Bug#721153: iceweasel: unable to remove an ssl cert exception

2013-09-04 Thread Dietrich Clauss
Daniel Kahn Gillmor wrote:
 On 08/28/2013 10:41 AM, Dietrich Clauss wrote:
  0. clean user, rm -r ~/.mozilla
  1. Set up an https server which uses a self-signed certificate, let's call
 it 'srv'
  2. Start iceweasel, watch https://srv
  3. iceweasel shows warning untrusted connection
  4. Click on Understand the risk, Add exception, confirm exception
  5. Exception gets stored permanently, iceweasel shows the content of
 https://srv
  6. Go to edit/preferences/advanced/encryption/view_certs
  7. Search the cert of https://srv and delete or distrust it
 
 It sounds to me like you might be choosing to remove the certificate
 from your list of Authorities instead of from your list of Servers.
 Take a look at the tabs on the top of the Certificate Manager dialog box.
 
 By choosing to delete or distrust the self-signed certificate from
 your list of root Certificate Authorities (CAs), you're simply saying
 that that certificate can't be used to certify *other* web sites (which
 should already be the case by default, take a look at the settings shown
 when you click the Edit Trust... button from the Authorities tab of
 the Certificate Manager -- they should all be unchecked).
 
 I suspect you want to remove the certificate from the Servers tab, not
 the Authorities tab -- the remote server is not an authority, and is
 not being treated as such; it's being treated as a network peer, and
 telling iceweasel to not treat it as an authority isn't asking for
 anything to change.
 
 Does this make sense?  This is possibly extra-confusing because some
 tools used for making self-signed certificates (e.g. openssl req)
 automatically include the CA:TRUE X.509 certificate extension for
 self-signed certs, even though that's not technically needed for
 anything but an actual CA certificate (i.e. one that will certify the
 keys of other CAs or end entities).

That's correct, thanks for the explanation.

My fault.  This bug report can be closed.



Bug#721153: iceweasel: unable to remove an ssl cert exception

2013-09-03 Thread Daniel Kahn Gillmor
On 08/28/2013 10:41 AM, Dietrich Clauss wrote:
 0. clean user, rm -r ~/.mozilla
 1. Set up an https server which uses a self-signed certificate, let's call
it 'srv'
 2. Start iceweasel, watch https://srv
 3. iceweasel shows warning untrusted connection
 4. Click on Understand the risk, Add exception, confirm exception
 5. Exception gets stored permanently, iceweasel shows the content of
https://srv
 6. Go to edit/preferences/advanced/encryption/view_certs
 7. Search the cert of https://srv and delete or distrust it

It sounds to me like you might be choosing to remove the certificate
from your list of Authorities instead of from your list of Servers.
Take a look at the tabs on the top of the Certificate Manager dialog box.

By choosing to delete or distrust the self-signed certificate from
your list of root Certificate Authorities (CAs), you're simply saying
that that certificate can't be used to certify *other* web sites (which
should already be the case by default, take a look at the settings shown
when you click the Edit Trust... button from the Authorities tab of
the Certificate Manager -- they should all be unchecked).

I suspect you want to remove the certificate from the Servers tab, not
the Authorities tab -- the remote server is not an authority, and is
not being treated as such; it's being treated as a network peer, and
telling iceweasel to not treat it as an authority isn't asking for
anything to change.

Does this make sense?  This is possibly extra-confusing because some
tools used for making self-signed certificates (e.g. openssl req)
automatically include the CA:TRUE X.509 certificate extension for
self-signed certs, even though that's not technically needed for
anything but an actual CA certificate (i.e. one that will certify the
keys of other CAs or end entities).

hth,

--dkg

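As a defender-side check of the explanation above (a self-signed server certificate minted with CA:TRUE shows up under Authorities, while the stored exception is what the Servers tab lists), here is an added example that is not part of the bug thread: a small DER walker that reports the basicConstraints extension of a certificate. The certificate-shaped sample DER is constructed inside the script and is not a real certificate; a real one is assumed to be converted with `openssl x509 -in srv.pem -outform DER -out srv.der` and passed as the first argument.

```python
# Added example: report basicConstraints (cA, pathLen) of a DER-encoded X.509 certificate.
import sys

BASIC_CONSTRAINTS_OID = bytes.fromhex("551d13")   # 2.5.29.19 id-ce-basicConstraints

def read_tlv(buf, pos):
    """Parse one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                   # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def iter_tlvs(buf):
    """Yield (tag, value) for the consecutive TLVs that make up buf."""
    pos = 0
    while pos < len(buf):
        tag, value, pos = read_tlv(buf, pos)
        yield tag, value

def parse_basic_constraints(octets):
    """BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }"""
    ca, path_len = False, None
    for tag, value in iter_tlvs(read_tlv(octets, 0)[1]):
        if tag == 0x01:      # DER omits the FALSE default, but tolerate BER's explicit 01 01 00
            ca = value != b"\x00"
        elif tag == 0x02:
            path_len = int.from_bytes(value, "big")
    return ca, path_len

def basic_constraints(der):
    """Walk every constructed node; return (cA, pathLen) or None if the extension is absent."""
    stack = [der]
    while stack:
        items = list(iter_tlvs(stack.pop()))
        # Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }
        if items and items[0] == (0x06, BASIC_CONSTRAINTS_OID):
            return parse_basic_constraints(items[-1][1])
        stack.extend(value for tag, value in items if tag & 0x20)   # descend into constructed TLVs
    return None

def tlv(tag, value):
    """Short-form DER encoder for the constructed sample below (values under 128 bytes)."""
    return bytes([tag, len(value)]) + value

def sample_cert(ca, path_len=None):
    """Constructed certificate-shaped DER (not a real cert): SEQUENCE { tbs { [3] { SEQUENCE OF { Extension } } } }."""
    bc = tlv(0x01, b"\xff") if ca else b""
    if path_len is not None:
        bc += tlv(0x02, bytes([path_len]))
    ext = tlv(0x30, tlv(0x06, BASIC_CONSTRAINTS_OID) + tlv(0x01, b"\xff") + tlv(0x04, tlv(0x30, bc)))
    return tlv(0x30, tlv(0x30, tlv(0xA3, tlv(0x30, ext))))

if __name__ == "__main__":
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else sample_cert(True)
    print("basicConstraints (cA, pathLen):", basic_constraints(data))
```

A result of `(True, ...)` on a server certificate is the situation described above: the browser also lists it as an authority, but distrusting it there does not touch the server exception.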


Bug#721153: iceweasel: unable to remove an ssl cert exception

2013-08-28 Thread Dietrich Clauss
Package: iceweasel
Version: 17.0.8esr-2
Severity: important

Dear Maintainer,

When storing a security exception permanently and removing it later, the
cert will disappear from the list but it still gets accepted.

To reproduce:

0. clean user, rm -r ~/.mozilla
1. Set up an https server which uses a self-signed certificate, let's call
   it 'srv'
2. Start iceweasel, watch https://srv
3. iceweasel shows warning untrusted connection
4. Click on Understand the risk, Add exception, confirm exception
5. Exception gets stored permanently, iceweasel shows the content of
   https://srv
6. Go to edit/preferences/advanced/encryption/view_certs
7. Search the cert of https://srv and delete or distrust it
8. Try to watch https://srv again.  Iceweasel should now 
   show the untrusted connection warning again, but it doesn't.  Try
   to refresh the page, clean the cache or restart the browser.  The
   warning won't reappear.
9. Go to edit/preferences/advanced/encryption/view_certs again and look
   for the cert of https://srv.  It isn't there.

This may be related to bug #627552, but it also happens if the site is
not loaded from cache.

BTW: The info below was inserted by reportbug, which wasn't invoked from
within the clean user environment.  The extensions BetterPrivacy and
WebDeveloper were not active.  However, I could also reproduce the
problem when these extensions are active.

-- Package-specific info:

-- Extensions information
Name: Adblock Plus
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
Package: xul-ext-adblock-plus
Status: enabled

Name: BetterPrivacy
Location: ${PROFILE_EXTENSIONS}/{d40f5e7b-d2cf-4856-b441-cc613eeffbe3}
Status: enabled

Name: Default theme
Location: /usr/lib/iceweasel/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled

Name: Deutsch (DE) Language Pack locale
Location: /usr/lib/iceweasel/extensions/langpack...@iceweasel.mozilla.org.xpi
Package: iceweasel-l10n-de
Status: enabled

Name: Web Developer
Location: ${PROFILE_EXTENSIONS}/{c45c406e-ab73-11d8-be73-000a95be3b12}.xpi
Status: enabled

-- Plugins information
Name: DivX® Web Player
Location: /usr/lib/mozilla/plugins/libtotem-mully-plugin.so
Package: totem-mozilla
Status: enabled

Name: Gnome Shell Integration
Location: /usr/lib/mozilla/plugins/libgnome-shell-browser-plugin.so
Package: gnome-shell
Status: enabled

Name: QuickTime Plug-in 7.6.6
Location: /usr/lib/mozilla/plugins/libtotem-narrowspace-plugin.so
Package: totem-mozilla
Status: enabled

Name: Shockwave Flash
Location: /usr/lib/flashplugin-nonfree/libflashplayer.so
Status: enabled

Name: Skype Buttons for Kopete
Location: /usr/lib/mozilla/plugins/skypebuttons.so
Package: kopete
Status: enabled

Name: VLC Multimedia Plugin (compatible Totem 3.0.1)
Location: /usr/lib/mozilla/plugins/libtotem-cone-plugin.so
Package: totem-mozilla
Status: enabled

Name: Windows Media Player Plug-in 10 (compatible; Totem)
Location: /usr/lib/mozilla/plugins/libtotem-gmp-plugin.so
Package: totem-mozilla
Status: enabled

Name: iTunes Application Detector
Location: /usr/lib/mozilla/plugins/librhythmbox-itms-detection-plugin.so
Package: rhythmbox-plugins
Status: enabled


-- Addons package information
ii  gnome-shell     3.4.2-12      amd64  graphical shell for the GNOME des
ii  iceweasel       17.0.8esr-2   amd64  Web browser based on Firefox
ii  iceweasel-l10n  1:17.0.8esr-  all    German language package for Icewe
ii  kopete          4:4.8.4-3     amd64  instant messaging and chat applic
ii  rhythmbox-plug  2.99.1-3      amd64  plugins for rhythmbox music playe
ii  totem-mozilla   3.0.1-9       amd64  Totem Mozilla plugin
ii  xul-ext-adbloc  2.2.3-1       all    Advertisement blocking extension

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable'), (400, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 3.10-2-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages iceweasel depends on:
ii  debianutils 4.4
ii  fontconfig  2.10.2-2
ii  libc6   2.17-92
ii  libgdk-pixbuf2.0-0  2.28.2-1
ii  libglib2.0-02.36.3-3
ii  libgtk2.0-0 2.24.20-1
ii  libnspr42:4.10-1
ii  libnspr4-0d 2:4.10-1
ii  libsqlite3-03.7.17-1
ii  libstdc++6  4.8.1-2
ii  procps  1:3.3.4-2
ii  xulrunner-17.0  17.0.8esr-2

iceweasel recommends no packages.

Versions of packages iceweasel suggests:
ii  fonts-stix [otf-stix]  1.1.0-1
ii  libgssapi-krb5-2   1.10.1+dfsg-6.1
pn  mozplugger none