Bug 453103 - Firefox 3 does not handle self-signed wildcard certificates properly
Summary: Firefox 3 does not handle self-signed wildcard certificates properly
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: firefox
Version: 9
Hardware: All
OS: Linux
Priority: medium
Severity: low
Target Milestone: ---
Assignee: Gecko Maintainer
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2008-06-27 10:35 UTC by Nigel Jones
Modified: 2008-06-27 12:21 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2008-06-27 12:21:14 UTC
Type: ---
Embargoed:



Description Nigel Jones 2008-06-27 10:35:47 UTC
Description of problem:
Firefox 3 is doing some really weird voodoo with self-signed wildcard SSL
certificates.

Now before the 'self-signed is a bad idea' lecture, I already know this, but
they are really useful for testing before you get the real thing.

Now the problem is, for testing a new concept setup of the Fedora Project
website I created a self-signed wildcard SSL certificate,
'*.publictest10.fedoraproject.org', which is perfectly valid in every respect.
When I go to 'https://be.publictest10.fedoraproject.org' the normal blocking
screen comes up:

"be.publictest10.fedoraproject.org uses an invalid security certificate.

The certificate is not trusted because it is self signed."

I click on the 'Add Exemption' button, get the certificate, verify it, notice it
has CN=*.publictest10.fedoraproject.org, and confirm the exception.

I THEN go to, say, https://bf.publictest10.fedoraproject.org and I get the _exact_
same message as when I first went to https://be...

Going to Edit->Preferences->Advanced->Encryption->View Certificates->Servers I
now have two entries, neither of which has a 'Certificate Name' (which strikes me
as odd), and they only appear to apply to one server host name each.

Version-Release number of selected component (if applicable):
firefox-3.0-1.fc9.x86_64

How reproducible:
Always

Steps to Reproduce:
Above
  
Actual results:
Above

Expected results:
One prompt per wildcard certificate; it's the same CN and everything.

Additional info:
I'm pretty certain this is a regression, I no longer have a machine with an
earlier version of Firefox to test with though.

If it's not a regression and actually 'hasn't been thought of' then my
additional comments are:
There is A LOT of blank space on that dialog, maybe if the cert is a wildcard
cert a Yellow box could appear basically saying 'Adding this exemption will
apply to all addresses matching "*.certdomain.tld"'.

But honestly, it's REALLY annoying for testing, and I know it's not something
that most every day users are going to be exposed to but sometimes internally or
for testing, a self-signed SSL certificate is all you need.

Comment 1 Kai Engert (:kaie) (inactive account) 2008-06-27 12:21:14 UTC
The new behaviour in firefox 3 is intentional.

Each SSL cert exception is bound to a single hostname+port combination.

If you really must, the solution is to add one exception for each hostname you
require to connect to.
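The behaviour Kai describes, as an added model that is not Firefox code and not the on-disk override format: an override is looked up by (hostname, port) and must also match the certificate's fingerprint, so the wildcard CN is never consulted when deciding whether to prompt. The hostnames, port and the byte strings standing in for DER-encoded certificates are constructed sample data; `cn_matches` is included only to show that the reporter's certificate really does match both hostnames, so the second prompt is not a matching failure.

```python
"""Model of Firefox 3's per-host:port certificate overrides (added example).

Not Firefox code and not the cert_override.txt format.  Hostnames, ports and
the byte strings used as stand-ins for DER certificates are constructed.
"""
import hashlib
import re


def cn_matches(pattern, host):
    """RFC 6125-style wildcard match: a leading '*' covers exactly one DNS
    label and never a dot, so '*.example.org' matches 'a.example.org' but
    not 'example.org' or 'a.b.example.org'.  Case-insensitive."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]                 # '.publictest10.fedoraproject.org'
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]      # the label the '*' must cover
    return re.fullmatch(r"[A-Za-z0-9-]+", leftmost) is not None


def fingerprint(der_bytes):
    """SHA-256 hex fingerprint of a (here: constructed) DER certificate."""
    return hashlib.sha256(der_bytes).hexdigest()


def add_override(store, host, port, cert_fp):
    """Record an exception for exactly this host:port and this certificate."""
    store[(host.lower(), port)] = cert_fp


def needs_prompt(store, host, port, cert_fp):
    """True when the 'invalid security certificate' page would appear: either
    no override exists for this exact host:port, or the override was recorded
    for a different certificate.  The certificate's CN plays no part."""
    return store.get((host.lower(), port)) != cert_fp


def reporter_scenario():
    """Replay the steps from the bug report and return what happens at each."""
    store = {}
    cn = "*.publictest10.fedoraproject.org"
    be = "be.publictest10.fedoraproject.org"
    bf = "bf.publictest10.fedoraproject.org"
    port = 443
    # Constructed stand-in for the DER of the self-signed wildcard cert.
    fp = fingerprint(b"constructed DER for CN=*.publictest10.fedoraproject.org")

    out = {}
    out["be_first_visit"] = needs_prompt(store, be, port, fp)        # True
    add_override(store, be, port, fp)                                # user confirms
    out["be_after_override"] = needs_prompt(store, be, port, fp)     # False
    out["bf_cn_matches"] = cn_matches(cn, bf)                        # True
    out["bf_after_be_override"] = needs_prompt(store, bf, port, fp)  # True: keyed on host
    add_override(store, bf, port, fp)                                # second confirmation
    out["bf_after_own_override"] = needs_prompt(store, bf, port, fp) # False
    out["be_other_port"] = needs_prompt(store, be, 8443, fp)         # True: keyed on port too
    # Re-generating the cert (same CN, new key) changes the fingerprint.
    reissued = fingerprint(b"constructed DER for a regenerated cert, same CN")
    out["be_after_reissue"] = needs_prompt(store, be, port, reissued)  # True
    out["overrides_stored"] = len(store)                             # 2
    return out


if __name__ == "__main__":
    for step, result in reporter_scenario().items():
        print(f"{step}: {result}")
```

The design point the model makes visible: because the key is the hostname and port rather than the certificate, accepting the wildcard cert for one test host does not silently extend trust to every other name under that domain, and a regenerated certificate with the same CN prompts again rather than inheriting the old exception.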


