When going to the above URL I get a dialog box with the following message:
lists.mplayerhq.hu:443 uses an invalid security certificate. The certificate is not trusted because it is self signed. (Error code: sec_error_untrusted_issuer)
I see no way to bypass this.
firefox-3.0-0.44.cvs20080315.fc9
xulrunner-1.9-0.44.cvs20080315.fc9
I went into the advanced preferences, tried to add an exception for the site in question, and got the same problem. When I enter the URL into the 'Add Security Exception' dialog and click 'Get Certificate', I get the same error dialog, and it says "Unable to obtain identification status for the given site".
Weird. On another machine, the same package gives me a 'page load error' page (not a dialog) which starts with the same text, but also has an 'Or you can add an exception...' link which brings up the security manager... which then actually works.
binary search on prefs.js shows that the problem happens when using a proxy (squid).
Not reproducible with firefox 3beta4. Watch the following funnies ...
Hm. What proxy were you using?
And you were definitely using it for SSL, not just http?
Created attachment 298526 [details] screencast of how it does work
This is how it works.
... and yes I don't like it either -- however, the current state is much better than it was before; that link in the dialog is a result of much fight in bugzilla.mozilla.org ;-) (not mine, though).
Your screencast matches what I see (apart from the language, obviously) when I don't use a proxy -- or when I use a proxy only for HTTP but not SSL. But when I use a proxy (squid on Fedora 8), I just get the dialog box instead.
Oh, now I get it -- finally. My granny always told me that Wednesday is a bad day, and you see -- my brain switched off. OK, I see that proxy is an essential part of your problem. OK, let's reopen it and I will test it (probably tomorrow though, now I am at home)
Actually, ... My Firefox (firefox-3.0-0.44.cvs20080315.fc9.x86_64) has Network Connection set up to "Use system settings" which is using squid on http://localhost:3128. And I have just managed to repeat the process shown in the screencast above. This is /var/log/squid/access.log generated during the tryout:
1206089014.176 1692 127.0.0.1 TCP_MISS/200 702 CONNECT lists.mplayerhq.hu:443 - DIRECT/213.144.138.186 -
1206089017.402 68 127.0.0.1 TCP_MISS/200 702 CONNECT lists.mplayerhq.hu:443 - DIRECT/213.144.138.186 -
1206089025.204 72 127.0.0.1 TCP_MISS/200 702 CONNECT lists.mplayerhq.hu:443 - DIRECT/213.144.138.186 -
1206089027.207 74 127.0.0.1 TCP_MISS/301 342 GET http://lists.mplayerhq.hu/mailman/listinfo - DIRECT/213.144.138.186 -
1206089033.096 5378 127.0.0.1 TCP_MISS/200 803 CONNECT lists.mplayerhq.hu:443 - DIRECT/213.144.138.186 -
1206089033.098 6119 127.0.0.1 TCP_MISS/200 17912 CONNECT lists.mplayerhq.hu:443 - DIRECT/213.144.138.186 -
and this is the particular piece of /var/log/squid/store.log
1206089027.207 RELEASE -1 FFFFFFFF 44413EF33322FF0BB5233C2F780D88AF 301 1206089027 -1 -1 unknown 0/0 GET http://lists.mplayerhq.hu/mailman/listinfo
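The access.log excerpt above is informative on its own: Squid answers every CONNECT with 200 because the tunnel opened, so the only trace of the browser rejecting the certificate is a tunnel that carried only a few hundred bytes (roughly one certificate chain) before closing. The parser below, an added example that is not part of the thread, reads Squid's native log format and flags such handshake-only tunnels. The byte threshold is an assumed heuristic chosen for this sample; the log lines are the ones posted in the comment above.

```python
"""Spot TLS tunnels that a client closed right after the handshake, using Squid's
native access.log format (added example; the threshold is a heuristic)."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Log lines copied from the comment above (Squid native format:
# timestamp elapsed_ms client result/status bytes method url ident hierarchy/peer type).
SAMPLE_LOG = """\
1206089014.176 1692 127.0.0.1 TCP_MISS/200 702 CONNECT lists.mplayerhq.hu:443 - DIRECT/213.144.138.186 -
1206089017.402 68 127.0.0.1 TCP_MISS/200 702 CONNECT lists.mplayerhq.hu:443 - DIRECT/213.144.138.186 -
1206089025.204 72 127.0.0.1 TCP_MISS/200 702 CONNECT lists.mplayerhq.hu:443 - DIRECT/213.144.138.186 -
1206089027.207 74 127.0.0.1 TCP_MISS/301 342 GET http://lists.mplayerhq.hu/mailman/listinfo - DIRECT/213.144.138.186 -
1206089033.096 5378 127.0.0.1 TCP_MISS/200 803 CONNECT lists.mplayerhq.hu:443 - DIRECT/213.144.138.186 -
1206089033.098 6119 127.0.0.1 TCP_MISS/200 17912 CONNECT lists.mplayerhq.hu:443 - DIRECT/213.144.138.186 -
"""


@dataclass
class SquidEntry:
    timestamp: float
    elapsed_ms: int
    client: str
    result: str      # e.g. TCP_MISS
    status: int      # HTTP status Squid returned to the client
    size: int        # bytes sent to the client (for CONNECT: the whole tunnel)
    method: str
    url: str
    hierarchy: str   # e.g. DIRECT
    peer: Optional[str]


def parse_line(line: str) -> SquidEntry:
    """Parse one native-format line; raise on anything that is not one."""
    fields = line.split()
    if len(fields) < 9:
        raise ValueError(f"not a Squid native log line: {line!r}")
    result, status = fields[3].split("/", 1)
    hierarchy, _, peer = fields[8].partition("/")
    return SquidEntry(
        timestamp=float(fields[0]),
        elapsed_ms=int(fields[1]),
        client=fields[2],
        result=result,
        status=int(status),
        size=int(fields[4]),
        method=fields[5],
        url=fields[6],
        hierarchy=hierarchy,
        peer=peer or None,
    )


def parse_log(text: str) -> List[SquidEntry]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


# Assumed heuristic: a tunnel below this size carried a server certificate and an
# alert, but no application data. Tune it to the certificate chain size of the
# sites you care about.
HANDSHAKE_ONLY_BYTES = 1024


def is_aborted_tls_tunnel(e: SquidEntry) -> bool:
    """A 200 on CONNECT only says the tunnel opened; a tiny byte count says it
    closed before any request went through, i.e. the client rejected the handshake."""
    return e.method == "CONNECT" and e.status == 200 and e.size < HANDSHAKE_ONLY_BYTES


def aborted_tunnels_by_host(entries: List[SquidEntry]) -> Dict[str, int]:
    """Count handshake-only tunnels per host:port, the view a proxy admin would want."""
    counts: Dict[str, int] = {}
    for e in entries:
        if is_aborted_tls_tunnel(e):
            counts[e.url] = counts.get(e.url, 0) + 1
    return counts


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    for e in entries:
        tag = "HANDSHAKE-ONLY" if is_aborted_tls_tunnel(e) else "ok"
        print(f"{e.method:8} {e.url:45} {e.size:6d} bytes {e.elapsed_ms:5d} ms  {tag}")
    print(aborted_tunnels_by_host(entries))
```

Run over the sample, the three 702-byte CONNECT entries (the attempts the dialog box cut short) are flagged, while the 17912-byte tunnel at the end, the one after the exception was added, is not; the plain-HTTP GET never counts because it is not a tunnel.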
Using squid on localhost, I can reproduce your behaviour. Perhaps it needs to be the F8 version of squid?
I can not reproduce this bug. I am always able to add an exception. Once I do, I'm able to connect. I've installed squid and in firefox I configured both http and ssl proxy to connect to 127.0.0.1 3128. Works fine for me.
Where in the OS do I set "system proxy settings"? Note I'm logging into that machine remotely, so if you could tell me which command I must execute to configure the system's proxy setting, it would help me a lot.
gconftool-2 -R /system/proxy
Is this really a F9 blocker? I'm punting over to Target.
Sorry, there is no bug, at least none that I can reproduce. I configured a system proxy using gnome-control-center. I configured firefox to use the system proxy. I verified the proxy is required, by stopping squid, and trying to surf the web (then I got an error message, as expected). I verified the proxy is used by looking at squid/access.log. I tried to use a proxy on the localhost, worked fine. I tried to use a proxy on a remote machine. On the local machine, I used iptables to block access to hostname lists.mplayerhq.hu. I used telnet to SSL port 443 to verify the iptables rule works. With squid started, I used Firefox to connect to the site. I got the error page about an invalid page, as expected. I used the "add exception" button and dialog and was successfully able to add it. Then I was able to connect to the site. Sorry, I can't reproduce.
cacert is also broken. I have the cacert root certificates installed:
http://www.cacert.org/certs/root.crt
http://www.cacert.org/certs/class3.crt
When I go to https://cats.cacert.org/ I get an 'ssl_error_handshake_failure_alert' error, and no option to make an exception. This is with no proxy.
When I remove the CAcert root certs, I get to make an exception. But with them installed, I can't (and shouldn't it just work without any problems?)
ok, I'll test the new report
David, I indeed can reproduce your problem. I can reproduce it with the firefox/nss contained in rawhide, and I can reproduce it with the most recent upstream sources, too. I think it's a separate issue from the one originally reported in this bug. I might close this bug and open a new one.
David, you said, if you remove the root certs, then you are able to add an exception. But, once you have added the exception, are you then able to connect? In my testing, I still get the handshake alert error message, which seems to suggest that the server is bad. In addition I've just tested with Firefox 2. I get an error message with code -12227, which means the same thing. Are you really able to open that web site?
Created attachment 302198 [details] screenshot with cacert root cert installed
Created attachment 302199 [details] screenshot without cacert root cert installed
David, yes, these screenshots are exactly what I get, too. David, please tell me, are you able to connect to this server using *any* software? If yes, can you please name product and version? The handshake_failure_alert means that client and server are unable to agree on a protocol. This does not look like a new behavior in FF3. Firefox 2 and 1.5 show exactly the same behavior (reject connection with error message). This problem is not limited to Firefox, as far as I can tell. I tried konqueror, and it gives me "An error occurred while loading https://cats.cacert.org: Could not connect to host cats.cacert.org." When I use a low level tool from NSS it tells me: SSL peer was unable to negotiate an acceptable set of security parameters.
Created attachment 302208 [details] two failure modes
Hm, true. I hadn't gone through the process of adding the exception, so assumed it was another manifestation of the original problem reported above. When I add the exception, I end up with the same error; it still doesn't work. I now have CAcert-provided certificates for some of my own machines, including https://pentafluge.infradead.org, and those seem to work fine -- even when I'm using a proxy. Interestingly, when using a proxy and not having the CAcert root cert installed I can connect to pentafluge.infradead.org but not to clueless.aaisp.net.uk. For the former I get a page reporting 'sec_error_unknown_issuer' and the option to make an exception. For the latter I get a dialog reporting 'sec_error_untrusted_issuer'. And no way to proceed. Demonstrated in attached screenshot.
Aha, cats.cacert.org requires a client certificate. If I _have_ a client certificate, it pops up a dialog box telling me "This site has requested that you identify yourself with a certificate", and lets me choose the certificate to use. When I didn't have a client cert installed, it just failed. Shouldn't it have been more helpful? (so yes, that is a separate bug from the original one).
Kai, am I right in thinking that you've managed to reproduce the failure with https://lists.mplayerhq.hu/ when operating via squid?
No, it always worked for me with the mplayer site.