Re: [Mozilla Enterprise] CAs already in Local Computer Cert Stores aren't accessed by Firefox.

2017-08-09 Thread David Keeler
On 08/09/2017 05:26 AM, Lance Spencer wrote:
> Thanks for the reply. I'm trying to understand the process better with
> FireFox and the Microsoft certificate stores, and this is helping.
> 
> I know my
> HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates
> registry key holds my "Root" certificates for the sites I'm going to. (This
> location also corresponds to the Certificates (Local Computer)\Trusted Root
> Certificates\Certificates container in certmgr.msc.)
> 
> I tried the setting "logging.pipnss": "Debug" and it didn't produce any
> output from "cmd.exe" or "Powershell".
> 
> So for my understanding, does the "security.enterprise_roots.enabled"
> setting only allow for pulling the "root" certs from the Microsoft cert
> stores? 

Correct - the implementation only imports trusted root certificates.

> We have another mechanism that populates the Microsoft Trusted Roots and
> Intermediate CAs containers with all our required Root & Intermediate CA
> certs. All of the CA certificates that Firefox would need to access would
> already be in the Microsoft certificate stores. As far as I am aware of,
> there is no ability for the site that is being accessed, to provide
> Intermediate CA certs during the TLS handshake.

The TLS specification requires that servers send a list of certificates
starting from the server's certificate and chaining to a trusted
self-signed root certificate (which may be omitted), so it's not
surprising you're running into compatibility issues by not including
intermediate certificates. See
https://tools.ietf.org/html/rfc5246#section-7.4.2 ("certificate_list")

Hope this helps,
David

> Will Firefox still only look at "Root" CA certs?
> 
> Sincerely,
> 
> Lance Spencer
> Juno Technologies
> lance.spen...@junotech.com
> Cell: (757)846-5834
> 
> 
> -Original Message-
> From: Enterprise [mailto:enterprise-boun...@mozilla.org] On Behalf Of David
> Keeler
> Sent: Tuesday, August 8, 2017 4:51 PM
> To: enterprise@mozilla.org
> Subject: Re: [Mozilla Enterprise] CAs already in Local Computer Cert Stores
> aren't accessed by Firefox.
> 
> Here are some things you could try:
> 
> * Add an about:config preference "logging.pipnss" with the string value
> "Debug". Then, set "security.enterprise_roots.enabled" to true and see what
> output you get in the console (not the browser console but an OS console -
> I'm not actually sure how to do this on Windows - run Firefox from
> powershell or cmd.exe?)
> 
> * Where are the certificates you're trying to use installed on Windows?
> Firefox examines CERT_SYSTEM_STORE_LOCAL_MACHINE,
> CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY, and
> CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE, which correspond to
> HKLM\SOFTWARE\Microsoft\SystemCertificates,
> HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates,
> and HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates,
> respectively.
> 
> * Are the servers you're trying to access sending the appropriate
> intermediate certificates? Firefox doesn't import intermediates via this
> mechanism - they must be sent in the TLS handshake.
> 
> Hope this helps,
> David
> 
> On 08/08/2017 12:02 PM, Lance Spencer wrote:
>> I've tried to review many blogs/forum strings that discuss getting 
>> Firefox to use the local computer certificates stores on Windows. I 
>> didn't want to bother this group with this issue unless I at least 
>> tried to figure some things out for myself. So far I have been 
>> unsuccessful to get this to work.
>>
>> We use an executable that installs CA certs in the Trusted Root and 
>> Intermediate certificate local computer certificate stores on Windows
>> 7/10 workstations, as well as 2008/2012/2016 servers. We have domains 
>> that have anywhere from 200 to 3000 computers that need CA 
>> certificates to be updated on a regular basis. If FireFox could use 
>> those same certs, it'd be a lot less complicated to update the Firefox 
>> settings to use the appropriate root & intermediate CA certs.
>>
>> We would like to leverage the security.enterprise_roots.enabled 
>> setting to allow the Firefox browser to use the CA certificates we 
>> place in the local computer certificate stores.
>>
>> I've tried configuring a Windows 7 (64-bit) machine with Firefox ESR 
>> 52.3, to use the local computer certificate stores.
>> security.enterprise_roots.enabled=true. I've then tried to browse to 
>> HTTPS sites that require our workstations to have the sup

Re: [Mozilla Enterprise] Super slow pages after update from 45.9->52.1 ESR

2017-04-26 Thread David Keeler
Firefox has a couple of tools that could be helpful in tracking down the
issue. The network monitor might illustrate if the problem is in the
network or not (Tools -> Web Developer -> Network). You could also try
the new Gecko profiler ( https://perf-html.io/ - here's a talk on how to
use it: https://air.mozilla.org/gecko-profiler-introduction/ ). It's a
bit more heavy-weight (and you can do more with it on more recent
versions of Firefox than 52), but it can help diagnose these sorts of
issues.

Cheers,
David

On 04/26/2017 04:50 PM, Jim Weill wrote:
> I tried bringing up a local wiki we have on a server internal to our
> network, and even that page took well over 30+ seconds to load.  We've
> been avoiding adding Chrome to our managed software list, but this
> experience has me re-considering it, honestly.
> 
> jim
> 
> 
> On 4/25/2017 6:38 PM, Stephanie Daugherty wrote:
>> Pages have also become a lot "heavier" with massive javascript
>> libraries, AJAX, higher resolution images, and the like. Given that
>> developers tend to have powerful machines, and testers may only test
>> with a few tabs open, a lot of this slips by. Web pages these days are
>> applications in their own right, and like any other application, as
>> more resources become available, instead of those resources making the
>> applications run faster, the developers use the resources to squeeze
>> more bloat into the applications.
>>
> 
> 
> ___
> Enterprise mailing list
> Enterprise@mozilla.org
> https://mail.mozilla.org/listinfo/enterprise
> 
> To unsubscribe from this list, please visit
> https://mail.mozilla.org/listinfo/enterprise or send an email to
> enterprise-requ...@mozilla.org with a subject of "unsubscribe"




Re: [Mozilla Enterprise] CA:AddRootToFirefox Experimental Built-in Windows Support

2016-11-08 Thread David Keeler
Hi Eric,

The wiki was slightly out of date and didn't specify the actual registry
locations searched, so I updated it.

In any case, it turns out that's not a location that's supported.
Firefox 49 searches HKLM\SOFTWARE\Microsoft\SystemCertificates and
Firefox 52 was updated to search
HKLM\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates
and HKLM\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates as
well. (The feature isn't available in ESR 45 at all.)

Hope this helps,
David

On 11/08/2016 11:03 AM, eric_nich...@ord.uscourts.gov wrote:
> Regarding https://wiki.mozilla.org/CA:AddRootToFirefox "Experimental
> Built-in Windows Support"
> 
> I have tried setting "security.enterprise_roots.enabled" to true but a
> site signed by the cert in
> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates
> is failing to be recognized as secure.
> 
> I have tried both ESR 45.4.0 and standard 49.0.2, toggling it on, off
> and on and restarting multiple times. Can anyone else confirm that it is
> working for them?
> 
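
A check that ties the 2017-08-08 reply (which registry locations Firefox reads, and that intermediates must come from the TLS handshake) to the 2016-11-08 reply above (which Firefox version reads which location). This is an added example, not code posted to the list and not Firefox's own implementation: it reads the three registry locations David names, captures the certificate_list a server actually sends, and reports whether the top of that chain is issued by a root Firefox would import. The host name in the last line is an assumption; the "Blob" layout follows the CryptoAPI property-record format, and the detail that .NET's SslStream places the peer's extra certificates in ChainPolicy.ExtraStore is stated as an assumption in the code, so confirm it on your own build.

```powershell
# Added example, not code from the thread or from Firefox. Lists the roots in
# the three registry locations Firefox reads when security.enterprise_roots.enabled
# is set, captures what a server sends in its TLS certificate_list, and checks
# whether the top of that chain is issued by one of those roots.

$RootStores = @(
    # Root store beneath HKLM\SOFTWARE\Microsoft\SystemCertificates (read since Firefox 49)
    @{ Name = 'LOCAL_MACHINE (Firefox 49+)';              Path = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates' }
    @{ Name = 'LOCAL_MACHINE_GROUP_POLICY (Firefox 52+)'; Path = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\Root\Certificates' }
    @{ Name = 'LOCAL_MACHINE_ENTERPRISE (Firefox 52+)';   Path = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\Root\Certificates' }
)

function ConvertFrom-CertBlob {
    # Each "Blob" value is a run of records: UInt32 propId, UInt32 reserved,
    # UInt32 length, then length bytes. Property 0x20 (CERT_CERT_PROP_ID)
    # carries the DER-encoded certificate; every other property is skipped.
    param([byte[]]$Blob)
    $pos = 0
    while ($pos + 12 -le $Blob.Length) {
        $propId = [BitConverter]::ToUInt32($Blob, $pos)
        $len    = [int][BitConverter]::ToUInt32($Blob, $pos + 8)
        $pos   += 12
        if ($propId -eq 0x20) {
            $der = [byte[]]$Blob[$pos..($pos + $len - 1)]
            return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(,$der)
        }
        $pos += $len
    }
}

function Get-FirefoxVisibleRoots {
    # One object per certificate, tagged with the physical store it came from,
    # so you can see whether a Firefox 49 client (first store only) would find it.
    foreach ($store in $RootStores) {
        if (-not (Test-Path $store.Path)) { continue }
        foreach ($key in Get-ChildItem $store.Path) {
            $cert = ConvertFrom-CertBlob (Get-ItemProperty $key.PSPath).Blob
            if ($cert) {
                [pscustomobject]@{ Store = $store.Name; Subject = $cert.Subject; Thumbprint = $cert.Thumbprint }
            }
        }
    }
}

function Get-PresentedChain {
    param([string]$HostName, [int]$Port = 443)
    $script:Presented = @()
    # Assumption: SslStream hands the callback the leaf plus an X509Chain whose
    # ChainPolicy.ExtraStore holds the other certificates received from the peer.
    # Returning $true only lets this diagnostic finish; a real client must not.
    $validate = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        $script:Presented = @($leaf) + @($chain.ChainPolicy.ExtraStore)
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
        $ssl.AuthenticateAsClient($HostName)
        $ssl.Dispose()
    } finally { $tcp.Close() }
    return $script:Presented
}

function Test-FirefoxChain {
    param([string]$HostName, [int]$Port = 443)
    $roots = @(Get-FirefoxVisibleRoots)
    $sent  = @(Get-PresentedChain $HostName $Port)
    if ($sent.Count -eq 0) { throw "No certificate received from $HostName" }

    # Follow issuer links through what the server sent. Firefox needs the issuer
    # of the topmost sent certificate among the imported roots; it does not fill
    # gaps from the Windows Intermediate CA store. Name comparison by DN string is
    # a diagnostic shortcut; real chain building matches encoded names and key IDs.
    $top = $sent[0]
    while ($top.Subject -ne $top.Issuer) {
        $next = $sent | Where-Object { $_.Subject -eq $top.Issuer -and $_.Thumbprint -ne $top.Thumbprint } | Select-Object -First 1
        if (-not $next) { break }
        $top = $next
    }
    $needed = if ($top.Subject -eq $top.Issuer) { $top.Subject } else { $top.Issuer }
    $hits   = @($roots | Where-Object { $_.Subject -eq $needed })

    [pscustomobject]@{
        HostName          = $HostName
        CertsSent         = $sent.Count
        TopIssuer         = $needed
        FoundInStores     = ($hits | ForEach-Object { $_.Store }) -join '; '
        LikelyOkInFirefox = ($hits.Count -gt 0)
    }
}

# Host name is an assumption; point it at an internal server that fails in Firefox.
Test-FirefoxChain -HostName 'intranet.example.com' | Format-List
```

When a server sends only its end-entity certificate, TopIssuer comes back as the intermediate's name and FoundInStores is empty even though the intermediate sits in the Windows Intermediate CA store; that is exactly the case described in the thread, and the fix is on the server, not in Firefox.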

Re: [Mozilla Enterprise] FireFox not working for HTTPS sites

2016-11-02 Thread David Keeler
What error is Firefox displaying when users attempt to connect to https
sites?
Also, you might try adding a pref called
"security.enterprise_roots.enabled" and setting it to true (available in
a minimal capacity in 49, but it works much better in 52).

On 11/02/2016 01:12 PM, Pray, Roger wrote:
> We’ve had FireFox deployed in our Enterprise for quite a number of years
> now, however recently our security team has deployed some new feature
> functionality to confirm that all SSL packets don’t contain certain
> types of information, they are effectively doing a man in the middle
> attack on all outgoing and incoming SSL packets.
> 
> This has resulted in almost every HTTPS site – such as google – throwing
> invalid certificate errors.
> 
> I’ve tried to import our domain certificate into FireFox using CCK2 –
> and it appears to be in there as when I’ve manually done an import I get
> an error that it is already present.  But we still continue to get error
> messages when visiting these sites.
> 
> I am resisting pressure from my management team to do a mass uninstall
> of FireFox and just switch to Chrome, but with each failure to implement
> a work around, it gets harder and harder to do so.
> 
> Does anyone know of a solution that I can implement that will work with
> pre-existing profiles for 3000+ PCs.
> 
> Thanks.
> 

Re: [Mozilla Enterprise] Trusting Root CA's on Windows: which registry keys? (issue 1265113)

2016-10-13 Thread David Keeler
The new functionality is a result of bug 1289865 [0] being fixed.
Barring the unexpected, these changes will ship in Firefox 52.

Thank you to everyone who has tested out and given feedback on this
feature, and thank you in particular to Bruno for investigating which
trust store identifiers to use.

As always, please let us know if this feature does not work as expected.

Cheers,
David

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=1289865

On 10/13/2016 04:32 AM, Michael Haase wrote:
> Hi Bruno,
> 
> I can confirm the same for my environment.
> FF 50b6 seems not to have the new routine, but with FF52a1 nightly it
> works on all tested machines now.
> 
> Michael
> 
> From: Bruno Marsal 
> 
> Just installed the nightly from few hours ago, set
> security.enterprise_roots.enabled and verified FF trusts certificates
> created by those stored in CERT_SYSTEM_STORE_LOCAL_MACHINE_ENTERPRISE
> and CERT_SYSTEM_STORE_LOCAL_MACHINE_GROUP_POLICY. It works!
> 
> Very happy this was implemented finally.
> 
> Bruno
> 