Bug 453103 - Firefox 3 does not handle self-signed wildcard certificates properly
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: firefox
Version: 9
Hardware: All Linux
Priority: medium, Severity: low
Assigned To: Gecko Maintainer
Fedora Extras Quality Assurance
Reported: 2008-06-27 06:35 EDT by Nigel Jones
Modified: 2008-06-27 08:21 EDT
Last Closed: 2008-06-27 08:21:14 EDT
Description Nigel Jones 2008-06-27 06:35:47 EDT
Description of problem:
Firefox 3 is doing some really weird voodoo with self-signed wildcard SSL
certificates.

Now before the 'self-signed is a bad idea' lecture, I already know this, but
they are really useful for testing before you get the real thing.

Now the problem is, for testing a new concept setup of the Fedora Project
website I created a self-signed wild card SSL certificate,
'*.publictest10.fedoraproject.org' which is perfectly valid in every respect. 
When I go to 'https://be.publictest10.fedoraproject.org' the normal blocking
screen comes up:

"be.publictest10.fedoraproject.org uses an invalid security certificate.

The certificate is not trusted because it is self signed."

I click on the 'Add Exemption' button, get the certificate, verify it, notice it
has CN=*.publictest10.fedoraproject.org, and confirm the exception.

I THEN go to, say, https://bf.publictest10.fedoraproject.org and I get the _exact_
same message as when I first went to https://be...

Going to Edit->Preferences->Advanced->Encryption->View Certificates->Servers I
now have two entries, none of which have a 'Certificate Name' (which strikes me
as odd) and only appear to apply to one server host name each.

Version-Release number of selected component (if applicable):
firefox-3.0-1.fc9.x86_64

How reproducible:
Always

Steps to Reproduce:
Above
  
Actual results:
Above

Expected results:
One prompt per wild-card certificate, it's the same CN and everything.

Additional info:
I'm pretty certain this is a regression, I no longer have a machine with an
earlier version of Firefox to test with though.

If it's not a regression and actually 'hasn't been thought of' then my
additional comments are:
There is A LOT of blank space on that dialog, maybe if the cert is a wildcard
cert a Yellow box could appear basically saying 'Adding this exemption will
apply to all addresses matching "*.certdomain.tld"'.

But honestly, it's REALLY annoying for testing, and I know it's not something
that most everyday users are going to be exposed to but sometimes internally or
for testing, a self-signed SSL certificate is all you need.
Comment 1 Kai Engert (:kaie) 2008-06-27 08:21:14 EDT
The new behaviour in Firefox 3 is intentional.

Each SSL cert exception is bound to a single hostname+port combination.

If you really must, the solution is to add one exception for each hostname you
require to connect to.
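
The distinction drawn in Comment 1, as an added example that is not part of the bug thread and is not Firefox code: a small Python model in which the wildcard name check passes for every matching host, while the trust exception is looked up by exact host and port. `wildcard_matches`, `ExceptionStore` and `connect` are hypothetical names, the certificate bytes are a constructed placeholder, and pinning the certificate fingerprint in each entry is an assumption of the model.

```python
import hashlib

def wildcard_matches(pattern, host):
    """Name check: a leading '*' stands for exactly one leftmost DNS label."""
    p, h = pattern.lower().split("."), host.lower().split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return bool(h[0]) and p[1:] == h[1:]
    return p == h

class ExceptionStore:
    """Hypothetical model: one override entry per (host, port), never per cert."""
    def __init__(self):
        self._entries = {}  # (host, port) -> SHA-256 of the accepted certificate

    def add(self, host, port, cert_der):
        self._entries[(host.lower(), port)] = hashlib.sha256(cert_der).hexdigest()

    def allows(self, host, port, cert_der):
        # Assumption of this model: the entry also pins the certificate, so a
        # different self-signed cert on the same host:port is blocked again.
        pinned = self._entries.get((host.lower(), port))
        return pinned == hashlib.sha256(cert_der).hexdigest()

def connect(store, host, port, cert_cn, cert_der, trusted_issuer=False):
    """Outcome of one connection attempt, as the user would see it."""
    problems = []
    if not wildcard_matches(cert_cn, host):
        problems.append("name mismatch")
    if not trusted_issuer:
        problems.append("self signed")
    if not problems or store.allows(host, port, cert_der):
        return "ok"
    return "blocked: " + ", ".join(problems)

# Constructed sample data: placeholder bytes standing in for the DER certificate.
CERT = b"constructed-self-signed-wildcard-cert"
CN = "*.publictest10.fedoraproject.org"

if __name__ == "__main__":
    store = ExceptionStore()
    store.add("be.publictest10.fedoraproject.org", 443, CERT)
    for host, port in [("be.publictest10.fedoraproject.org", 443),
                       ("bf.publictest10.fedoraproject.org", 443),
                       ("be.publictest10.fedoraproject.org", 8443)]:
        print(f"{host}:{port} ->", connect(store, host, port, CN, CERT))
```

The name check and the trust decision are separate steps: the wildcard CN satisfies the first for every sibling host, but only the exact host and port that were confirmed pass the second.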
