GeertJan.deGroot@xs4all.nl Reporter
	Description • 13 years ago

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.13) Gecko/20101206 Ubuntu/10.04 (lucid) Firefox/3.6.13
Build Identifier: 3.6.13 (cfm'ed with multiple versions)

SSL certificates are never signed by CA certifcate anymore these days. In many cases, a chain of intermediate certificates is used. The SSL protocol specifies that these intermediate certificates are sent along with the own SSL certificate. People tend to misconfigure this these days, only sending the end certificate, not the complete chain.

Firefox caches these intermediate certificates. If you've been at a web site that uses and supplies these intermediates, then you can access the offending website without a warning of any kind.
The problem is so widely spread that, should firefox remove the cache, the world would break so this is not an option.

People who browse to offending sites from a clean browser with clean certificate chain, get a warning they don't understand and get tought to 'click through' the serious security warning message. This is wrong.

I would like to have a knob added that would disable the SSL intermediate cache. Developers can set the knob, get the error, and hopefully are clued up enough to know where they failed. For end users, nothing changes.

I spoke to zzxc and he doesn't know about such a knob either.


Reproducible: Always

Steps to Reproduce:
1. Start browser with clean profile
2. Browse to web site with incomplete SSL cert chain
3. Observe the SSL warning
4. Observe that, once the browser has obtained the certificate earlier, the browser no longer sends a warning.
Actual Results:  
Broswer produces warning when it shouldn't and not produce warning when it does.

Expected Results:  
verify the complete cert chain as supplied, or at least have an option to do this

	Daniel Veditz [:dveditz]
	Comment 1 • 13 years ago

NSS has a bunch of environment variables it uses to control various settings, but I don't know if there's a complete list or if this type of thing is on there.

	Kai Engert (:KaiE:)
	Comment 2 • 13 years ago

It's PSM which caches intermediates.

There is currently no environemnt variable to influence that.

	Andreas van dem Helge
	Comment 3 • 12 years ago

We need a proper consensus on the SSL handling. Currently it is too mixed. How can we have here the attitude of "the world would break" [if we don't continue accept invalid SSL certificates] when we are saying the issue is the website is setup incorrectly? Philosophically this is counter to why SSL exists. 

Then we go to other bugs such as Bug 435013 or Bug 385471 where "The issue itself is a bug in the device" and there should be no workaround in Firefox to **allow the website to function or be viewed** 

So on one end we are accepting broken SSL certificates WITHOUT EVEN PROMPTING OR WARNING THE USER and on the other end we are making it hard or almost impossible for users to access sites with "invalid SSL certificates"

	Nathan G. Grennan
	Comment 4 • 12 years ago

I have been running into this issue for years, and would love to see it fixed. I just ran into it again. It makes it so the only way I can properly test a new SSL certificate setup is a fresh profile, and that profile can only be used once.

	Jesse Ruderman
	Comment 5 • 11 years ago

Rather than a pref to show a big error page, how about a small note in the Larry panel? (Bug 711816)

You can always create a new profile if you really want a bit error page.

	Kai Engert (:KaiE:)
	Comment 6 • 11 years ago

Start with a new (empty) firefox profile, and switch to private browsing mode.

In this mode, Firefox doesn't remember intermediate CA certs.

Restart Firefox the empty firefox profile and private browsing mode for each site that you want to test.

	Arthur Edelstein [:arthur] Assignee
	Comment 8 • 9 years ago

Here's a patch that exposes a pref, 'security.nocertdb' to hold the intermediate certificate store in memory only. This patch is used in Tor Browser to avoid writing a user's browsing history to disk.

	Dana Keeler (she/her) (use needinfo) [:keeler] (on leave)
	Comment 9 • 9 years ago

Comment on attachment 8617659 [details] [diff] [review]
0001-Expose-pref-to-make-Intermediate-Cert-Store-memory-o.patch

Review of attachment 8617659 [details] [diff] [review]:
-----------------------------------------------------------------

In terms of addressing the issue of debugging a server that might not be sending the appropriate intermediates, this patch is only slightly better than simply using a new profile (since you have to set the pref and restart Firefox). However, since it also addresses a use-case for Tor, it does seem like an overall improvement.

The commit message will have to be modified a bit. The "From:" field may or may not work (I think using a "User:" field is more common for mozilla-central). Also, the format of the summary should be "bug [number] - [description of changes] r=[reviewer]".

r=me with comments addressed.

::: security/manager/ssl/nsNSSComponent.cpp
@@ +743,4 @@
>  static const bool FALSE_START_ENABLED_DEFAULT = true;
>  static const bool NPN_ENABLED_DEFAULT = true;
>  static const bool ALPN_ENABLED_DEFAULT = false;
> +static const bool SECURITY_NOCERTDB_DEFAULT = false;

Since we're only accessing the preference once, this isn't necessary.

@@ +1016,2 @@
>      // First try to initialize the NSS DB in read/write mode.
>      SECStatus init_rv = ::mozilla::psm::InitializeNSS(profileStr.get(), false);

Please also fix this bug where we re-declare init_rv and thus always call NSS_NoDB_Init.

	Arthur Edelstein [:arthur] Assignee
	Comment 10 • 9 years ago

Thanks for the review. Here's the patch with requested changes made.

Try results: https://treeherder.mozilla.org/#/jobs?repo=try&revision=454834a255f6

	Pulsebot
	Comment 11 • 9 years ago

https://hg.mozilla.org/integration/mozilla-inbound/rev/5d47d1ff7e56

	Wes Kocher (:KWierso) (Not reading bugmail; email directly if needed)
	Comment 12 • 9 years ago

https://hg.mozilla.org/mozilla-central/rev/5d47d1ff7e56