Thanks Chris, I'll follow up with IT on this question.

Sounds like something basic but perhaps not so obvious if the IT preferred (and 
test) browser (Chrome) is more permissive? But surely this is so basic that 
(even) Chrome can't pretend a site is secured if there's no link to the root 
certificate?

IT provided a package to install the cert in the OS for Chrome. I'm thinking
now maybe the installer did something additional with the cert when installing
it, like set up its "applicability" in some way? Are there some fields I can
check? I'm going to ask my IT that as well. I'll also see if I can find the
cert that works for Chrome in the OS file structure (OS X 10.8.5) and see if
there's a plist or something that gives clues.

I'm also following this up on evangelism@moz. I've got the impression that 
there's global dissatisfaction with FF being "too strict" and it *seems* like 
it's harder to get FF to "work" for IT? Or perhaps they just know Chrome and 
not FF?

For me I'm currently working in Chrome because I *can't* work in FF. It's been 
days now so this probably means I'm the last guy in my organisation still 
hanging on to FF. I'm worried that this may be a global issue cutting FF out of 
commercial (firewalled) use.

On Saturday, 12 September 2015 03:26:07 UTC+10, Chris Palmer wrote:
> On Thu, Sep 10, 2015 at 3:21 PM, AnilG wrote:
>
> > Thanks Chris, I appreciate any help I can get. I'm trying to help IT get
> > this fixed so we can keep FF.
> >
> > I already, and now again on your advice, imported to Firefox Authorities
> > Certificates the same certificate that was circulated by IT in a package,
> > which is presumably the OS installed certificate that enables Chrome to
> > work. Same error continues. I've passed on your advice to my ticket but
> > don't yet have a response from my IT.
> >
> > Can you clarify how to install or required particulars of this
> > certificate? It's sitting there in "Authorities" list but the cert seems to
> > have little information in its fields. Perhaps it's inadequately
> > constituted? The CN is a slightly lengthy piece of arbitrary free text with
> > no O or OU in the issued to, and no OU and the CN replicated in the O for
> > the issued by section. Otherwise it's PKCS #1 SHA-256 With RSA Encryption
> > with validity dates and a few other fields including a CRL distribution
> > point with a local URI marked Not Critical.?
> >
> 
> Have you verified that the proxy issues its MITM certs *from that
> particular issuing certificate*?

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
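
Added example, not part of the original thread: one way to run the check Chris Palmer asks about in the quoted reply, that is, whether a certificate the proxy presents was really issued by the CA certificate that was imported. All certificates and names are constructed on the spot with the openssl CLI, and the helper function names are hypothetical.

```shell
#!/bin/sh
# Constructed example: every name, key and certificate below is generated
# here and is not taken from the thread.
tmp=$(mktemp -d)

# make_ca PREFIX CN: self-signed CA certificate PREFIX.pem with key PREFIX.key
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$tmp/$1.key" -out "$tmp/$1.pem" 2>/dev/null
}

# make_leaf PREFIX CA_PREFIX: leaf certificate signed by CA_PREFIX, standing
# in for a certificate the proxy mints for an intercepted site
make_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
        -keyout "$tmp/$1.key" -out "$tmp/$1.csr" 2>/dev/null
    openssl x509 -req -in "$tmp/$1.csr" -days 1 -CA "$tmp/$2.pem" \
        -CAkey "$tmp/$2.key" -CAcreateserial -out "$tmp/$1.pem" 2>/dev/null
}

# names_match CA_PEM LEAF_PEM: the leaf's issuer name equals the CA's subject
names_match() {
    [ "$(openssl x509 -noout -subject_hash -in "$1")" = \
      "$(openssl x509 -noout -issuer_hash -in "$2")" ]
}

# issued_by CA_PEM LEAF_PEM: name match AND the signature verifies under the
# CA's key. The name alone is not proof: two CAs can share a subject.
issued_by() {
    names_match "$1" "$2" && openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

make_ca imported  "Constructed Corp Proxy CA"   # the cert that was imported
make_ca lookalike "Constructed Corp Proxy CA"   # same name, different key
make_ca other     "Constructed Other CA"        # unrelated issuer
make_leaf leaf_ok imported
make_leaf leaf_lookalike lookalike
make_leaf leaf_other other

for leaf in leaf_ok leaf_lookalike leaf_other; do
    if issued_by "$tmp/imported.pem" "$tmp/$leaf.pem"; then
        echo "$leaf: chains to the imported CA"
    else
        echo "$leaf: NOT issued by the imported CA"
    fi
done
```

Against a real deployment the leaf would be the certificate the proxy actually presents, saved to a PEM file, and the CA would be the file exported from the browser's Authorities list.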
