How can I make Firefox ignore certificate issuer errors?

0

I'm browsing from behind a firewall using this weird proxy server, which essentially acts like a man-in-the-middle and switches up the SSL certificate of the server with its own. So the certificates regard the site I'm after, but are supposedly issued by "FooBar inc." (that's the organization I'm in).

This means that for essentially every single page which FF tries to get, it believes it encounters an error about how the sufficient type is not set, and I get:

Warning: Potential Security Issue Ahead

etc. etc.

SECURITY_ERROR_UNKNOWN_ISSUER

I tried exporting the certificate and importing it, as suggested here - but this didn't work. Trying to import the .crt I got a message saying that this was not a valid issuer.

What can I do?

Note: I'm using CentOS 8.

einpoklum

Posted 2019-12-04T09:48:52.797

Reputation: 5 032

Try in about:config to set network.stricttransportsecurity.preloadlist to false. – harrymc – 2019-12-04T10:32:10.590

I'll try that, but - what is it supposed to do, exactly? – einpoklum – 2019-12-04T11:47:05.867

If you use the PC on this network routinely, install the CA certificate of the UTM firewall in the "Trusted Root Certificate Authorities" in CertMgr in Windows, or to the CA store chain in Linux. A UTM firewall can be configured with either a CA that transparently scans and re-encrypts all TLS/SSL packets, or an ICA signed by the firewall's CA. If it's the latter, the ICA-CA chain cert will need to be added in Linux, and for Windows, the ICA would also need to be added to "Intermediate Certificate Authorities" in Certmgr. – JW0914 – 2019-12-04T12:17:18.050

@JW0914: Can you give a link to information on how to do that? Especially in Linux? – einpoklum – 2019-12-04T12:29:17.620

I would just google "<distro name> add CA to system CA store". You can determine whether the transparent proxy's cert is a CA or ICA by looking at the "Issuer" section of the cert details... if it's the firewall's CA, it will likely be self-signed, but if it's an ICA, there will be an Issuer in that section, and if this is the case, you'll likely need to request from the IT dept the CA's cert in order to have the CoT [Chain of Trust] be complete. The first section will provide a general explanation of what's occurring with the traffic.

– JW0914 – 2019-12-04T12:41:47.700

Answers

0

What I did eventually is fire up Chromium. It essentially has the same issue, but - it was willing to let me export the Certificate Authority information. And luckily, Firefox was willing to import that information into its set of trusted Certificate Authorities - and the problem is now solved.

(Ok, not really, because I have to blindly trust websites, but at least usability-wise.)

einpoklum

Posted 2019-12-04T09:48:52.797

Reputation: 5 032
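The procedure JW0914 sketches in the comments (capture the chain the proxy presents, check whether the cert is a self-signed CA or an ICA by comparing Subject with Issuer, then add it to the Linux system store) and the answer's final step (getting the CA into Firefox's own trust store) can be scripted on CentOS 8. The following is an added example, not code from the question or the answer. It assumes `openssl` is installed and, for the Firefox step, `certutil` from the `nss-tools` package; the hostname, profile directory, certificate nickname and the "FooBar inc." demo certificates it generates are placeholders constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original question or answer. Assumes openssl
# (and certutil from nss-tools for the Firefox step). Hostnames, paths,
# profile directories and nicknames below are placeholders.
set -eu

# Classify one PEM certificate as JW0914 describes: a root CA is self-signed
# (Subject and Issuer are the same DN); anything else is an intermediate
# (ICA) whose issuer's certificate is also needed for a complete chain.
classify_cert() {
    subject=$(openssl x509 -in "$1" -noout -subject)
    issuer=$(openssl x509 -in "$1" -noout -issuer)
    # Drop the "subject="/"issuer=" labels, then compare the two DNs.
    if [ "${subject#subject=}" = "${issuer#issuer=}" ]; then
        echo self-signed
    else
        echo intermediate
    fi
}

# Fetch the chain the intercepting proxy presents for a site and split it
# into one file per certificate: chain-0.pem is the re-signed leaf for the
# site, the highest number is the last cert the proxy sends. Needs network
# access, so the offline demo below does not call it.
capture_proxy_chain() {
    host=$1; dir=$2
    openssl s_client -showcerts -servername "$host" -connect "$host:443" \
        </dev/null 2>/dev/null |
    awk -v dir="$dir" '
        /-----BEGIN CERTIFICATE-----/ { f = sprintf("%s/chain-%d.pem", dir, n); n++ }
        f != ""                       { print > f }
        /-----END CERTIFICATE-----/   { close(f); f = "" }'
}

# CentOS 8 / RHEL family system store: add the CA as an anchor and rebuild
# the consolidated bundles that OpenSSL, curl, etc. read. Needs root.
install_system_ca() {
    sudo cp "$1" /etc/pki/ca-trust/source/anchors/
    sudo update-ca-trust extract
}

# Firefox does not read the system store by default; it keeps an NSS database
# per profile. Import the CA there with the "C,," trust flags (trusted to
# issue server certificates), the same effect as importing an authority
# through Firefox's certificate manager.
install_firefox_ca() {
    profile_dir=$1; cert=$2; nickname=$3
    certutil -A -d "sql:$profile_dir" -n "$nickname" -t "C,," -i "$cert"
}

# Constructed demo data (not a real firewall's certs): a self-signed
# "FooBar inc." root and an ICA signed by it.
make_demo_certs() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/O=FooBar inc./CN=FooBar Root CA" \
        -keyout "$dir/root.key" -out "$dir/root.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/O=FooBar inc./CN=FooBar TLS Inspection ICA" \
        -keyout "$dir/ica.key" -out "$dir/ica.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$dir/ica.csr" \
        -CA "$dir/root.pem" -CAkey "$dir/root.key" -CAcreateserial \
        -out "$dir/ica.pem" 2>/dev/null
}

# Offline demo: classify the constructed certs. Against the real proxy you
# would instead run, e.g.:
#   capture_proxy_chain www.example.com "$work"
#   classify_cert "$work/chain-1.pem"
# and, if it says "intermediate", ask IT for the root that issued it before
# calling install_system_ca / install_firefox_ca on both.
if [ "${1:-}" = demo ]; then
    work=$(mktemp -d)
    make_demo_certs "$work"
    echo "root.pem: $(classify_cert "$work/root.pem")"
    echo "ica.pem:  $(classify_cert "$work/ica.pem")"
    rm -rf "$work"
fi
```

Run it as `sh inspect-proxy-ca.sh demo` to see the classification on the constructed certificates. Importing the CA with `C,,` rather than `CT,,` is deliberate: it marks the CA as trusted for issuing server certificates only, which is all the interception use case needs. The usability trade-off the answer points out still holds: once the proxy's CA is trusted, Firefox can no longer tell a re-signed site from the real one, so the trust is only as good as the device holding that CA key.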