Distribute Exception set via cert_override.txt company wide

  • 8 replies
  • 1 has this problem
  • 131 views
  • Last reply by Mike Kaply


Hey everyone,

I'm currently working for a company where we need to distribute a set of exceptions for 4 internal websites. For many reasons the firefox currently does not trust the certificate that has been issued and users will receive the prompt "Warning: Potential Security Risk Ahead" and the user can click on "Advanced" -> "Accept the risk and continue" Now this is something we would like to prevent from happening.

The obvious solution would be to have a proper certificate in place but that is the long term solution and we need a quick workaround with the same result -> access the page without the prompt. The prompt is gone once we set the exception and copy the "Cert_override.txt" to the user profile. Now I have a script that I could use to copy the file to all profiles but that would be the absolute last thing I would want to do.

So my question is: is there any way to set an exception system wide instead of on a user profile basis? We are not using the Firefox ADMX templates but just a mozilla.cfg. Reading about the ADMX templates it also doesn't look like it would be possible via a policy, is that correct? Do you guys have any suggestions as to what we can do here?

Any helpful hints would be appreciated.

Thank you.


Chosen solution

Hi,

Mike was able to solve this issue through the XML Http request. Here is the solution (not sure if there is a better way to post code here; hope this works):

Cu.importGlobalProperties(["XMLHttpRequest", "URL"]);

// Hosts that should get a certificate exception (port 443 assumed).
let overrides = ["self-signed.badssl.com"];

// Hosts already handled on a previous startup, remembered in a pref.
let setOverrides = [];
try {
  setOverrides = getPref("setOverrides").split(",");
} catch (e) {}

// Arrays compare by reference, so compare the joined strings; otherwise
// the overrides would be re-added on every startup.
if (setOverrides.join(",") != overrides.join(",")) {
  Services.obs.addObserver(function observer() {
    let overrideService = Cc["@mozilla.org/security/certoverride;1"].getService(
      Ci.nsICertOverrideService
    );
    for (let i = 0; i < overrides.length; i++) {
      let xhr = new XMLHttpRequest();
      try {
        xhr.open("GET", "https://" + overrides[i]);
        // The request fails on the certificate error, but the failed channel
        // still carries the server certificate, which is what gets stored.
        xhr.onerror = function() {
          if (xhr.channel && xhr.channel.securityInfo) {
            let secInfo = xhr.channel.securityInfo.QueryInterface(Ci.nsITransportSecurityInfo);
            let cert = secInfo ? secInfo.serverCert : null;
            if (cert) {
              let url = new URL(xhr.responseURL);
              // ERROR_UNTRUSTED covers an unknown issuer only; a name mismatch
              // or an expired certificate would also need ERROR_MISMATCH / ERROR_TIME.
              let flags = 0;
              flags |= overrideService.ERROR_UNTRUSTED;
              overrideService.rememberValidityOverride(
                url.hostname,
                443,
                cert,
                flags,
                false // permanent override, not a temporary one
              );
            }
          }
        };
        xhr.send(null);
      } catch (ex) {}
    }
    pref("setOverrides", overrides.join(","));
    Services.obs.removeObserver(observer, "final-ui-startup");
  }, "final-ui-startup");
}


You can add multiple domains as well.

All credits go to Mike, thank you again!

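The autoconfig snippet above only runs inside Firefox, so as an added example (not the thread's code and not Mike's or Mozilla's) here are plain-Node helpers for the two things an administrator rolling this out will want to check: what exceptions a profile's cert_override.txt already holds, and whether the startup script needs to re-apply its list. It assumes the cert_override.txt column layout of Firefox 69-era profiles (host:port, hash OID, fingerprint, override letters, db key) and the bit values defined by nsICertOverrideService; the sample file contents, fingerprints and hostnames are constructed placeholders. The needsReapply function is a corrected form of the thread's `setOverrides != overrides` check, which compares arrays by reference.

```javascript
// Added example (not the thread's autoconfig code): plain-Node helpers for
// auditing Firefox certificate overrides and planning a rollout. Assumes the
// Firefox 69-era cert_override.txt layout (host:port, hash OID, fingerprint,
// override letters, db key) and the nsICertOverrideService bit values.

// Bit values as defined by nsICertOverrideService.
const ERROR_UNTRUSTED = 1; // issuer not trusted
const ERROR_MISMATCH = 2;  // hostname does not match the certificate
const ERROR_TIME = 4;      // certificate expired or not yet valid

// cert_override.txt serialises the bits as letters (assumed mapping).
const LETTER_BITS = { U: ERROR_UNTRUSTED, M: ERROR_MISMATCH, T: ERROR_TIME };

function splitHostPort(spec, defaultPort = 443) {
  const idx = spec.lastIndexOf(":");
  if (idx === -1) return { host: spec, port: defaultPort };
  return { host: spec.slice(0, idx), port: Number(spec.slice(idx + 1)) };
}

// Parse the text of a cert_override.txt into structured entries.
function parseCertOverrideFile(text) {
  const entries = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (line === "" || line.startsWith("#")) continue; // header or blank line
    const cols = line.split("\t");
    if (cols.length < 4) continue; // malformed line: skip rather than guess
    const { host, port } = splitHostPort(cols[0]);
    let bits = 0;
    for (const ch of cols[3]) bits |= LETTER_BITS[ch] || 0;
    entries.push({ host, port, hashOid: cols[1], fingerprint: cols[2], bits, dbKey: cols[4] || "" });
  }
  return entries;
}

// Human-readable names for an override bit mask.
function describeBits(bits) {
  const names = [];
  if (bits & ERROR_UNTRUSTED) names.push("ERROR_UNTRUSTED");
  if (bits & ERROR_MISMATCH) names.push("ERROR_MISMATCH");
  if (bits & ERROR_TIME) names.push("ERROR_TIME");
  return names;
}

// Desired "host" or "host:port" specs that have no matching entry yet.
function missingOverrides(desired, entries) {
  return desired.filter((spec) => {
    const want = splitHostPort(spec);
    return !entries.some((e) => e.host === want.host && e.port === want.port);
  });
}

// Corrected form of the thread's `setOverrides != overrides` check: arrays
// compare by reference, so compare the two host sets instead. `stored` is the
// raw pref string (undefined when the pref was never set).
function needsReapply(stored, desired) {
  if (typeof stored !== "string") return true;
  const key = (list) => Array.from(new Set(list.filter(Boolean))).sort().join(",");
  return key(stored.split(",")) !== key(desired);
}

// Constructed sample file; hostnames, fingerprints and db keys are placeholders.
const SAMPLE_CERT_OVERRIDE = [
  "# PSM Certificate Override Settings file",
  "# This is a generated file!  Do not edit.",
  "self-signed.badssl.com:443\tOID.2.16.840.1.101.3.4.2.1\tAA:BB:CC:DD\tU\tAAAA",
  "intranet.example.test:8443\tOID.2.16.840.1.101.3.4.2.1\tEE:FF:00:11\tMU\tAAAB",
].join("\n");

if (typeof require !== "undefined" && require.main === module) {
  const entries = parseCertOverrideFile(SAMPLE_CERT_OVERRIDE);
  for (const e of entries) {
    console.log(`${e.host}:${e.port} -> ${describeBits(e.bits).join("|")}`);
  }
  const wanted = ["self-signed.badssl.com", "intranet.example.test"];
  console.log("missing:", missingOverrides(wanted, entries));
  console.log("reapply:", needsReapply("self-signed.badssl.com", wanted));
}
```

Running the file against a real profile's cert_override.txt (read it in place of SAMPLE_CERT_OVERRIDE) shows which hosts already carry an exception and which error classes it covers; an entry with only ERROR_UNTRUSTED will not silence a hostname mismatch, which is why the flags chosen in the autoconfig script matter.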

All replies (8)


If you're using mozilla.cfg, you can do this.

My best pointer to how to do this would be to look at how the CCK2 does it:

https://github.com/mkaply/cck2wizard/blob/master/cck2/modules/CCK2.jsm#L761

You basically have to do an XMLHttpRequest to the site and intercept the request.


Hey Mike,

thanks a lot for the suggestion! To be honest though, I don't fully understand how I would implement it. I think you already pointed out the correct line of code, but unfortunately I don't really get how and where I would implement an XMLHttpRequest. In a file? I looked through this article here: https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest however I'm still not sure how to proceed.

Thanks again!


That's fine. What do your autoconfig files look like today? Would you be willing to send one to mkaply at mozilla.com and I'll add the code for you?


Hey Mike,

that is a very generous offer; I would happily take you up on it. Though my lack of Firefox configuration knowledge now comes to the surface. By autoconfig file you mean the policies.js? I had a quick read here: https://support.mozilla.org/en-US/kb/customizing-firefox-using-autoconfig and it doesn't even seem like we have the autoconfig.js in place. We do however seem to have a lot of configurations listed in the autoconfig article within the "Mozilla.cfg", so do you want me to provide you with that file? In case that is true I would have to remove some preferences containing internal URLs, but I think I'd be able to provide you with the file. The policies.js as well as local-settings.js both seem to point to the mozilla.cfg.

Local-settings.js: pref("general.config.obscure_value", 0); pref("general.config.filename", "mozilla.cfg");

policies.js: pref("general.config.obscure_value", 0); pref("general.config.filename", "mozilla.cfg");

That's all the content of those files.

My apologies for the lack of knowledge in that regard.

Thanks again!


Actually I need the mozilla.cfg file. It might have sensitive info in it, so you might want to email it to me.


Hey Mike,

I have sent you the file via mail.

Thanks a lot!




Note this solution was for Firefox 69 ESR. I didn't test if it works on current Firefox (but it should).

Might need small changes when ESR 78 comes out.