"Add Exception" button missing on SSL Error pages

Kumba

"Add Exception" button missing on SSL Error pages

Unread post by Kumba » 2015-12-15, 18:38

So this has been driving me nuts for the last few days. It seems in Pale Moon, as far as I can tell, the "I Understand the Risks" dropdown and "Add Exception" button are completely missing on SSL Error pages, at least those carrying the error of "ssl_error_bad_cert_domain". I've checked the problem domain in a recent copy of Seamonkey, and the corresponding bits are definitely showing up there, so this appears to be a Pale Moon-specific problem.

Furthermore, manually adding the exception via the Certificates dialog, Pale Moon is still refusing to allow me to access the site. And yes, I really want to go to this site. It's safe to do so, just the site admins are apparently lazy and are using wildcard SSL certificates that don't match the specific sub-domain. Seamonkey, on the other hand, lets me go there just fine once I add the exception.

The problem domain in question is the mailing list archives for the uClibc project, located at:
https://lists.uclibc.org/pipermail/uclibc/

They're using a wildcard SSL certificate issued by the Oregon State University Open Source Lab (osuosl), so you get the expected mismatch of "lists.uclibc.org" != "*.osuosl.org". A similar problem happens on another uclibc.org subdomain, where they're apparently sharing an SSL certificate issued to *.buildroot.org, an associated open-source project that actually uses the uClibc package. I guess the uClibc maintainers just wanted SSL to work, and didn't bother to get the certificate part done right. So it's legit to visit that site, and I do know what I am doing, but I need to make the browser see things my way, somehow (and I'd rather not have to break out the tire iron to do so...).

As for why Pale Moon seems to be denying the exception, I think it's a bug, but I'm not going to rule out it being a pedantic security practice that has an associated about:config bit hiding somewhere. I did find this thread that forces the "Add Exception" button to appear (by setting browser.xul.error_pages.expert_bad_cert to true), but adding an exception that way has the same non-effect as adding it via the Certificates dialog. Something is preventing me from accessing SSL domains where an "ssl_error_bad_cert_domain" error gets raised.

I've attached two screenshots showing the differences:
Palemoon ssl_error_bad_cert_domain
Seamonkey ssl_error_bad_cert_domain
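
The name mismatch described in the post above, as an added example that is not part of the original thread and is not Pale Moon or NSS code: a simplified RFC 6125-style check of a requested host against a certificate's DNS names. The function names and sample name lists are assumptions, constructed from the host and wildcard names quoted in the post.

```javascript
// Added illustration: simplified RFC 6125-style matching of a requested host
// against the DNS names carried in a certificate. Not Pale Moon or NSS code.

// Lower-case the name and drop a trailing dot so comparisons are canonical.
function normalize(name) {
  return name.trim().replace(/\.$/, '').toLowerCase();
}

// True if `host` is covered by one certificate name `pattern`.
// Rules modelled: "*" is accepted only as the entire leftmost label, it stands
// for exactly one label, and it must be followed by at least two labels.
function matchesPattern(host, pattern) {
  const h = normalize(host).split('.');
  const p = normalize(pattern).split('.');
  if (h.some((label) => label.length === 0)) return false; // empty label in host
  if (h.length !== p.length) return false; // "*" never spans several labels
  if (p.slice(1).some((label) => label.includes('*'))) return false;
  if (p[0] === '*') {
    if (p.length < 3) return false; // reject "*.org"-style patterns
    return h.slice(1).join('.') === p.slice(1).join('.');
  }
  if (p[0].includes('*')) return false; // partial wildcards are not handled here
  return h.join('.') === p.join('.');
}

// Check a host against every DNS name in the certificate. The error label is
// the one quoted in the post, reused here only to tag the failing case.
function checkHost(host, certDnsNames) {
  const matched = certDnsNames.filter((n) => matchesPattern(host, n));
  return {
    host,
    ok: matched.length > 0,
    matched,
    error: matched.length > 0 ? null : 'ssl_error_bad_cert_domain',
  };
}

// Constructed sample data: the wildcard name quoted in the post, and what a
// correctly issued certificate for the mailing-list host would carry instead.
const SHARED_WILDCARD_CERT = ['*.osuosl.org'];
const CORRECTED_CERT = ['*.osuosl.org', 'lists.uclibc.org'];

function demo() {
  return [
    checkHost('lists.uclibc.org', SHARED_WILDCARD_CERT), // mismatch, as in the post
    checkHost('lists.osuosl.org', SHARED_WILDCARD_CERT), // covered by the wildcard
    checkHost('a.lists.osuosl.org', SHARED_WILDCARD_CERT), // two labels deep: no match
    checkHost('osuosl.org', SHARED_WILDCARD_CERT), // bare domain: no match
    checkHost('lists.uclibc.org', CORRECTED_CERT), // fixed by adding the name
  ];
}

for (const r of demo()) {
  console.log(`${r.host}: ${r.ok ? 'ok via ' + r.matched.join(', ') : r.error}`);
}
```

The last case shows the server-side fix: once the certificate lists the host name itself, the browser needs no exception at all.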

Moonchild

Re: "Add Exception" button missing on SSL Error pages

Unread post by Moonchild » 2015-12-15, 22:31

Your display of the certificate error page is non-standard; it should look very similar to the SeaMonkey page. This may be caused by one of your extensions.

If I surf to that address, I get the attached page. As you can see it has all the normal fields and an exception button.

Please also understand that adding exceptions should at all times be a last-ditch measure and only be done if you fully trust (all) the servers involved. In this case, the certificate presented does not belong to the domain you are visiting -- that is bad.
Attachments
untrusted1.png
"You will observe with concern how long a useful truth may be known and exist before it is generally received and practiced on." -- Benjamin Franklin
"Compromise and collaboration lie at the heart of all great endeavours" -- Kassandra

Kumba

Re: "Add Exception" button missing on SSL Error pages

Unread post by Kumba » 2015-12-15, 22:48

Moonchild wrote: Your display of the certificate error page is non-standard; it should look very similar to the SeaMonkey page. This may be caused by one of your extensions.

If I surf to that address, I get the attached page. As you can see it has all the normal fields and an exception button.
I checked the page by running PM in safe mode. Still was missing the button. That should at least eliminate the extensions as being a cause, which then suggests something in the local user profile must be doing it. Anything you know of that might be worth checking first? I'm not above spinning up a second, blank profile to vet things, but if there's some kind of about:config setting I should poke at first, that'd save me some time.
Moonchild wrote: Please also understand that adding exceptions should at all times be a last-ditch measure and only be done if you fully trust (all) the servers involved. In this case, the certificate presented does not belong to the domain you are visiting -- that is bad.
Yeah, I know, but I'm fairly confident that this particular site just has a silly misconfiguration about it (as I alluded to in my original post).

Moonchild

Re: "Add Exception" button missing on SSL Error pages

Unread post by Moonchild » 2015-12-15, 22:55

Posting the output of Help -> troubleshooting information (as text) might help provide some insight into what the problem is.

Kumba

Re: "Add Exception" button missing on SSL Error pages

Unread post by Kumba » 2015-12-15, 23:28

Moonchild wrote: Posting the output of Help -> troubleshooting information (as text) might help provide some insight into what the problem is.
Here's everything, though I removed the "print.printer_*" items, because they don't apply, and I minimize certain bits of information on public forums.

Code:

Application Basics
------------------

Name: Pale Moon
Version: 25.8.1
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:25.8) Gecko/20151126 Firefox/31.9 PaleMoon/25.8.1

Extensions
----------

Name: Adblock Latitude
Version: 3.0.3.1
Enabled: true
ID: {016acf6d-e5c0-4768-9376-3763d1ad1978}

Name: Adblock Plus Pop-up Addon
Version: 0.9.2.1-signed
Enabled: true
ID: adblockpopups@jessehakanen.net

Name: Calomel SSL Validation
Version: 0.78
Enabled: true
ID: calomelsslvalidation@calomel.org

Name: checkCompatibility
Version: 1.3.1-signed
Enabled: true
ID: check-compatibility@dactyl.googlecode.com

Name: Cookie Monster
Version: 1.2.0.1-signed
Enabled: true
ID: {45d8ff86-d909-11db-9705-005056c00008}

Name: DNS Cache
Version: 1.8.1.1-signed
Enabled: true
ID: dnscache@dominik.jungowski

Name: Element Hiding Helper for Adblock Plus
Version: 1.3.2.1-signed
Enabled: true
ID: elemhidehelper@adblockplus.org

Name: Flashblock
Version: 1.5.18.1-signed
Enabled: true
ID: {3d7eb24f-2740-49df-8937-200b1cc08f8a}

Name: FoxClocks (Pseudo-static)
Version: 3.4.14-pm
Enabled: true
ID: {91228860-d602-45c4-9376-3763d1ad1978}

Name: Ghostery
Version: 5.4.4.1-signed
Enabled: true
ID: firefox@ghostery.com

Name: Google search link fix
Version: 1.4.9.1-signed
Enabled: true
ID: jid0-XWJxt5VvCXkKzQK99PhZqAn7Xbg@jetpack

Name: IE Tab 2 (FF 3.6+)
Version: 5.12.12.1
Enabled: true
ID: {1BC9BA34-1EED-42ca-A505-6D2F1A935BBB}

Name: Leet Key
Version: 1.4.3.1-signed.1-signed
Enabled: true
ID: {3335F91D-2AEF-4097-B831-C96C60349822}

Name: NoScript
Version: 2.7
Enabled: true
ID: {73a6fe31-595d-460b-a920-fcc0f8843232}

Name: OverbiteFF
Version: 3.0.1627.1-signed
Enabled: true
ID: overbiteff@floodgap.com

Name: Oxygen KDE Options
Version: 4.0 BETA3
Enabled: true
ID: {c2a3f51e-2920-4eab-9008-1bcb44d21d57}

Name: Pale Moon Commander
Version: 1.7.3
Enabled: true
ID: commander@palemoon.org

Name: Remove It Permanently
Version: 1.0.6.10.1-signed
Enabled: true
ID: {1dbc4a33-ea62-4330-966c-7bdad3455322}

Name: RequestPolicy
Version: 1.0.beta8.2
Enabled: true
ID: requestpolicy@requestpolicy.com

Name: ScrapBook
Version: 1.5.11.1-signed
Enabled: true
ID: {53A03D43-5363-4669-8190-99061B2DEBA5}

Name: Session Manager
Version: 0.8.1.7
Enabled: true
ID: {1280606b-2510-4fe0-97ef-9b5a22eafe30}

Name: User Agent Switcher
Version: 0.7.3.1-signed
Enabled: true
ID: {e968fc70-8f95-4ab9-9e79-304de2a71ee1}

Name: YouTube Center
Version: 2.1.1
Enabled: true
ID: jid1-cwbvBTE216jjpg@jetpack

Name: Greasemonkey
Version: 1.15.1-signed
Enabled: false
ID: {e4a8a97b-f2ed-450b-b12d-ee082ba24781}

Name: SQLite Manager
Version: 0.8.3.1-signed
Enabled: false
ID: SQLiteManager@mrinalkant.blogspot.com

Important Modified Preferences
------------------------------

accessibility.typeaheadfind.flashBar: 0
browser.cache.disk.capacity: 0
browser.cache.disk.enable: false
browser.cache.disk.smart_size.enabled: false
browser.cache.disk.smart_size.first_run: false
browser.cache.disk.smart_size.use_old_max: false
browser.cache.disk.smart_size_cached_value: 634880
browser.cache.disk_cache_ssl: false
browser.cache.memory.capacity: 131072
browser.cache.offline.enable: false
browser.display.background_color: #ffffff
browser.fixup.alternate.enabled: false
browser.history_expire_days.mirror: 180
browser.places.createdSmartBookmarks: true
browser.places.importBookmarksHTML: false
browser.places.importDefaults: false
browser.places.leftPaneFolderId: 195
browser.places.migratePostDataAnnotations: false
browser.places.smartBookmarksVersion: 4
browser.places.updateRecentTagsUri: false
browser.search.suggest.enabled: false
browser.search.update: false
browser.sessionstore.interval: 300000
browser.sessionstore.max_tabs_undo: 16
browser.sessionstore.max_windows_undo: 4
browser.startup.homepage: about:blank
browser.startup.homepage_override.buildID: 20151126053751
browser.startup.homepage_override.mstone: 25.8.1
browser.urlbar.rss: false
dom.disable_window_open_feature.close: true
dom.disable_window_open_feature.menubar: true
dom.disable_window_open_feature.minimizable: true
dom.disable_window_open_feature.scrollbars: true
dom.disable_window_open_feature.titlebar: true
dom.disable_window_open_feature.toolbar: true
dom.event.clipboardevents.enabled: false
dom.event.contextmenu.enabled: false
dom.ipc.plugins.enabled.npietab2.dll: true
dom.max_chrome_script_run_time: 40
dom.max_script_run_time: 0
dom.mozApps.used: true
dom.storage.default_quota: 4096
dom.storage.enabled: false
dom.w3c_touch_events.expose: false
extensions.checkCompatibility: false
extensions.checkCompatibility.10.0: false
extensions.checkCompatibility.11.0: false
extensions.checkCompatibility.12.0: false
extensions.checkCompatibility.13.0: false
extensions.checkCompatibility.14.0: false
extensions.checkCompatibility.15.0: false
extensions.checkCompatibility.16.0: false
extensions.checkCompatibility.17.0: false
extensions.checkCompatibility.18.0: false
extensions.checkCompatibility.19.0: false
extensions.checkCompatibility.20.0: false
extensions.checkCompatibility.24.0: false
extensions.checkCompatibility.25.0: false
extensions.checkCompatibility.26.0: false
extensions.checkCompatibility.27.0: false
extensions.checkCompatibility.28.0: false
extensions.checkCompatibility.29.0: false
extensions.checkCompatibility.30.0: false
extensions.checkCompatibility.31.0: false
extensions.checkCompatibility.9.0: false
extensions.lastAppVersion: 25.8.1
font.internaluseonly.changed: true
font.name.monospace.x-western: Consolas
font.name.serif.x-western: Arial
general.useragent.extra.microsoftdotnet: ( .NET CLR 3.5.30729; .NET4.0E)
gfx.color_management.mode: 1
gfx.direct3d.last_used_feature_level_idx: 0
gfx.direct3d.prefer_10_1: true
gfx.font_rendering.cleartype.always_use_for_content: true
keyword.enabled: false
layers.acceleration.force-enabled: true
mousewheel.horizscroll.withnokey.action: 4
network.buffer.cache.count: 32
network.cookie.cookieBehavior: 1
network.cookie.prefsMigrated: true
network.cookie.thirdparty.sessionOnly: true
network.dns.disableIPv6: true
network.dns.disablePrefetchFromHTTPS: true
network.http.max-connections: 64
network.http.max-persistent-connections-per-proxy: 24
network.http.max-persistent-connections-per-server: 32
network.http.pipelining.max-optimistic-requests: 6
network.http.pipelining.maxrequests: 12
network.http.referer.trimmingPolicy: 2
network.http.referer.XOriginPolicy: 1
network.http.sendRefererHeader: 0
network.http.sendSecureXSiteReferrer: false
network.http.speculative-parallel-limit: 0
network.websocket.extensions.stream-deflate: true
places.database.lastMaintenance: 1450097971
places.history.expiration.transient_current_max_pages: 104858
places.history.expiration.transient_optimal_database_size: 167772160
places.last_vacuum: 1269512815
plugin.importedState: true
plugin.state.java: 0
plugin.state.npdeployjava: 0
plugins.hide_infobar_for_outdated_plugin: true
plugins.load_appdir_plugins: true
privacy.clearOnShutdown.cookies: false
privacy.clearOnShutdown.extensions-dta: true
privacy.cpd.cache: false
privacy.cpd.downloads: false
privacy.cpd.extensions-betterprivacy: true
privacy.cpd.extensions-sessionmanager: false
privacy.cpd.formdata: false
privacy.cpd.history: false
privacy.cpd.sessions: false
privacy.cpd.siteprefs: false
privacy.donottrackheader.enabled: true
privacy.item.extensions-dta: true
privacy.sanitize.migrateFx3Prefs: true
privacy.sanitize.timeSpan: 2
security.disable_button.openCertManager: false
security.disable_button.openDeviceManager: false
security.OCSP.disable_button.managecrl: false
security.OCSP.enabled: 0
security.ssl.enable_false_start: true
security.ssl3.dhe_dss_aes_128_sha: false
security.ssl3.dhe_dss_aes_256_sha: false
security.ssl3.dhe_rsa_camellia_128_sha: false
security.ssl3.dhe_rsa_camellia_256_sha: false
security.ssl3.dhe_rsa_des_ede3_sha: false
security.ssl3.ecdhe_ecdsa_aes_128_gcm_sha256: false
security.ssl3.ecdhe_ecdsa_aes_128_sha: false
security.ssl3.ecdhe_rsa_aes_128_gcm_sha256: false
security.ssl3.ecdhe_rsa_des_ede3_sha: false
security.ssl3.rsa_aes_128_sha: false
security.ssl3.rsa_camellia_128_sha: false
security.ssl3.rsa_camellia_256_sha: false
security.warn_viewing_mixed: false
storage.vacuum.last.index: 1
storage.vacuum.last.places.sqlite: 1448529661
webgl.disabled: true
webgl.disable-extensions: true

Graphics
--------

Adapter Description: AMD Radeon HD 6900 Series
Adapter Drivers: aticfx64 aticfx64 aticfx64 aticfx32 aticfx32 aticfx32 atiumd64 atidxx64 atidxx64 atiumdag atidxx32 atidxx32 atiumdva atiumd6a atitmm64
Adapter RAM: 2048
ClearType Parameters: Gamma: 2200 Pixel Structure: RGB ClearType Level: 50 Enhanced Contrast: 50
Device ID: 0x6719
Direct2D Enabled: true
DirectWrite Enabled: true (6.2.9200.17461)
Driver Date: 11-20-2014
Driver Version: 14.501.1003.0
GPU #2 Active: false
GPU Accelerated Windows: 2/2 Direct3D 10
Vendor ID: 0x1002
windowLayerManagerRemote: false
AzureCanvasBackend: direct2d
AzureContentBackend: direct2d
AzureFallbackCanvasBackend: cairo

JavaScript
----------

Incremental GC: true

Accessibility
-------------

Activated: false
Prevent Accessibility: 1

Library Versions
----------------

NSPR
Expected minimum version: 4.10.10
Version in use: 4.10.10

NSS
Expected minimum version: 3.19.4 Basic ECC
Version in use: 3.19.4 Basic ECC

NSSSMIME
Expected minimum version: 3.19.4 Basic ECC
Version in use: 3.19.4 Basic ECC

NSSSSL
Expected minimum version: 3.19.4 Basic ECC
Version in use: 3.19.4 Basic ECC

NSSUTIL
Expected minimum version: 3.19.4
Version in use: 3.19.4

Kumba

Re: "Add Exception" button missing on SSL Error pages

Unread post by Kumba » 2015-12-15, 23:31

The other thing, pretty much everything in Firefox's UI is written in JavaScript or XUL/XML these days, so I figured the base text of the "Untrusted Connection" page was encoded somewhere. But a raw string search in both the Pale Moon install folder and my profile folder turns up no matches. I was hoping to look at the page source for that and see if maybe something stuck out that'd explain why the "I know what I'm doing" bits were hidden. Is this page buried deep within the code base instead?

Kumba

Re: "Add Exception" button missing on SSL Error pages

Unread post by Kumba » 2015-12-16, 00:10

Kumba wrote: The other thing, pretty much everything in Firefox's UI is written in JavaScript or XUL/XML these days, so I figured the base text of the "Untrusted Connection" page was encoded somewhere. But a raw string search in both the Pale Moon install folder and my profile folder turns up no matches. I was hoping to look at the page source for that and see if maybe something stuck out that'd explain why the "I know what I'm doing" bits were hidden. Is this page buried deep within the code base instead?
Half-answered this question. Checked Firefox 38's source, and it seems this bit of text is in the browser/locales/en-US/chrome/browser/aboutCertError.dtd file, and my guess is that gets compiled into the massive ~28MB xul.dll.

But I did learn about "about:certerror", which is the source template used for certificate error pages. That one has the "I Understand the Risks" button on it, and per that page's source code, a few possible conditions stand out:

Code:

if (getCSSClass() == "expertBadCert") {
  toggle('technicalContent');
  toggle('expertContent');
}
This seems to be what's hiding the buttons, because in my user prefs, "browser.xul.error_pages.expert_bad_cert" is set to "false". But, in Seamonkey, the same exact setting is also set to false, yet I can see the technicalContent and expertContent buttons just fine.

Code:

// Disallow overrides if this is a Strict-Transport-Security
// host and the cert is bad (STS Spec section 7.3) or if the
// certerror is in a frame (bug 633691).
if (getCSSClass() == "badStsCert" || window != top)
  document.getElementById("expertContent").setAttribute("hidden", "true");
Another possibility, but I installed Live HTTP Headers in Seamonkey and checked the HTTP response header of the lists.uclibc.org site, and I am not getting the Strict-Transport-Security header sent back, so that rules this snippet of code out.

So I am somewhat stumped at the moment. My profile directory dates back to ~2008, and was an import from Firefox, so it is entirely possible there's some crusty old bit o' cruft that's hiding in there and causing this issue, but I'll be flummoxed as to what.

Moonchild

Re: "Add Exception" button missing on SSL Error pages

Unread post by Moonchild » 2015-12-16, 17:12

Well, looks like you explicitly disabled compatibility checking for your extensions, for one. That's really not something you should be doing, and you may be using incompatible versions as a result.

Have you tried using Pale Moon in safe mode? Start Pale Moon while holding SHIFT down and continue in Safe Mode (please note that if you want to retain a stored session if you normally use that, go to about:sessionrestore first thing, or it will be lost when you close out of safe mode). If it works there, then you should disable your add-ons and themes, and start working through them to find out what is causing the issue.

The expert options also don't show if the loaded document is not the top window (this is by design to prevent spoofing), so if some extension is "wrapping" this page into a frame, then that's by design.

Kumba

Re: "Add Exception" button missing on SSL Error pages

Unread post by Kumba » 2015-12-16, 17:49

Moonchild wrote: Well, looks like you explicitly disabled compatibility checking for your extensions, for one. That's really not something you should be doing, and you may be using incompatible versions as a result.
A holdover from when my profile was a Firefox profile. The constant extension checks, followed by force-disabling of extensions, got really irritating. Call it one thing I'm thankful to PM for: reasonable, infrequent update schedules.

That said, I'm pretty cognizant of when an extension doesn't work 100% following an update, and usually take steps to remedy things, or disable the extension (in a rare case, I backed down a version or two of PM until the extension's author fixed things on their end). Hell, I ran Thunderbird for over a year with a broken extension that effectively caused my menu bar (file, edit, etc) to get cropped off at the top. But it was worth it to have the mailbox theme I wanted at the time. Such is life...

Moonchild wrote: Have you tried using Pale Moon in safe mode? Start Pale Moon while holding SHIFT down and continue in Safe Mode (please note that if you want to retain a stored session if you normally use that, go to about:sessionrestore first thing, or it will be lost when you close out of safe mode). If it works there, then you should disable your add-ons and themes, and start working through them to find out what is causing the issue.
Already tried Safe mode, and the problem was still present (I mentioned this above). So, not the extensions. I suspect something I've got set in user.prefs at this point. I'll probably have to create a blank profile to really verify (as I assume safe mode only disables extensions/plugins, but leaves about:config settings in place). If that still doesn't do it...well, I'll have to spin up the orbital cannons and nuke things from up there (it's the only way to be sure), then try again.

I double checked a Pale Moon install I have in a Windows VM instance, and that's showing the button just fine, and it's got pretty much the same exact extensions loaded. So that kind of points additional fingers at my user preferences.

Moonchild wrote: The expert options also don't show if the loaded document is not the top window (this is by design to prevent spoofing), so if some extension is "wrapping" this page into a frame, then that's by design.
A good point. I wonder if Ghostery may be a point of content here, as they throw a little purple bubble-box that lists the trackers they block, and I do believe that's done by some kind of floating frame or <div> layer. But safe mode should have proved if that was the case, though...
