[opensuse] other firefox behaviour
Hi,

I followed with interest the thread of Per. Last week I observed something else that surprised me.

With openvpn I also use keys & certificates on client and servers. And no matter what you use on the client, it is the peer at the other end that decides if it will accept the connection or not, based on:
- ca-trust-chain
- revocation list
- validity (date-range) of the certificate.

With firefox I saw different behaviour: I tried to go to a ssl-server with client-cert-authentication enabled. Much to my surprise, the client directly refused, saying that my cert expired two weeks ago. tcpdump on either side proved that no data was sent along the line.

A warning should be OK, but a plain refusal by firefox feels like big brother is taking control. It may ask several layers deep about security-exception, and whether I am very-very-very-sure about it. But in the end it should have been MY decision, not firefox.

Or am I that mistaken?

Hans

--
To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse+owner@opensuse.org

On 05/11/14 at 05:03, Hans Witvliet wrote:
> Hi,
>
> I followed with interest the thread of Per. Last week I observed something else that surprised me.
>
> With openvpn I also use keys & certificates on client and servers. And no matter what you use on the client, it is the peer at the other end that decides if it will accept the connection or not, based on:
> - ca-trust-chain
> - revocation list
> - validity (date-range) of the certificate.
>
> With firefox I saw different behaviour: I tried to go to a ssl-server with client-cert-authentication enabled. Much to my surprise, the client directly refused, saying that my cert expired two weeks ago. tcpdump on either side proved that no data was sent along the line.
>
> A warning should be OK, but a plain refusal by firefox feels like big brother is taking control. Or am I that mistaken?

Yes, you are mistaken. A client knowing the certificate is expired and failing right away is the expected behaviour. Why should the client even bother trying an operation that MUST fail?

All these are unfortunate side effects of clients being too lenient or plain reckless in the past and users getting accustomed to that.

On Wed, 2014-11-05 at 09:59 -0300, Cristian Rodríguez wrote:
> On 05/11/14 at 05:03, Hans Witvliet wrote:
>> Hi,
>>
>> I followed with interest the thread of Per. Last week I observed something else that surprised me.
>>
>> With openvpn I also use keys & certificates on client and servers. And no matter what you use on the client, it is the peer at the other end that decides if it will accept the connection or not, based on:
>> - ca-trust-chain
>> - revocation list
>> - validity (date-range) of the certificate.
>>
>> With firefox I saw different behaviour: I tried to go to a ssl-server with client-cert-authentication enabled. Much to my surprise, the client directly refused, saying that my cert expired two weeks ago. tcpdump on either side proved that no data was sent along the line.
>>
>> A warning should be OK, but a plain refusal by firefox feels like big brother is taking control. Or am I that mistaken?
>
> Yes, you are mistaken. A client knowing the certificate is expired and failing right away is the expected behaviour. Why should the client even bother trying an operation that MUST fail?
>
> All these are unfortunate side effects of clients being too lenient or plain reckless in the past and users getting accustomed to that.

So, the car you drive in is not capable of exceeding 50Kmph within city-limits, and is also limited on the motorways? "Should not" is something different than "can not".

It is up to the receiving end to decide what to accept and what not. I know the user and it is my apache-server. The cert was accidentally issued for a period of just 3 months and cannot be updated, because it is on a smartcard (fixed).

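
The thread turns on a client certificate whose validity window ran out unnoticed. The following is an added example, not part of any message in the thread: a small check that reads the two date lines printed by `openssl x509 -noout -dates` and reports whether the certificate is not yet valid, expired, or close to expiry. The function names and the sample dates are assumptions constructed to mirror the scenario described (a three-month certificate that expired two weeks before 5 November 2014).

```python
import ssl
from datetime import datetime, timezone

# Constructed sample: the shape of `openssl x509 -noout -dates -in client.pem`
# output for a certificate issued for three months (dates are made up).
SAMPLE_DATES = """\
notBefore=Jul 22 12:00:00 2014 GMT
notAfter=Oct 22 12:00:00 2014 GMT
"""


def parse_dates(text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        key = key.strip()
        if sep and key in ("notBefore", "notAfter"):
            # ssl.cert_time_to_seconds parses the "Mon DD HH:MM:SS YYYY GMT" form.
            secs = ssl.cert_time_to_seconds(value.strip())
            fields[key] = datetime.fromtimestamp(secs, tz=timezone.utc)
    if len(fields) != 2:
        raise ValueError("need both notBefore and notAfter lines")
    return fields["notBefore"], fields["notAfter"]


def validity_status(text, now, warn_days=30):
    """Classify the validity window at time `now` (aware UTC datetime).

    Returns (status, days): days until valid, days since expiry,
    or days remaining, depending on the status.
    """
    not_before, not_after = parse_dates(text)
    if now < not_before:
        return "not-yet-valid", (not_before - now).days
    if now >= not_after:
        return "expired", (now - not_after).days
    remaining = (not_after - now).days
    return ("expiring" if remaining <= warn_days else "ok"), remaining


if __name__ == "__main__":
    when = datetime(2014, 11, 5, 12, 0, tzinfo=timezone.utc)
    print(validity_status(SAMPLE_DATES, when))
```

Run on a schedule against the public certificate exported from the card, a check like this gives warning before either the browser or the server starts rejecting it.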
participants (2)
- Cristian Rodríguez
- Hans Witvliet