On 08/28/2013 10:41 AM, Dietrich Clauss wrote:
> 0. clean user, rm -r ~/.mozilla
> 1. Set up a https server which uses a self-signed certificate, let's call
> it 'srv'
> 2. Start iceweasel, watch https://srv
> 3. iceweasel shows warning "untrusted connection"
> 4. Click on "Understand the risk", "Add exception", "confirm exception"
> 5. Exception gets stored permanently, iceweasel shows the content of
> https://srv
> 6. Go to edit/preferences/advanced/encryption/view_certs
> 7. Search the cert of https://srv and "delete or distrust" it
It sounds to me like you might be choosing to remove the certificate from your list of "Authorities" instead of from your list of "Servers". Take a look at the tabs on the top of the "Certificate Manager" dialog box.

By choosing to "delete or distrust" the self-signed certificate from your list of root Certificate Authorities ("CAs"), you're simply saying that that certificate can't be used to certify *other* web sites (which should already be the case by default, take a look at the settings shown when you click the "Edit Trust..." button from the "Authorities" tab of the Certificate Manager -- they should all be unchecked).

I suspect you want to remove the certificate from the "Servers" tab, not the "Authorities" tab -- the remote server is not an authority, and is not being treated as such; it's being treated as a network peer, and telling iceweasel to not treat it as an authority isn't asking for anything to change.

Does this make sense?

This is possibly extra-confusing because some tools used for making self-signed certificates (e.g. "openssl req") automatically include the "CA:TRUE" X.509 certificate extension for self-signed certs, even though that's not technically needed for anything but an actual CA certificate (i.e. one that will certify the keys of other CAs or end entities).

hth,

--dkg
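The CA:TRUE point above is easy to check on your own certificate. The script below is an added example, not code from either poster: it generates a self-signed certificate for the hostname `srv` from the thread with `basicConstraints = CA:FALSE` (the shape a TLS server should present), generates a second one with `CA:TRUE` (the shape a stock `openssl req -x509` config often emits), and reads the flag back from each. It assumes the `openssl` command-line tool is on PATH; the config file, the temp directory and the helper names are mine.

```shell
#!/bin/sh
# Added example (not from the thread): build a self-signed server cert for
# "srv" WITHOUT the CA:TRUE basic constraint, build a second one the way a
# default "openssl req -x509" config typically does (CA:TRUE), then read
# the flag back so you can tell which kind of cert you are looking at.
# Assumes the openssl CLI is on PATH; the hostname "srv" is from the thread.
set -eu

WORK="$(mktemp -d)"

# Print the Basic Constraints value of a PEM certificate: "CA:TRUE",
# "CA:FALSE" (possibly followed by a pathlen), or "absent".
basic_constraints_of() {
    out="$(openssl x509 -in "$1" -noout -text \
        | sed -n '/X509v3 Basic Constraints/{n;s/^[[:space:]]*//;p;}')"
    if [ -n "$out" ]; then printf '%s\n' "$out"; else echo absent; fi
}

# Write a minimal req config to $1; $2 is the basicConstraints value to embed.
# Using our own config (instead of the system openssl.cnf) is what keeps
# the default v3_ca-style extensions from sneaking in.
write_config() {
    cat > "$1" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = ext

[dn]
CN = srv

[ext]
basicConstraints = critical,$2
subjectAltName = DNS:srv
extendedKeyUsage = serverAuth
EOF
}

# Generate a self-signed certificate ($2.pem) and key ($2.key) from config $1.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -config "$1" -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

# Leaf-style certificate: what a TLS server should present.
write_config "$WORK/leaf.cnf" CA:FALSE
make_cert "$WORK/leaf.cnf" "$WORK/leaf"
LEAF_CERT="$WORK/leaf.pem"

# CA-style certificate: what stock "openssl req -x509" configs often emit.
write_config "$WORK/castyle.cnf" CA:TRUE
make_cert "$WORK/castyle.cnf" "$WORK/castyle"
CASTYLE_CERT="$WORK/castyle.pem"

echo "leaf-style cert: $(basic_constraints_of "$LEAF_CERT")"
echo "ca-style cert:   $(basic_constraints_of "$CASTYLE_CERT")"
```

A certificate built from the first config is still self-signed, so Iceweasel will still show the "untrusted connection" page and the exception you add still lands under the "Servers" tab; the difference is that nothing about it claims authority over other sites, which is the distinction the reply draws.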