Red Hat Bugzilla – Bug 453103
Firefox 3 does not handle self-signed wildcard certificates properly
Last modified: 2008-06-27 08:21:14 EDT
Description of problem:
Firefox 3 is doing some really weird voodoo with self-signed wildcard SSL
Now before the 'self-signed is a bad idea' lecture, I already know this, but
they are really useful for testing before you get the real thing.
Now the problem is, for testing a new concept setup of the Fedora Project
website I created a self-signed wildcard SSL certificate,
'*.publictest10.fedoraproject.org', which is perfectly valid in every respect.
When I go to 'https://be.publictest10.fedoraproject.org' the normal blocking
screen comes up:
"be.publictest10.fedoraproject.org uses an invalid security certificate.
The certificate is not trusted because it is self signed."
I click on the 'Add Exemption' button, get the certificate, verify it, notice it
has CN=*.publictest10.fedoraproject.org, and confirm the exception.
I THEN go to, say, https://bf.publictest10.fedoraproject.org and I get the _exact_
same message as when I first went to https://be...
Going to Edit->Preferences->Advanced->Encryption->View Certificates->Servers I
now have two entries, neither of which has a 'Certificate Name' (which strikes me
as odd) and which only appear to apply to one server host name each.
Steps to Reproduce:
One prompt per wild-card certificate, it's the same CN and everything.
I'm pretty certain this is a regression, I no longer have a machine with an
earlier version of Firefox to test with though.
If it's not a regression and actually 'hasn't been thought of' then my
additional comments are:
There is A LOT of blank space on that dialog; maybe if the cert is a wildcard
cert a yellow box could appear basically saying 'Adding this exemption will
apply to all addresses matching "*.certdomain.tld"'.
But honestly, it's REALLY annoying for testing, and I know it's not something
that most everyday users are going to be exposed to, but sometimes internally or
for testing a self-signed SSL certificate is all you need.
The new behaviour in Firefox 3 is intentional.
Each SSL cert exception is bound to a single hostname+port combination.
If you really must, the solution is to add one exception for each hostname you
require to connect to.
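The mismatch described in this bug, as an added example that is neither the reporter's nor Firefox's own code: a wildcard CN matches every single-label host under the domain, but an exception store keyed on hostname+port (the model the reply describes, simplified here) only trusts the exact host the exception was added for. The hostnames and CN are the ones from the report; `ExceptionStore` is an assumed toy model, not Firefox's override database.

```python
"""Wildcard CN matching versus per-host certificate exceptions (toy model)."""
from typing import Dict, Tuple

# Constructed: the self-signed wildcard certificate from the bug report.
WILDCARD_CN = "*.publictest10.fedoraproject.org"


def cn_matches(cn: str, hostname: str) -> bool:
    """True if hostname is covered by cn.

    Wildcard rules as in RFC 2818 / RFC 6125: '*' must be the entire leftmost
    label and stands for exactly one label, so '*.example.org' covers
    'a.example.org' but not 'example.org' or 'a.b.example.org'.
    """
    cn, hostname = cn.lower(), hostname.lower()
    if not cn.startswith("*."):
        return cn == hostname
    suffix = cn[1:]                       # ".publictest10.fedoraproject.org"
    if not hostname.endswith(suffix):
        return False
    left = hostname[: -len(suffix)]       # the label the '*' must stand in for
    return bool(left) and "." not in left


class ExceptionStore:
    """Assumed model: each exception is bound to (hostname, port), not to the CN."""

    def __init__(self) -> None:
        self._overrides: Dict[Tuple[str, int], str] = {}

    def add_exception(self, hostname: str, port: int, cn: str) -> None:
        self._overrides[(hostname.lower(), port)] = cn

    def is_trusted(self, hostname: str, port: int, cn: str) -> bool:
        # A self-signed cert is accepted only if an override exists for this
        # exact host:port and the cert actually matches the hostname.
        override = self._overrides.get((hostname.lower(), port))
        return override == cn and cn_matches(cn, hostname)


def reproduce() -> Tuple[bool, bool]:
    """Replay the report: add an exception for 'be', then visit 'bf'."""
    store = ExceptionStore()
    store.add_exception("be.publictest10.fedoraproject.org", 443, WILDCARD_CN)
    be_ok = store.is_trusted("be.publictest10.fedoraproject.org", 443, WILDCARD_CN)
    bf_ok = store.is_trusted("bf.publictest10.fedoraproject.org", 443, WILDCARD_CN)
    return be_ok, bf_ok   # returns (True, False): 'bf' needs its own exception
```

The CN matches both hosts, so the second prompt is not a certificate problem; it is the per-host keying of the exception store.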