3 posts categorized "firefox"

01/19/2012

Working Around the Firefox "Confirm Security Exception Button Disabled" Problem

Here's an interesting workaround to a problem I had been having that has been causing me SSL connection headaches in Firefox for years. Here is a description of the problem:

I try to connect to an SSL encrypted page in Firefox and that page generates a certificate warning. What should normally occur (and it used to work) is that you'd get greeted with the "Untrusted Connection" page where you have various buttons to view the certificate, confirm the security exception, or cancel. The problem I've been experiencing is that the Confirm Security Exception button remains disabled and would also show an error message: sec_error_expired_issuer_certificate. There was nothing I could do to get Firefox to accept the cert—not even importing the certificate manually.

I'm not going to claim that this is the fix for all instances, but in my case, the SSL warning for the BigIP Admin Console I was failing to connect to was generated for three separate reasons:

  1. The SSL certificate was self-signed
  2. The SSL certificate was expired
  3. I was connecting to the host using its IP address instead of the hostname—the hostname being the common name of the certificate.

However, this wasn't the only set of circumstances where I was having the problem, as I was also experiencing it simply connecting to a site using a self-signed cert (valid date, valid common name).
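The three conditions listed above can be checked independently. The following is an added example, not code from the original post: it takes a certificate in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()` and reports which of the three apply for a given host. The sample certificate, hostname and dates are constructed.

```python
import ipaddress
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape of ssl.SSLSocket.getpeercert();
# the hostname and dates are placeholders, not values from the post.
SAMPLE_CERT = {
    "subject": ((("commonName", "bigip.example.internal"),),),
    "issuer": ((("commonName", "bigip.example.internal"),),),
    "notAfter": "Jan 10 00:00:00 2011 GMT",
}

def _names(cert, field):
    """Flatten the nested RDN tuples of 'subject' or 'issuer' into a dict."""
    return {key: value for rdn in cert.get(field, ()) for key, value in rdn}

def _as_ip(host):
    """Return an ip_address object if host is an IP literal, else None."""
    try:
        return ipaddress.ip_address(host)
    except ValueError:
        return None

def warning_reasons(cert, host, now=None):
    """List which of the three conditions apply when visiting `host`."""
    now = now or datetime.now(timezone.utc)
    reasons = []
    # Name comparison only: the signature itself is not verified here.
    if _names(cert, "subject") == _names(cert, "issuer"):
        reasons.append("self-signed")
    if ssl.cert_time_to_seconds(cert["notAfter"]) < now.timestamp():
        reasons.append("expired")
    sans = cert.get("subjectAltName", ())
    ip = _as_ip(host)
    if ip is not None:
        # An IP address can only match an "IP Address" SAN entry, never the CN.
        matched = any(k == "IP Address" and _as_ip(v) == ip for k, v in sans)
    else:
        # Exact match only; wildcard names are out of scope for this example.
        dns = [v for k, v in sans if k == "DNS"]
        dns = dns or [_names(cert, "subject").get("commonName", "")]
        matched = host.lower() in (name.lower() for name in dns)
    if not matched:
        reasons.append("name mismatch")
    return reasons

if __name__ == "__main__":
    print(warning_reasons(SAMPLE_CERT, "192.0.2.10"))
```
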

So, if this happens to be happening to you, the first thing to try is Restart with Add-Ons Disabled, if you can, then try connecting again. Assuming you are then able to successfully connect and the Confirm Security Exception button works, the problem seems to be related to one of your installed Add-Ons.

In my case, the problem was the HTTPFox add-on option labeled "Automatically start watching when browser starts". During a recent round of testing various cache-control headers on a new site we were putting up, I enabled this option to save me a few steps in the testing process. As soon as I cleared this Autostart option, I was able to connect to SSL sites that generate warnings.

If you are viewing your Firefox about:config settings page, filter on "httpfox". If set to start automatically when Firefox starts, you will find the following configuration setting: user_pref("extensions.httpfox.StartAtBrowserStart", true);. Setting the value to "false" has the same effect as clearing the checkbox, but once you restart the browser, user_pref("extensions.httpfox.StartAtBrowserStart", false); will no longer appear in your about:config.

03/22/2011

It Looks Like Firefox 4 Went Gold

I just wanted to post a short note about it but it looks as if Firefox 4 went gold today. All of a sudden, there is a TwitterParty and a Real Time Firefox 4 Download stats site up and running.  Head over to the main Mozilla site to grab your own or if you're running a beta or release candidate, you should be upgraded real soon!  Congratulations to the Firefox team!

02/28/2011

Browsers: Is SSL Really Working?

Every time I think I have a fairly good understanding of how SSL works, something weird comes along to knock that understanding back a few notches.  Case in point:  Certificate Chains.  IBM has a nice, short article called "How Certificate Chains Work" that describes what they are so I'm linking to that in order to save some space for this post.  

With almost any type of certificate one purchases from Verisign today, and I use Verisign as an example because I am a Verisign certificate user, two intermediate certificates sit between the root certificate and the server certificate: a Primary Intermediate and a Secondary Intermediate.  The Primary Intermediate is the same regardless of the type of server certificate that was purchased.  The Secondary Intermediate varies according to the type of server certificate purchased.  If you purchased one of their SecureSite with EV certificates, the secondary intermediate is different from the one that is issued along with their SecureSite certificates but the Primary Intermediate is the same. 

Browsers have a feature in that they, I thought, displayed the full certificate chain, also known as the certification path.  They would display the certificate hierarchy, so you can see the root, the intermediate(s) and the server cert.  Problem is, they seem to have stopped doing this.  Take Safari 5, which is displaying the certification path for the Extended Validation cert securing www.verisign.com:

[Image: Safari5certpath_evcert]

Safari 5 shows the Primary Intermediate as if it is the root certificate, followed by the secondary intermediate, followed by the server cert.  What's missing is the actual root cert as this is supposed to be a 4 way chain.  

Firefox 3.6.13 exhibits the same behavior.  Before you think, "Oh, this must be a Mac thing...", Firefox 3.6.13 running on Ubuntu 10.10 shows the same thing, too.  So then I thought, well, maybe this is what is supposed to happen but two peculiar additional discoveries are the cause of my confusion.

Safari 3 shows the full certification path:

[Image: Safari3certpath_evcert]

I found in my System Roots keychain that Apple has imported the Class 3 Public Primary Certification Authority - G5 cert (the Primary Intermediate).  Perhaps that is why it is displaying a 4 way chain as a 3 way chain?  Well, that's what me and a buddy thought before connecting to one of my sites secured with a non-EV cert but still utilizing the same 4-way chain.  In that case, all four certs in the certification path are displayed in Safari 5 (portions of the image redacted to protect the innocent):

[Image: Safari5certpath_nonevcert]

So...what's going on, browser makers?  I'm assuming that there is a bug somewhere but where??  Is my understanding of how this should be working the bug?
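The keychain hypothesis raised in the post, as an added example that is not part of the original post: a simplified path builder that stops at the first certificate found in the trust store, so the same four certificates yield a 4-entry or a 3-entry path depending on which names are trusted. The certificates are constructed name-only records; signature checks and any browser-specific policy are omitted, and the non-EV case the post observed is not modelled.

```python
# Constructed, name-only stand-ins for the four certificates in the post.
CERTS = [
    {"subject": "www.example.com", "issuer": "Secondary Intermediate"},
    {"subject": "Secondary Intermediate", "issuer": "Primary Intermediate"},
    {"subject": "Primary Intermediate", "issuer": "Root"},
    {"subject": "Root", "issuer": "Root"},
]

def build_path(leaf, pool, anchors, max_len=8):
    """Walk issuer links from `leaf` until a name in `anchors` is reached.

    Returns the list of subject names, leaf first. Raises ValueError when
    the chain ends without reaching a trusted certificate.
    """
    by_subject = {cert["subject"]: cert for cert in pool}
    path = [leaf]
    cert = by_subject[leaf]
    while cert["subject"] not in anchors:
        issuer = cert["issuer"]
        if issuer == cert["subject"]:
            raise ValueError(f"self-signed and not trusted: {issuer}")
        if len(path) >= max_len:
            raise ValueError("path too long (possible issuer loop)")
        path.append(issuer)
        if issuer in anchors:
            break  # first trusted certificate ends the path
        if issuer not in by_subject:
            raise ValueError(f"missing issuer certificate: {issuer}")
        cert = by_subject[issuer]
    return path

if __name__ == "__main__":
    # Only the real root is trusted: the full 4-entry path is built.
    print(build_path("www.example.com", CERTS, {"Root"}))
    # Primary Intermediate is also in the trust store: the path stops there
    # and it is presented as the top of a 3-entry chain.
    print(build_path("www.example.com", CERTS, {"Root", "Primary Intermediate"}))
```
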