Connection untrusted for Twitter even after addition of security exception

  • 5 replies
  • 4 people have this problem
  • 8 views
  • Last reply by Daneelro3

I use Firefox on my office computer behind a company firewall and a server re-issuing security certificates for secure sites. Like for many other users, normally this only leads to the annoyance of having to add security exceptions for https sites manually. However, for Twitter.com, even that won't work. First I got the connection not trusted message with "The certificate is not trusted because no issuer chain was provided". Then I enabled browser.xul.error_pages.expert_bad_cert, but all that happened was that the error message reloaded.

I tried deleting the certificate, the cookie, cache, history, the cert8.db file, and also tried it in secure mode with all addons disabled, still no luck. I had no such problem with IE9 on the same computer or Firefox on my home computer (Windows XP) or on my Android tablet.

Modified by Daneelro3

Chosen solution

The Mozilla Security thread from a year ago does indeed look exactly like my issue, it's a shame apparently nothing happened on the improved support for MitM proxies.

At first I could load Twitter after disabling network.stricttransportsecurity.preloadlist and creating an exception. I'm confused about certutil: do I have to compile that from source code or what?

[EDITED 2x] However, I found a different way that worked! Following the comment on the Mozilla Security thread, I looked up how to import the certificate from the operating system's root certificate database. So I

  1. ran mmc from the Windows command line,
  2. started the certificate manager (File > Add/Remove Snap-in..., highlight Certificates, click Add, click OK),
  3. looked at the Trusted Root Certification Authorities and found the company server that issued my intermediate certificates,
  4. exported the certificate,
  5. opened the Firefox certification manager and imported the certificate under Authorities (not under Websites!),
  6. enabled network.stricttransportsecurity.preloadlist again.

Now I don't have to manually override for any new https sites and Twitter loads normally, too.

Thanks for leading me to the solution!

All replies (5)

Hi Daneelro3,

Thank you for your question. I understand that there is difficulty with creating a certificate that is not allowing Twitter. I have asked the security IRC channel for more information for troubleshooting this and will be back shortly with more information.

Twitter uses HSTS. It would prevent adding an override. If so, what needs to happen there is for the root certificate the company is using to be installed and trusted in the certificate db. I hope this helps.

Modified by guigs

Thank you for looking into this!

I'm only barely familiar with the whole certificates and SSL business, so some questions on your suggestion for clarification:

  1. Is this something I can do on my computer, or something that would have to be done on the company server?
  2. Is the root certificate you speak of Twitter's or my company's?
  3. Can you give (or link to) step-by-step instructions on this certificate installation?

Also, why does this happen with Firefox but not IE9? Does Mozilla view this as a security loophole in IE9?

Daneelro3,

I am not sure, I think it just has different features for certificates.

  1. The certificate would be local to the certificate db in Firefox. I believe you can find that in key3.db. The tool you can use is the certificate database tool linked here: https://developer.mozilla.org/en-US/d.../NSS_Tools_certutil Its "man page" is here: https://developer.mozilla.org/en-US/d.../NSS_tools_:_certutil
  2. It is your certificate, not Twitter's certificate.
  3. I am not entirely sure of the steps, but I am happy to take a hack at it.
See if the NoScript Firefox extension works as well; this was said to support the redirection nature of the HTTPS that is a result of HSTS (I think). You might be interested in the RFC about it: http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02 (see "Server Implementation Advice" and "UA Implementation Advice" in section 9).

And this is the issue http://mozilla.6506.n7.nabble.com/HSTS-preload-list-td271152.html

Previous workaround: I also found this: https://support.mozilla.org/en-US/que.../942924 (manually changing the timeout), but I do not think this is secure. There is not a very secure way of doing this.

So in conclusion (after talking to the #security channel :-) ): HSTS, which is set by Twitter's servers, doesn't allow users to override connections that are invalid, both untrusted and invalid. Start a new profile and disable the HSTS preload list (which is not a wise security decision); the about:config pref is "network.stricttransportsecurity.preloadlist".

You could also use an HSTS-preload-disabled profile, install your own CA, then MITM using a cert from that CA. Or add the certificate that issued the MITM certificate to the trust db with the tool mentioned above. geekboy 11:35 the pref to toggle is network.stricttransportsecurity.preloadlist I think I asked
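The accepted answer's six mmc-and-Firefox steps and guigs's certutil suggestion, scripted together as an added example that is not part of the thread: it exports the company root CA from the Windows Trusted Root store and imports it into the Firefox profile's NSS database as an Authority. Assumed placeholders are the CA name "Example Corp Root CA", the NSS certutil path, and the profile folder pattern; run it with Firefox closed.

```powershell
# Added example, not code from the support thread: script the accepted answer's manual
# mmc -> export -> Firefox "Authorities" import, using the NSS certutil tool guigs linked.
# Placeholders (assumptions): the CA name, the NSS certutil path, the profile pattern.
# Run with Firefox closed; NSS refuses to write a profile database that is in use.

$CaSubjectMatch = 'Example Corp Root CA'        # placeholder: your company's root CA name
$NssCertutil    = 'C:\nss\bin\certutil.exe'     # placeholder: NSS certutil, NOT System32\certutil.exe
$ExportPath     = Join-Path $env:TEMP 'company-root-ca.cer'

# 1. Locate the company root in the user's Trusted Root Certification Authorities store.
#    A root is self-signed (Subject == Issuer); the check keeps a re-issued server
#    certificate from ever being imported as an authority by mistake.
$root = Get-ChildItem Cert:\CurrentUser\Root |
    Where-Object { $_.Subject -like "*$CaSubjectMatch*" -and $_.Subject -eq $_.Issuer } |
    Select-Object -First 1
if (-not $root) { throw "No self-signed CA matching '$CaSubjectMatch' in Cert:\CurrentUser\Root" }
Write-Host "Found:      $($root.Subject)"
Write-Host "Thumbprint: $($root.Thumbprint)  <- compare with the value your IT department publishes"

# 2. Export the public certificate as DER (.cer); it contains no private key.
Export-Certificate -Cert $root -FilePath $ExportPath -Type CERT | Out-Null

# 3. Find the Firefox profile and its certificate database. Current Firefox uses
#    cert9.db (SQLite, "sql:" prefix); the thread's cert8.db needs the "dbm:" prefix.
$profile = Get-ChildItem "$env:APPDATA\Mozilla\Firefox\Profiles" -Directory |
    Where-Object { $_.Name -like '*.default*' } | Select-Object -First 1
if (-not $profile) { throw 'No default Firefox profile found' }
$dbPrefix = if (Test-Path (Join-Path $profile.FullName 'cert9.db')) { 'sql:' } else { 'dbm:' }
$certDb   = "$dbPrefix$($profile.FullName)"

# 4. Import as a CA. Trust flags "C,," = trusted to issue TLS server certificates only
#    (no e-mail or code-signing trust). This is the "Authorities" tab, not "Websites",
#    which is why it also satisfies HSTS sites such as Twitter that refuse per-site overrides.
& $NssCertutil -A -n 'Company Root CA' -t 'C,,' -i $ExportPath -d $certDb
if ($LASTEXITCODE -ne 0) { throw "certutil import failed (exit code $LASTEXITCODE)" }

# 5. Verify what Firefox will now trust: prints the certificate and its trust flags.
& $NssCertutil -L -d $certDb -n 'Company Root CA'
```

Firefox 49 and later on Windows can instead read the Windows root store directly when the about:config pref security.enterprise_roots.enabled is true, which avoids copying the certificate at all.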
