Bug 1020424 - Cannot add exception for expired cert
Status: CLOSED DUPLICATE of bug 770682
Product: Fedora
Classification: Fedora
Component: firefox
Assigned To: Martin Stransky
Fedora Extras Quality Assurance
Reported: 2013-10-17 12:02 EDT by Mike McLean
Modified: 2016-01-05 07:58 EST
Doc Type: Bug Fix
Last Closed: 2014-01-07 11:59:59 EST
Type: Bug
Description Mike McLean 2013-10-17 12:02:33 EDT
1) visit an https site with expired cert
2) untrusted dialog pops up, tech details says:

some-server.com uses an invalid security certificate. The certificate expired on 10/17/2013 11:41 AM. The current time is 10/17/2013 11:59 AM. (Error code: sec_error_expired_certificate)

3) click "add exception"
4) popup claims certificate is "valid" and "verified" and refuses to add an exception
Comment 1 Martin Stransky 2013-10-18 06:47:22 EDT
Can you post the server name here? I saw it when the server does not have a reverse DNS entry (IP to domain translation).
Comment 3 Steve 2013-11-08 08:10:04 EST
In my case, tech details says:

************ uses an invalid security certificate. The certificate is not trusted because it is self-signed. The certificate is only valid for ************ (Error code: sec_error_cert_signature_algorithm_disabled)

Then, in about:config, when I set security.enable_md5_signatures;false to true,

it says:

(Error code: sec_error_ca_cert_invalid)

Finally, when I add an exception, Firefox displays:

The connection was reset

Downgrading Firefox and xulrunner to version 21 (?) solves the problem.

Comment 4 Steve 2013-11-14 13:24:48 EST
Ok, here is a workaround that works for me:

Starting Firefox in a terminal with NSS_SSL_CBC_RANDOM_IV=0 solves the problem.


Please see here: https://bugzilla.redhat.com/show_bug.cgi?id=890931
Or google -> NSS_SSL_CBC_RANDOM_IV=0
Comment 5 Martin Stransky 2014-01-06 09:37:36 EST
Kai, any idea about this one? Thanks!
Comment 6 Kai Engert (:kaie) 2014-01-07 11:57:07 EST
Martin, I'll look into it.
Comment 7 Kai Engert (:kaie) 2014-01-07 11:59:59 EST
I believe this is a duplicate of bug 770682.

If you can demonstrate a current site to reproduce this issue, please add a comment with a link to the site, reopen the bug, and I'll look into it right away. Thanks

*** This bug has been marked as a duplicate of bug 770682 ***
Comment 8 Stefan Becker 2014-01-07 12:04:39 EST
(In reply to Kai Engert (:kaie) from comment #7)
> I believe this is a duplicate of bug 770682.

This bug is about Firefox, that bug is about a similar problem with SIPE. I'll remove the duplicate assignment.
Comment 9 Kai Engert (:kaie) 2014-01-07 12:22:05 EST
Stefan, both pieces of software used the same underlying NSS crypto library that implements the functionality (certificate validation) that you were using. The quoted environment variable isn't a property of Firefox, it's a property of that library.
