How can I display self signed certificate sites in FF33? (sec_error_ca_cert_invalid)
Hello,
I am using FF33 on Win7. I've noticed that in recent versions, FF no longer allows me to view sites with self-signed certificates. In previous versions, there was an option to add an exception, but now it simply states that I need to contact the owner of the website (see actual error message below). Unfortunately, many of our internal sites and equipment (routers, etc.) use self-signed certificates and will never be otherwise. How can I view these sites? As I'm not willing to downgrade for fear of security vulnerabilities in older code, my only workaround as of now is to use another browser. Please advise. Thanks!
Error message: Secure Connection Failed
An error occurred during a connection to infoblox.vistaone.local. Issuer certificate is invalid. (Error code: sec_error_ca_cert_invalid) The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
All Replies (6)
hello, self-signed certificates are not gone for good - however there is now a stricter error handling in place. the self-signed certificates for your internal sites might have to be reissued with the proper setup, also see: https://developer.mozilla.org/en-US/docs/Mozilla/Security/x509_Certificates#Error_Codes_in_Firefox_2
Thank you philipp for your reply. I understand your point, but reissuing the certificates is not going to be a practical solution. Some of our customers have hundreds of network devices using self-signed certificates that won't meet the new security checks. I think they will simply choose another browser that allows for an override of the security checks rather than update the certificates on all of those devices. Is there no way to override the security check in FF33?
There is a Firefox 33.1 version on the way that might fix this issue, so check that out in a few days.
Bug 1042889 - mozilla::pkix, cannot override sec_error_ca_cert_invalid with version 1 certificate, and other scenarios (with or without pkix)
apparently the fix is already present in the current firefox 31.2.0 extended support release: https://www.mozilla.org/en-US/firefox/organizations/all/
Thank you Cor-el for that info. I'll look for the 33.1 release and see if that fixes the issue. @philipp, that is good to know that the extended support release 31.2.0 has a fix. However, we are not using the ESR versions and stick to the GA releases. Also, I'm not just concerned about our company, but all of our customers who have purchased appliances from us that use self-signed certificates for management. I obviously cannot control their environments. But at least I can now recommend the ESR 31.2.0 release instead of just recommending to use another browser. Thanks for your help!
It only works in Firefox 31.2.0 if SSL3 is enabled (security.tls.version.min = 0; default).
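Bug 1042889, cited in the thread, names version 1 certificates as one scenario in which sec_error_ca_cert_invalid cannot be overridden. The following Python code is an added example, not part of the original thread and not Mozilla's code: it reads the X.509 version from a DER certificate so an administrator can inventory which devices present v1 certificates. All function names, device names and sample bytes are constructed for illustration.

```python
import ssl

def _tlv(buf, pos):
    """Parse one DER element at pos; return (tag, value_start, value_end)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:                      # short-form length
        length = first
    else:                                 # long-form: next n bytes hold the length
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, pos, pos + length

def x509_version(der):
    """Return the X.509 version (1, 2 or 3) of a DER-encoded certificate."""
    tag, start, _ = _tlv(der, 0)          # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a certificate")
    tag, start, _ = _tlv(der, start)      # TBSCertificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a certificate")
    tag, vstart, _ = _tlv(der, start)     # optional [0] EXPLICIT version
    if tag != 0xA0:
        return 1                          # field absent: DEFAULT v1
    tag, istart, iend = _tlv(der, vstart)
    if tag != 0x02:
        raise ValueError("version is not an INTEGER")
    return int.from_bytes(der[istart:iend], "big") + 1

def fetch_der(host, port=443):
    """Fetch a device's certificate without validating it (inventory use only)."""
    return ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))

def v1_devices(certs):
    """Given {name: DER bytes}, return the sorted names presenting v1 certificates."""
    return sorted(name for name, der in certs.items() if x509_version(der) == 1)

# Constructed stubs: only the leading fields of a certificate, enough for the parser.
SAMPLE_V1 = bytes.fromhex("30053003020101")
SAMPLE_V3 = bytes.fromhex("300a3008a003020102020101")
```

The version is only one of the scenarios the bug title mentions, so a v3 result does not by itself mean the certificate will be accepted.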