CC List:	6 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2014-01-07 16:59:59 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Mike McLean 2013-10-17 16:02:33 UTC

1) visit an https site with expired cert
2) untrusted dialog pops up, tech details says:

some-server.com uses an invalid security certificate. The certificate expired on 10/17/2013 11:41 AM. The current time is 10/17/2013 11:59 AM. (Error code: sec_error_expired_certificate)

3) click "add exception"
4) popup claims certificate is "valid" and "verified" and refuses to add an exception

Comment 1 Martin Stransky 2013-10-18 10:47:22 UTC

Can you post the server name here? I saw it when the server does not have reverse DNS entry (IP to domain translation).

Comment 3 Steve 2013-11-08 13:10:04 UTC

In my case, tech details says:

************ uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for ************ (Error code: sec_error_cert_signature_algorithm_disabled)


then, in about:config, when i set security.enable_md5_signatures;false to true,

it says:

(Error code: sec_error_ca_cert_invalid)


finally, when i add an exception, firefox displays:

The connection was reset


Downgrading firefox and xulrunner to version 21 (?), solves the problem.

firefox-25.0-3.fc19.x86_64
xulrunner-25.0-2.fc19.x86_64

Comment 4 Steve 2013-11-14 18:24:48 UTC

Ok, here is a workaround that works for me:

Starting Firefox in terminal with NSS_SSL_CBC_RANDOM_IV=0, solves the problem.

"NSS_SSL_CBC_RANDOM_IV=0 firefox"

Please see here: https://bugzilla.redhat.com/show_bug.cgi?id=890931
Or google -> NSS_SSL_CBC_RANDOM_IV=0

Comment 5 Martin Stransky 2014-01-06 14:37:36 UTC

Kay, Any idea about this one? Thanks!

Comment 6 Kai Engert (:kaie) (inactive account) 2014-01-07 16:57:07 UTC

Martyn, I'll look into it.

Comment 7 Kai Engert (:kaie) (inactive account) 2014-01-07 16:59:59 UTC

I believe this is a duplicate of bug 770682.

If you can demonstrate a current site to reproduce this issue, please add a comment with a link to the site, reopen the bug, and I'll look into it right away. Thanks

*** This bug has been marked as a duplicate of bug 770682 ***

Comment 8 Stefan Becker 2014-01-07 17:04:39 UTC

(In reply to Kai Engert (:kaie) from comment #7)
> I believe this is a duplicate of bug 770682.

This bug is about firefox, that bug is about a similar problem with SIPE. I'll remove the duplicate assignment.

Comment 9 Kai Engert (:kaie) (inactive account) 2014-01-07 17:22:05 UTC

Stefan, both software used the same underlying NSS crypto library that implements the functionality (certificate validation) that you were using. The quoted environment variable isn't a property of Firefox, it's a property of that library.

Note You need to log in before you can comment on or make changes to this bug.