Daniel Kahn Gillmor wrote:
> On 08/28/2013 10:41 AM, Dietrich Clauss wrote:
> > 0. clean user, rm -r ~/.mozilla
> > 1. Set up a https server which uses a self-signed certificate, let's call
> > it 'srv'
> > 2. Start iceweasel, watch https://srv
> > 3. iceweasel shows warning "untrusted connection"
> > 4. Click on "Understand the risk", "Add exception", "confirm exception"
> > 5. Exception gets stored permanently, iceweasel shows the content of
> > https://srv
> > 6. Go to edit/preferences/advanced/encryption/view_certs
> > 7. Search the cert of https://srv and "delete or distrust" it
>
> It sounds to me like you might be choosing to remove the certificate
> from your list of "Authorities" instead of from your list of "Servers".
> Take a look at the tabs on the top of the "Certificate Manager" dialog box.
>
> By choosing to "delete or distrust" the self-signed certificate from
> your list of root Certificate Authorities ("CAs"), you're simply saying
> that that certificate can't be used to certify *other* web sites (which
> should already be the case by default, take a look at the settings shown
> when you click the "Edit Trust..." button from the "Authorities" tab of
> the Certificate Manager -- they should all be unchecked).
>
> I suspect you want to remove the certificate from the "Servers" tab, not
> the "Authorities" tab -- the remote server is not an authority, and is
> not being treated as such; it's being treated as a network peer, and
> telling iceweasel to not treat it as an authority isn't asking for
> anything to change.
>
> Does this make sense? This is possibly extra-confusing because some
> tools used for making self-signed certificates (e.g. "openssl req")
> automatically include the "CA:TRUE" X.509 certificate extension for
> self-signed certs, even though that's not technically needed for
> anything but an actual CA certificate (i.e. one that will certify the
> keys of other CAs or end entities).

That's correct, thanks for the explanation. My fault. This bug report can be closed.
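The CA:TRUE point from the quoted explanation, as an added example that is not part of the original thread: it builds two self-signed certificates for the host name 'srv' with Go's standard crypto/x509 package (used here instead of "openssl req"), one marked CA:TRUE and one CA:FALSE, and shows that both are self-signed while only the first claims to be an authority. The function names selfSigned and describe are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// selfSigned returns the DER of a self-signed cert; markCA sets the CA flag.
func selfSigned(markCA bool) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "srv"}, // constructed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true, // always emit basicConstraints
		IsCA:                  markCA,
	}
	// Template doubles as parent: issuer == subject, signed with its own key.
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// describe reports whether the cert verifies under its own key and claims CA.
func describe(der []byte) (selfSignedOK, isCA bool, err error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return false, false, err
	}
	sigErr := cert.CheckSignature(cert.SignatureAlgorithm, cert.RawTBSCertificate, cert.Signature)
	return sigErr == nil, cert.BasicConstraintsValid && cert.IsCA, nil
}

func main() {
	for _, ca := range []bool{true, false} {
		der, _ := selfSigned(ca)
		fmt.Println(describe(der))
	}
}
```

A certificate of the first kind is what ends up listed under "Authorities" as well as "Servers"; the second kind is sufficient for a server that only needs a stored exception.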

