Open Bug 433770 Opened 17 years ago Updated 2 years ago

check out correct behavior of cert expiration handling with proxies

Categories

(Core :: General, defect)

x86
macOS
defect

People

(Reporter: chofmann, Unassigned)

Details

I installed the Charles Proxy to do some controlled bandwidth testing, and I'm seeing a lot of "expired certificate" dialogs in places like bugzilla where I wouldn't expect them.

I think these are the rough steps to reproduce.

Download and install Charles: http://www.charlesproxy.com/download.php
Install the Charles Firefox Extension: http://www.charlesproxy.com/charles.xpi
Make sure the proxy is turned on.
Then try and log in or submit a bug or bug comment on bugzilla.

Doing this I see a bunch of dialogs and pages about expired certs and the need to make exceptions.

I'm guessing there is some extra complexity to deal with when going through the proxy, but if there is any way to make that experience better we should try and do it.

Not sure what component is best for this bug so I landed it in core general. Feel free to move it.

From http://www.charlesproxy.com/wiki/ssl_debugging :

> Charles can be used as a man-in-the-middle HTTPS proxy, enabling you to view in
> plain text the communication between web browser and SSL web server.
> Charles does this by becoming a man-in-the-middle. Instead of your browser
> seeing the server’s certificate, Charles dynamically generates a certificate
> for the server and signs it with its own root certificate (the Charles CA
> Certificate). Charles receives the server’s certificate, while your browser
> receives Charles’s certificate. Therefore you will see a security warning,
> indicating that the root authority is not trusted. If you add the Charles CA
> Certificate to your trusted certificates you will no longer see any warnings -
> see below for how to do this.

So yeah - I suspect the expiry notices and things you're seeing are actually for Charles proxy's cert, which it is inserting into the SSL handshake instead of bugzilla's or others.

Looks like it comes back with

Secure Connection Failed

bugzilla.mozilla.org uses an invalid security certificate.

The certificate is not trusted because it was issued by an invalid CA certificate.

(Error code: sec_error_ca_cert_invalid)

* This could be a problem with the server's configuration, or it could be someone trying to impersonate the server.
* If you have connected to this server successfully in the past, the error may be temporary, and you can try again later.

Then the additional information indicates that "no cert" is available

> while your browser receives Charles’s certificate.

I guess the message page above is what made me confused. I wonder if there is a way for the browser to detect that it was the Charles cert I needed, not the bugzilla cert as the message page indicated in the message "bugzilla.mozilla.org uses an invalid security certificate."

Severity: normal → S3
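
The certificate substitution described in the quoted Charles documentation, reproduced locally as an added example (not part of this bug report and not Charles's own code). It assumes the `openssl` CLI is installed; the host `bugzilla.example` and the CA name `Example Proxy Root` are constructed, and all keys are throwaway. It shows that the leaf the client receives names the proxy root as issuer, and that validation succeeds only once that root is a trust anchor.

```sh
#!/bin/sh
# Added example. Every key, name and host below is constructed and throwaway.

# Build the chain an intercepting proxy presents: its own root CA plus a
# leaf minted for the requested host. Prints the working directory.
make_intercept_chain() {
  dir="$(mktemp -d)"
  # Proxy root CA (plays the role of the "Charles CA Certificate").
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Example Proxy Root" \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  # Leaf for the site the client asked for, signed by the proxy root.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$dir/leaf.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -days 1 \
    -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
    -out "$dir/leaf.pem" 2>/dev/null
  echo "$dir"
}

# Who signed the certificate the client actually received?
leaf_issuer() {
  openssl x509 -in "$1/leaf.pem" -noout -issuer -nameopt RFC2253
}

# Validate the leaf with ($2 = yes) or without the proxy root as a trust
# anchor. System trust stores are excluded so the result depends only on $2.
chain_status() {
  if [ "$2" = yes ]; then
    openssl verify -no-CAfile -no-CApath -CAfile "$1/ca.pem" "$1/leaf.pem"
  else
    openssl verify -no-CAfile -no-CApath "$1/leaf.pem"
  fi >/dev/null 2>&1 && echo trusted || echo untrusted
}

# Demo run: the issuer line identifies the proxy, not the site's real CA.
d="$(make_intercept_chain bugzilla.example)"
leaf_issuer "$d"
echo "proxy root not trusted: $(chain_status "$d" no)"
echo "proxy root trusted:     $(chain_status "$d" yes)"
rm -rf "$d"
```

Checking the issuer of the certificate actually presented is the quickest way to tell a proxy-minted leaf from the site's own certificate when the error page names only the site.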