Bug#721153: iceweasel: unable to remove an ssl cert exception

Dietrich Clauss dc2 at clauss.dyndns.org
Wed Sep 4 09:28:18 UTC 2013


Daniel Kahn Gillmor wrote:
> On 08/28/2013 10:41 AM, Dietrich Clauss wrote:
> > 0. clean user, rm -r ~/.mozilla
> > 1. Set up an https server which uses a self-signed certificate, let's call
> >    it 'srv'
> > 2. Start iceweasel, watch https://srv
> > 3. iceweasel shows warning "untrusted connection"
> > 4. Click on "Understand the risk", "Add exception", "confirm exception"
> > 5. Exception gets stored permanently, iceweasel shows the content of
> >    https://srv
> > 6. Go to edit/preferences/advanced/encryption/view_certs
> > 7. Search the cert of https://srv and "delete or distrust" it
> 
> It sounds to me like you might be choosing to remove the certificate
> from your list of "Authorities" instead of from your list of "Servers".
>  Take a look at the tabs on the top of the "Certificate Manager" dialog box.
> 
> By choosing to "delete or distrust" the self-signed certificate from
> your list of root Certificate Authorities ("CAs"), you're simply saying
> that that certificate can't be used to certify *other* web sites (which
> should already be the case by default, take a look at the settings shown
> when you click the "Edit Trust..." button from the "Authorities" tab of
> the Certificate Manager -- they should all be unchecked).
> 
> I suspect you want to remove the certificate from the "Servers" tab, not
> the "Authorities" tab -- the remote server is not an authority, and is
> not being treated as such; it's being treated as a network peer, and
> telling iceweasel to not treat it as an authority isn't asking for
> anything to change.
> 
> Does this make sense?  This is possibly extra-confusing because some
> tools used for making self-signed certificates (e.g. "openssl req")
> automatically include the "CA:TRUE" X.509 certificate extension for
> self-signed certs, even though that's not technically needed for
> anything but an actual CA certificate (i.e. one that will certify the
> keys of other CAs or end entities).

That's correct, thanks for the explanation.

My fault.  This bug report can be closed.
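
The CA:TRUE point in the quoted explanation can be checked from the command line. This is an added example, not part of the original thread: it creates self-signed certificates for `srv` with the basicConstraints CA flag set explicitly and reports the flag. The function names, file names and config section names are assumptions, and it needs the `openssl` CLI.

```shell
#!/usr/bin/env bash
# Added example. "srv" comes from the bug report; function names, file
# names and config section names are hypothetical.

# make_selfsigned <outdir> <TRUE|FALSE>
# Creates key.pem and cert.pem for CN=srv with an explicit CA flag, using a
# private config so the result does not depend on the system openssl.cnf.
make_selfsigned() {
    local dir=$1 ca=$2
    mkdir -p "$dir" || return 1
    cat > "$dir/req.cnf" <<EOF
[req]
distinguished_name = dn
x509_extensions    = ext
prompt             = no
[dn]
CN = srv
[ext]
basicConstraints = critical,CA:$ca
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -config "$dir/req.cnf" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
}

# ca_flag <cert.pem>: prints TRUE, FALSE or ABSENT for the CA bit.
ca_flag() {
    local text
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    case $text in
        *CA:TRUE*)  echo TRUE ;;
        *CA:FALSE*) echo FALSE ;;
        *)          echo ABSENT ;;
    esac
}

# is_self_signed <cert.pem>: succeeds when subject and issuer names match.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject_hash)" = \
      "$(openssl x509 -in "$1" -noout -issuer_hash)" ]
}

# Demo: one cert with CA:TRUE as described in the thread, one without.
tmp=$(mktemp -d)
for ca in TRUE FALSE; do
    make_selfsigned "$tmp/$ca" "$ca" &&
        echo "CA:$ca requested -> ca_flag reports $(ca_flag "$tmp/$ca/cert.pem")"
done
rm -rf "$tmp"
```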