Bug#721153: iceweasel: unable to remove an ssl cert exception

Daniel Kahn Gillmor dkg at fifthhorseman.net
Tue Sep 3 20:41:20 UTC 2013


On 08/28/2013 10:41 AM, Dietrich Clauss wrote:
> 0. clean user, rm -r ~/.mozilla
> 1. Set up a https server which uses a self-signed certificate, let's call
>    it 'srv'
> 2. Start iceweasel, watch https://srv
> 3. iceweasel shows warning "untrusted connection"
> 4. Click on "Understand the risk", "Add exception", "confirm exception"
> 5. Exception gets stored permanently, iceweasel shows the content of
>    https://srv
> 6. Go to edit/preferences/advanced/encryption/view_certs
> 7. Search the cert of https://srv and "delete or distrust" it

It sounds to me like you might be choosing to remove the certificate
from your list of "Authorities" instead of from your list of "Servers".
Take a look at the tabs on the top of the "Certificate Manager" dialog box.

By choosing to "delete or distrust" the self-signed certificate from
your list of root Certificate Authorities ("CAs"), you're simply saying
that that certificate can't be used to certify *other* web sites (which
should already be the case by default, take a look at the settings shown
when you click the "Edit Trust..." button from the "Authorities" tab of
the Certificate Manager -- they should all be unchecked).

I suspect you want to remove the certificate from the "Servers" tab, not
the "Authorities" tab -- the remote server is not an authority, and is
not being treated as such; it's being treated as a network peer, and
telling iceweasel to not treat it as an authority isn't asking for
anything to change.

Does this make sense?  This is possibly extra-confusing because some
tools used for making self-signed certificates (e.g. "openssl req")
automatically include the "CA:TRUE" X.509 certificate extension for
self-signed certs, even though that's not technically needed for
anything but an actual CA certificate (i.e. one that will certify the
keys of other CAs or end entities).

hth,

	--dkg
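An added example, not part of dkg's message and not Iceweasel/Mozilla code: the "Servers" exception that step 4 above creates is written to the profile's cert_override.txt, a tab-separated text file, while the "Authorities" trust bits live in the NSS database (cert8.db). The script below parses that override file, lists what each exception overrides (the U flag is the untrusted-issuer case a self-signed server cert produces), and drops the line for a given host:port. It assumes the tab-separated five-field layout described in its docstring; the sample file contents, fingerprints and database keys are constructed placeholders.

```python
"""Parse and prune the server-exception store of a Firefox/Iceweasel profile.

Added example, not code from the original report or from Mozilla. It assumes
the cert_override.txt layout used by Firefox-era profiles: comment lines start
with '#', and each override is one tab-separated line of

    host:port  fingerprint-hash OID  fingerprint  flags  database key

where the flags are any of M (hostname mismatch), U (untrusted issuer, i.e.
the self-signed case from the bug report) and T (validity period).
The sample file below is constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Tuple

FLAG_MEANING = {
    "M": "hostname mismatch overridden",
    "U": "untrusted issuer overridden (self-signed or unknown CA)",
    "T": "validity period overridden (expired or not yet valid)",
}

# Constructed sample of ~/.mozilla/firefox/<profile>/cert_override.txt.
# Fingerprints and DB keys are placeholders, not real values.
SAMPLE_FILE = "\n".join([
    "# PSM Certificate Override Settings file",
    "# This is a generated file! Do not edit.",
    "\t".join(["srv:443", "OID.2.16.840.1.101.3.4.2.1",
               ":".join(["AB"] * 32), "U", "AAAAexampleDbKeyForSrv=="]),
    "\t".join(["intranet.example:8443", "OID.2.16.840.1.101.3.4.2.1",
               ":".join(["CD"] * 32), "MU", "AAAAexampleDbKeyForIntranet=="]),
]) + "\n"


@dataclass(frozen=True)
class Override:
    host: str
    port: int
    hash_oid: str
    fingerprint: str
    flags: str
    db_key: str

    def describe(self) -> str:
        """Human-readable summary: which checks this exception bypasses."""
        reasons = ", ".join(FLAG_MEANING.get(f, f"unknown flag {f!r}")
                            for f in self.flags)
        return f"{self.host}:{self.port} {self.fingerprint[:23]}... [{reasons}]"


def parse_overrides(text: str) -> List[Override]:
    """Return every override in the file; comments and blank lines are skipped."""
    overrides = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 tab-separated fields, "
                             f"got {len(fields)}")
        hostport, oid, fingerprint, flags, db_key = fields
        # rpartition keeps IPv6 literals such as [::1]:443 intact.
        host, _, port = hostport.rpartition(":")
        if not host or not port.isdigit():
            raise ValueError(f"line {lineno}: bad host:port {hostport!r}")
        overrides.append(Override(host, int(port), oid, fingerprint, flags, db_key))
    return overrides


def remove_override(text: str, host: str, port: int = 443) -> Tuple[str, int]:
    """Drop the exception for host:port. Returns (new text, lines removed).

    Comment lines and other hosts are preserved byte-for-byte, so the result
    can be written back in place of the original file.
    """
    target = f"{host}:{port}\t"
    kept, removed = [], 0
    for line in text.splitlines():
        if line.startswith(target):
            removed += 1
        else:
            kept.append(line)
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    import sys
    # Pass a real cert_override.txt path to inspect it; default is the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_FILE
    for override in parse_overrides(text):
        print(override.describe())
    new_text, n = remove_override(text, "srv")
    print(f"removing srv:443 would drop {n} line(s)")
```

Run it against a real profile only with Iceweasel closed and after backing the file up, since the browser rewrites cert_override.txt on exit. Note that nothing here touches cert8.db: that is exactly why "delete or distrust" on the Authorities tab leaves the exception in place.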
