On Tue, Jul 22, 2014 at 3:01 AM, Hubert Kario <hka...@redhat.com> wrote:
>> I'm pretty sure Firefox merely remembers your decision to click
>> through the warning, not that it pins the keys/certificates in the
>> chain you clicked through on.
>>
>> Although I have proposed that for certain use-cases, its applicability
>> is limited — will people know how to recover if the key(s) change(s)?
>
> No, I'm sure it remembers the certificate.
>
> I have set up an SNI-enabled server that returns one certificate for two
> different virtual hosts.
>
> When the certificate was about to expire, I changed it to
> a new one signed by a trusted CA. For the site for which the CN matched,
> Firefox didn't even bat an eye; for the site for which I had to waive
> the mismatched CN in the past, I had to waive the certificate again.
>
> I can retest with self-signed certificates, but I'd be very surprised
> if it didn't work exactly the same.

I just ran this test:

1. Generate a self-signed cert; configure Apache to use it; restart Apache.
2. Browse to the server with Firefox. Add Exception for the cert.
3. Quit Firefox; restart Firefox; browse to the server again. Everything is good.
4. Generate a *new* self-signed cert; configure Apache to use it; restart Apache.
5. Quit Firefox; restart Firefox; browse to the server again.

Results:

A. On first page-load after step (5), no certificate warning. (I assume a cached page was being shown.)
B. Reload the page; now I get a cert warning as expected. But, crucially, this is not a key pinning validation failure; just an unknown authority error. (Error code: sec_error_untrusted_issuer)
C. I do the clicks to Add Exception, but it fails: In the Add Security Exception dialog, the [ ] Permanently store this exception checkbox is grayed out, and the [ Confirm Security Exception ] button is also grayed out. I can only click [ Cancel ]. I take it this is a Firefox UI bug...?

Everything was working as I expected except (C). I think the button and the checkbox should be active and should work as normal.
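The thread turns on the difference between an exception that is tied to one specific certificate and a pin that is tied to the key. The script below, added here as an illustration and not part of the original message or of any Mozilla code, reproduces the certificate generation from steps 1 and 4 with OpenSSL and prints the two values a browser could remember: the SHA-256 fingerprint of the whole certificate, and the HPKP-style SHA-256 hash of the SubjectPublicKeyInfo. It also re-signs a certificate over the *same* key, which changes the fingerprint but not the key hash, so the two behaviours can be told apart against a test server. The hostname, working directory and the emitted Apache vhost stanza are constructed placeholders; OpenSSL is assumed to be installed.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumes the openssl CLI.
# WORKDIR and HOST are constructed placeholders.
set -e

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="${HOST:-selfsigned-test.example}"

# gen_selfsigned NAME: fresh key + self-signed cert (what steps 1 and 4 do).
gen_selfsigned() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$HOST" \
    -keyout "$WORKDIR/$1.key" -out "$WORKDIR/$1.crt" >/dev/null 2>&1
}

# resign_same_key KEYNAME NEWNAME: new self-signed cert over an existing key.
# Same key, different certificate bytes.
resign_same_key() {
  openssl req -x509 -new -key "$WORKDIR/$1.key" -nodes -days 30 \
    -subj "/CN=$HOST" -out "$WORKDIR/$2.crt" >/dev/null 2>&1
}

# cert_fp FILE: SHA-256 fingerprint of the whole certificate. A stored
# exception keyed on this stops matching as soon as the cert is reissued,
# which is the warning the reply describes reappearing after step 5.
cert_fp() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# spki_pin FILE: base64(SHA-256(SubjectPublicKeyInfo)), the form a key pin
# takes. It survives re-signing with the same key but not a key change.
spki_pin() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -binary | openssl base64
}

# apache_vhost NAME: minimal TLS vhost stanza for the generated pair (step 1).
apache_vhost() {
  cat <<EOF
<VirtualHost *:443>
    ServerName $HOST
    SSLEngine on
    SSLCertificateFile    $WORKDIR/$1.crt
    SSLCertificateKeyFile $WORKDIR/$1.key
</VirtualHost>
EOF
}

# run_comparison: build the three certificates and print both identifiers.
# Returns success only if the re-signed cert differs in fingerprint but
# keeps the key hash, i.e. the two identifiers really do behave differently.
run_comparison() {
  gen_selfsigned first            # step 1 certificate
  gen_selfsigned second           # step 4: brand-new key and certificate
  resign_same_key first resigned  # same key as "first", new certificate
  for n in first second resigned; do
    printf '%-9s fp=%s pin=%s\n' "$n" \
      "$(cert_fp "$WORKDIR/$n.crt")" "$(spki_pin "$WORKDIR/$n.crt")"
  done
  [ "$(cert_fp "$WORKDIR/first.crt")" != "$(cert_fp "$WORKDIR/resigned.crt")" ] &&
  [ "$(spki_pin "$WORKDIR/first.crt")" = "$(spki_pin "$WORKDIR/resigned.crt")" ]
}
```

Run `run_comparison` and then `apache_vhost first` to get a stanza to drop into the Apache config; after reissuing, compare the printed fingerprint with whatever the browser stored to see which of the two values the override was tied to.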
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy