Thanks again, Chris. I've solved the problem and this sheds some light. I found the cert in the Mac OS X Keychain app and exported it from there. It exported with a different embedded CN for issuer and subject. The original raw cert I imported into Firefox seemed to have arbitrary free text in the CN which evidently was making it ineffective.
The cert was installed into Mac OS X keychain by a package, but IT told me the package did not change or provide parameters, so I don't know how the cert got the right CN when installing into OS X. Either way, the cert exported from Mac OS X keychain did have the correct CN and then worked like a charm when imported into Firefox. So I'd agree Firefox is not being too strict (in this scenario anyway - I had previous issues a few months ago where Chrome worked and Firefox didn't), but Firefox does have the additional step to install certs in its own certificate database instead of referring to the OS. In our case this additional step was hard enough to prevent Firefox from working for several days. I guess if there were any Firefox users in our organisation before, it seems unlikely there are any left now. I wonder if this is the second issue that is harming Firefox market share. As I said, I had issues previously where Chrome became organisation preferred because it "worked". I managed to find a workaround for Firefox but other users wouldn't have bothered. Unfortunately I don't have a breakdown on the causes of that issue. I guess market share shouldn't necessarily be a driver for the Firefox strategy, but we need market share to ensure vitality and *long term operational continuity*. It doesn't matter how good Firefox is if it's not being used (or doesn't "work" from an industry perspective). To remove unnecessary impediments to Firefox use and adoption, wouldn't it make sense to configure Firefox to use the OS cert store by default, and allow an option to use the internal cert database? I know there are code costs, but if people are not using Firefox there's no Firefox. Even now our IT has a working cert, I'm not sure they have a way to automatically install it into Firefox for all users. I presume enterprises normally don't.
So now that this "issue" has slaughtered any remaining Firefox users we may have had left from the previous issue, even though we now have a solution, we'll probably not regain any market share here, unless I find a user and personally install a cert for him/her. IT support may also be fed up to the extent we won't have a Firefox install on new laptop images. This is the picture we have in our organisation. It's been devastating. I'm not sure how much this is replicated globally but I'm communicating back here as properly as I can because I've caught hints that similar concerns have been raised on forums and I want to do what I can to ensure that Mozilla is not insulated from the true picture out in the community. Thanks for all your attention.

On 15 September 2015 at 04:44, Chris Palmer <[email protected]> wrote:

> On Sun, Sep 13, 2015 at 2:56 PM, AnilG <[email protected]> wrote:
>
>> Thanks Chris, I'll follow up with IT on this question.
>>
>
> You can check yourself if the chain you see chains up to the right root.
> In Chrome, click on the lock icon in the location bar, click the Connection
> Tab, and then click "Certificate information". This opens the Certificate
> Viewer. There, click the Details Tab and inspect the Certificate Hierarchy
> and each certificate's Certificate Fields. The root certificate should
> match the certificate your IT department gave you.
>
>> Sounds like something basic but perhaps not so obvious if the IT preferred
>> (and test) browser (Chrome) is more permissive? But surely this is so basic
>> that (even) Chrome can't pretend a site is secured if there's no link to
>> the root certificate?
>>
>
> Chrome is not known for being permissive about certificate checking. :)
> And no, it's (I hope) very unlikely that Chrome is calling a certificate OK
> even without being able to chain to a root in your machine's root
> certificate store. You can verify that by following the steps above.
>
> Also, what does Safari do?
>
>> I'm also following this up on evangelism@moz. I've got the impression
>> that there's global dissatisfaction with FF being "too strict" and it
>> *seems* like it's harder to get FF to "work" for IT? Or perhaps they just
>> know Chrome and not FF?
>>
>
> I also would not blame Firefox for being "too strict" here. Firefox'
> certificate validation policies are in line with industry norms. You
> shouldn't want any browser to blindly allow you to visit sites that should
> be secure but can't be validated as such due to a problem with the
> certificate chain.
>
> Keep in mind, your deployment scenario (enterprise MITM — presumably
> predicated on 'anti-virus' or 'data loss prevention') is identical to an
> actual attack, except that the IT department owns the computer and
> therefore it is OK for them to install this new root certificate. But no
> browser can 'know' that, except by seeing and using the certificate. So the
> good browser fails closed.
>
>> For me I'm currently working in Chrome because I *can't* work in FF. It's
>> been days now so this probably means I'm the last guy in my organisation
>> still hanging on to FF. I'm worried that this may be a global issue cutting
>> FF out of commercial (firewalled) use.
>>
>
> That is unlikely. Firefox is fine for these uses, and I'm sure it will
> turn out to be a glitch in the deployment or configuration.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
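Added example, not part of this thread and not Mozilla's or anyone's deployment tooling: a POSIX shell script that reproduces the three things discussed above from the command line. It builds a throwaway enterprise root plus a look-alike root with the same CN but a different key, prints the subject and issuer names the way AnilG compared his two exports, runs the "does the leaf chain up to this root" check that Chris describes doing in Chrome's Certificate Viewer, and shows the NSS `certutil` import into a Firefox profile's own certificate database. The CNs, file names and the Firefox profile path are constructed or assumed; it needs OpenSSL, and `certutil` (from NSS tools) only for the import step.

```shell
#!/bin/sh
# Added example, not part of the original thread. Requires OpenSSL; the NSS
# "certutil" tool is needed only for the Firefox import step. All
# certificates below are throwaway test material generated on the spot.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so the example does not depend on the system
# openssl.cnf. The [v3_ca] extensions are applied only to self-signed roots.
write_req_config() {
    cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Create a self-signed root: $1 = file stem, $2 = CN (constructed names).
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$WORK/req.cnf" \
        -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Constructed test chain: the "right" enterprise root, a second root that
# carries the *same* CN but a different key (a name alone does not make a
# root the right one), and one leaf issued by the right root, standing in
# for an intranet site re-signed by the enterprise MITM.
make_test_chain() {
    write_req_config
    make_root root       "Example Corp Enterprise Root"
    make_root other_root "Example Corp Enterprise Root"
    openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
        -subj "/CN=intranet.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
        -out "$WORK/leaf.pem" 2>/dev/null
}

# Show exactly which subject and issuer names a PEM file carries. (On macOS,
# the Keychain export done by hand in the thread is the same as:
#   security find-certificate -c "<name>" -p > root.pem)
cert_names() {
    openssl x509 -in "$1" -noout -subject -issuer
}

# Exit 0 if $2 (leaf) chains up to $1 (root), non-zero otherwise. This is the
# command-line form of the Certificate Viewer check: the name on the root
# tells you nothing, only a successful signature check does.
chains_to_root() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Import a root into one Firefox profile's NSS database as a trusted TLS CA
# ("C,,"). Firefox keeps its own store rather than reading the OS keychain,
# which is the extra step the thread complains about. $1 = root PEM,
# $2 = profile directory (assumed path, look yours up in about:profiles,
# e.g. ~/Library/Application Support/Firefox/Profiles/<id>.default),
# $3 = nickname to show in the certificate manager.
import_into_firefox_profile() {
    certutil -A -n "$3" -t "C,," -i "$1" -d "sql:$2"
}

make_test_chain
cert_names "$WORK/root.pem"
cert_names "$WORK/other_root.pem"
if chains_to_root "$WORK/root.pem" "$WORK/leaf.pem"; then
    echo "leaf chains to root.pem"
fi
if ! chains_to_root "$WORK/other_root.pem" "$WORK/leaf.pem"; then
    echo "leaf does NOT chain to other_root.pem despite the identical CN"
fi
```

To run the import step against a real profile, call `import_into_firefox_profile /path/to/root.pem "$HOME/Library/Application Support/Firefox/Profiles/<id>.default" "Example Corp Root"` with Firefox closed; `certutil -L -d sql:<profile>` then lists the nickname. Later Firefox releases also gained a `security.enterprise_roots.enabled` preference that makes Firefox trust roots already in the OS store (Windows first, macOS in later releases), which is the behaviour AnilG asks for above; it was not available when this thread was written.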