wtest / httpfox

Automatically exported from code.google.com/p/httpfox
GNU General Public License v2.0
0 stars 0 forks source link

Cannot add security exception for invalid server certificate #63

Open GoogleCodeExporter opened 8 years ago

GoogleCodeExporter commented 8 years ago
Context: I ran into this when testing an internal test server that was
using a certificate for a different hostname. The certificate was
self-signed. So this is really a corner case. Also, I can work around it by
just stopping HttpFox (i.e., without restarting the browser).

What steps will reproduce the problem?
Setup:
   * Firefox 3.0.10 (happens on Linux and Windows XP, possibly other platforms)
   * HttpFox version 0.8.4 is installed
      * HttpFox is either started or the option "Automatically start
watching when browser starts" is checked.
   * In about:config, these settings are left at their default values:
      * browser.xul.error_pages.enabled (true)
      * browser.xul.error_pages.expert_bad_cert (false)
1. Go to the server, and get the standard "Secure Connection Failed" error
message (Error code: sec_error_untrusted_issuer). There should be an "Or
you can add an exception link" at the end of the message.
2. Click the "Or you can add an exception" link. This displays the buttons
"Get me out of here!" and "Add Exception".
3. Click the "Add Exception" button. This opens a new "Add Security
Exception" dialog box.
4. In the dialog box, click the "Get Certificate" button to get the
certificate for the server, so that you can add an exception.

Here is what happens:
i) In the dialog box, the Certificate Status section displays:

============== Certificate Status ==========================
Checking Information
Attempting to identify the site.
=============================================================

ii) An alert box opens. The alert box displays the message (in plain text):

================= Alert =======================
[the test server name is here] uses an invalid security certificate.

The certificate is not trusted because it is self signed.
The certificate is only valid for <a id="cert_domain_link" title="[the test
server name is here]">(null)</a>

(Error code: sec_error_untrusted_issuer)

                                 OK
===============================================

iii) When you click OK to dismiss the alert box (which has no other
buttons), back in the "Add Security Exception" dialog box, the Certificate
Status section changes to display:

============== Certificate Status ==========================
No Information Available
Unable to obtain identification status for the given site.
=============================================================

iv) The "Confirm Security Exception" button is disabled. The only thing
that you can do from here is click the "Cancel" button to close the "Add
Security Exception" dialog box.

What is the expected output? What do you see instead?
If HttpFox is stopped, at step (4), item (ii) above, no alert box appears.
Instead, the "Certificate Status" section displays the messages:

============== Certificate Status ==========================
This site attempts to identify itself with invalid information. [View button]

Wrong Site
Certificate belongs to a different site, which could indicate an identity
theft.

Unknown Identity
Certificate is not trusted, because it hasn't been verified by a recognized
authority.
=============================================================

The "Confirm Security Exception" button is enabled.

What version of the product are you using? On what operating system?
0.8.4 on Linux and Windows XP

Please provide any additional information below.
It looks like there was another defect about HttpFox dropping SSL
connections to servers with invalid certificates (Issue 51), but it looks
like that was fixed. I'm not sure if this is related.

I can work around this problem by stopping HttpFox to accept the
certificate for the test server and then starting HttpFox again (no need to
restart the browser), so it's not really a problem.  But it was pretty
confusing (and I couldn't figure out what was causing it), so I thought I
should note it down somewhere. Hope this is OK. Sorry this is kind of long.

Original issue reported on code.google.com by dyoshin...@gmail.com on 28 Jun 2009 at 10:09

GoogleCodeExporter commented 8 years ago

Original comment by pappkame...@gmail.com on 24 Apr 2010 at 8:52

GoogleCodeExporter commented 8 years ago
It took me some months to understand that when I couldn't add an exception it 
was when I was using HttpFox, and not because of some change in FF or badly 
formed self signed certificates.
Then it'd better if it worked :-)

Original comment by olivier....@resoneo.com on 29 Jul 2011 at 1:18

GoogleCodeExporter commented 8 years ago
Any idea when this will be fixed? I like HttpFox very much and I have this 
situation every day because we are testing apps with a reverse proxy using 
HTTPS. How much do I have to donate? :- )

Original comment by Friedric...@gmail.com on 8 Sep 2011 at 9:26

GoogleCodeExporter commented 8 years ago
In the meantime you could look at Charles Proxy or Fiddler2, I'm almost sure 
they can handle these situations 

Original comment by ovit.res...@gmail.com on 8 Sep 2011 at 9:48

GoogleCodeExporter commented 8 years ago
After removing the HttpFox it is working for me, now I am able to add 
certificates.

Original comment by vvudayki...@gmail.com on 29 Jul 2014 at 7:00