
Connection untrusted for Twitter even after addition of security exception

  • 5 replies
  • 4 have this problem
  • 8 views
  • Last reply by Daneelro3


I use Firefox on my office computer behind a company firewall and a server re-issuing security certificates for secure sites. Like for many other users, normally this only leads to the annoyance of having to add security exceptions for https sites manually. However, for Twitter.com, even that won't work. First I got the connection not trusted message with "The certificate is not trusted because no issuer chain was provided". Then I enabled browser.xul.error_pages.expert_bad_cert, but all that happened was that the error message reloaded.

I tried deleting the certificate, the cookie, cache, history, the cert8.db file, and also tried it in secure mode with all addons disabled, still no luck. I had no such problem with IE9 on the same computer or Firefox on my home computer (Windows XP) or on my Android tablet.


Modified by Daneelro3

Chosen solution

The Mozilla Security thread from a year ago does indeed look exactly like my issue, it's a shame apparently nothing happened on the improved support for MitM proxies.

At first I could load Twitter after disabling network.stricttransportsecurity.preloadlist and creating an exception. I'm confused about certutil: do I have to compile that from source code or what?

[EDITED 2x] However, I found a different way that worked! Following the comment on the Mozilla Security thread, I looked up how to import the certificate from the operating system's root certificate database. So I

  1. ran mmc from the Windows command line,
  2. started the certification manager (File > Add/Remove Snap-in..., highlight Certificates, click Add, click OK),
  3. looked at the Trusted Root Certification Authorities and found the company server that issued my intermediate certificates,
  4. exported the certificate,
  5. opened the Firefox certification manager and imported the certificate under Authorities (not under Websites!),
  6. enabled network.stricttransportsecurity.preloadlist again.

Now I don't have to manually override for any new https sites and Twitter loads normally, too.

Thanks for leading me to the solution!

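The chain failure and the fix described in the solution above, reproduced offline as an added example (not code from the thread or from Mozilla). It builds a throwaway "corporate inspection" root CA and a leaf certificate it re-issues for twitter.com, exactly as a TLS-intercepting proxy does, then shows that the leaf on its own cannot be chained to anything trusted (the "no issuer chain was provided" condition) and that trusting the issuing root, rather than the individual site certificate, is what makes it validate. The CA names, file names and the `import_into_nss` profile path are constructed for the demo; it assumes `openssl` 1.1 or newer, and the NSS `certutil` call is only shown, not run, because that tool is not installed everywhere.

```shell
#!/bin/sh
# Added demo, not from the forum thread: why a proxy-re-issued leaf is untrusted
# on its own, and why the fix is to trust the proxy's root CA in Firefox's own
# store (the "Authorities" tab), not the per-site certificate.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# make_ca <prefix> <CN>: self-signed CA with proper CA extensions (constructed).
make_ca() {
  cat > "$1.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = $2
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -config "$1.cnf" -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# issue_leaf <ca prefix> <hostname>: the certificate a re-issuing proxy hands
# the browser for <hostname>, signed by the corporate root, not by a public CA.
issue_leaf() {
  printf '[req]\nprompt = no\ndistinguished_name = dn\n[dn]\nCN = %s\n' "$2" > leaf.cnf
  openssl req -new -newkey rsa:2048 -nodes -config leaf.cnf \
    -keyout leaf.key -out leaf.csr >/dev/null 2>&1
  printf 'basicConstraints = CA:FALSE\nsubjectAltName = DNS:%s\n' "$2" > leaf.ext
  openssl x509 -req -in leaf.csr -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -days 365 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1
}

# verify_against <trust anchor pem>: prints "trusted" or "untrusted", which is
# the decision the browser makes before it even looks at HSTS.
verify_against() {
  if openssl verify -CAfile "$1" leaf.pem 2>&1 | grep -q ': OK$'; then
    echo trusted
  else
    echo untrusted
  fi
}

# import_into_nss <firefox profile dir> <root pem>: what the GUI import under
# "Authorities" does. Firefox has its own NSS database (cert8.db / cert9.db in
# the profile) and ignores the Windows root store, which is why IE9 was fine.
# Trust "C,," = may issue server certs; "P,," would only pin this one cert,
# which does not help when every site gets a freshly re-issued leaf.
# Needs the NSS certutil (libnss3-tools / nss-tools), a different program from
# Windows' own certutil.exe. Shown only; not executed by this script.
import_into_nss() {
  certutil -A -d "sql:$1" -n "Example Corp Inspection Root CA" -t "C,," -i "$2"
  certutil -L -d "sql:$1" -n "Example Corp Inspection Root CA"
}

demo() {
  make_ca root "Example Corp Inspection Root CA"   # the proxy's signing root
  make_ca other "Some Unrelated Root CA"           # a store that lacks it
  issue_leaf root twitter.com
  echo "leaf, root not trusted: $(verify_against other.pem)"   # untrusted
  echo "leaf, root trusted:     $(verify_against root.pem)"    # trusted
}

demo
```

On the Windows side, `certutil -store Root` (the Windows tool, not NSS's) lists what the mmc steps above export; the exported `.cer` is what goes into Firefox's Authorities tab or into `import_into_nss`. HSTS never enters this demo: once the root validates, there is no certificate error to override, which is why re-enabling `network.stricttransportsecurity.preloadlist` afterwards costs nothing.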

All replies (5)


Hi Daneelro3,

Thank you for your question. I understand that there is difficulty with creating a certificate that is not allowing Twitter. I have asked the security IRC channel for more information on troubleshooting this and will be back shortly with more information.


Twitter uses HSTS. It would prevent adding an override. If so, what needs to happen there is for the root certificate the company is using to be installed and trusted in the certificate db. I hope this helps.

Modified by guigs


Thank you for looking into this!

I'm only barely familiar with the whole certificates and SSL business, so some questions on your suggestion for clarification:

  1. Is this something I can do on my computer, or something that would have to be done on the company server?
  2. Is the root certificate you speak of Twitter's or my company's?
  3. Can you give (or link to) step-by-step instructions on this certificate installation?

Also, why does this happen with Firefox but not IE9? Does Mozilla view this as a security loophole in IE9?


Daneelro3,

I am not sure; I think it just has different features for certificates.

  1. The certificate would be local to the certificate db in Firefox. I believe you can find that in key3.db. The tool you can use is the certificate database tool linked here: https://developer.mozilla.org/en-US/d.../NSS_Tools_certutil Its "man page" is here: https://developer.mozilla.org/en-US/d.../NSS_tools_:_certutil
  2. It is your certificate, not Twitter's certificate.
  3. I am not entirely sure of the steps, but I am happy to take a hack at it.
See if the NoScript Firefox extension works as well; this was said to support the redirection nature of the HTTPS that is a result of HSTS (I think). You might be interested in the RFC about it: http://tools.ietf.org/html/draft-hodges-strict-transport-sec-02, see "Server Implementation Advice" and "UA Implementation Advice" in section 9.

And this is the issue http://mozilla.6506.n7.nabble.com/HSTS-preload-list-td271152.html

Previous work around: And then I found this: https://support.mozilla.org/en-US/que.../942924 manually changing the timeout, but I do not think this is secure. There is not a very secure way of doing this.

So in conclusion (after talking to the #security channel :-) ): HSTS is set by Twitter's servers and doesn't allow users to override connections that are invalid, both untrusted and invalid. Start a new profile and disable the HSTS preload list (which is not a wise security decision); the about:config pref is "network.stricttransportsecurity.preloadlist".

You could also use an HSTS-preload-disabled profile, install your own CA, then MITM using a cert from that CA. Or add the certificate that issued the MITM certificate to the trust db with the tool mentioned above. (geekboy 11:35: the pref to toggle is network.stricttransportsecurity.preloadlist. I think I asked.)
