Re: telling firefox 91 to always accept self signed certificate.

To: debian-user@lists.debian.org
Subject: Re: telling firefox 91 to always accept self signed certificate.
From: "Alexander V. Makartsev" <avbetev@gmail.com>
Date: Sun, 2 Jan 2022 17:40:44 +0500
Message-id: <[🔎] 4101ee4b-e2d4-1701-79b0-d05fd1460be7@gmail.com>
In-reply-to: <[🔎] alpine.DEB.2.21.2201021016430.2492@einstein.home.woodall.me.uk>
References: <[🔎] alpine.DEB.2.21.2201021016430.2492@einstein.home.woodall.me.uk>

On 02.01.2022 15:47, Tim Woodall wrote:

I have a buster install where firefox-esr has just been updated. I
cannot work out how to tell it to always accept self-signed (and
expired) certificates without a warning.

I had a permanent exception set under about:preferences#privacy
ViewCertificates but that didn't seem to be working. And attempting to
add another exception changed the existing "permanent" exception to
temporary with no option to check the "add permanent exception" box.

This is not the only way to add an exception, but I think it is the bestway.You have to go to "Servers" tab and put exact URL and also port for theconnection.

    Ex: https://my-nas.lan:443/

Also if your server will redirect connection to another port you have toadd it also.

    Ex: https://my-nas.lan:5001/

Exceptions added this way will work as long as host:port and downloadedcertificate matches the exception.If they don't, your Firefox profile could be corrupted, so test it on abrand new profile, created with profile manager:

    $ firefox --ProfileManager

I don't care about "security" for this connection. It's an IPMI console
that is only accessible on the same (trusted) physical lan and remote
access is only possible via a vpn.

I cannot find anything in about:config that seems to help this.

Doing this via "about:config" (if that even possible) would leave yourbrowser vulnerable for connections on the Internet, other than yourlocal trusted servers.There is also another way to add an exception like this. You can addserver's self-signed certificate to 'ca-certificates' on your system asa trusted certificate authority.This way browser should still display "not trusted connection" icon, butwithout warning page and confirming an exception.

And the real solution for this problem would be to spin-off your owncertificate authority using 'Easy-RSA', add your CA certificate astrusted on your systems and/or browser, and create and replaceclient-server authentication certificates on your network hosts.This way might be harder and longer to do, but it is a proper solutionthat is scalable and manageable.As a bonus, you can use same CA to defend your WiFi networks with"Enterprise" level of protection, not just "WPA*-PSK".

Or create and manage certificates for OpenVPN hosts-clients.

--
With kindest regards, Alexander.

⢀⣴⠾⠻⢶⣦⠀
⣾⠁⢠⠒⠀⣿⡁ Debian - The universal operating system
⢿⡄⠘⠷⠚⠋⠀ https://www.debian.org
⠈⠳⣄⠀⠀⠀⠀

Reply to:

References:
- telling firefox 91 to always accept self signed certificate.
  - From: Tim Woodall <debianuser@woodall.me.uk>

Prev by Date: Re: Debian on Dell PowerEdge C6220?
Next by Date: Re: Hyper-typematic and Firefox responsiveness in Weston.
Previous by thread: telling firefox 91 to always accept self signed certificate.
Next by thread: telegram-desktop not working with firejail
Index(es):
- Date
- Thread