ابحث في الدعم

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Distribute Exception set via cert_override.txt company wide

  • 8 ردود
  • 1 has this problem
  • 1 view
  • آخر ردّ كتبه Mike Kaply

more options

Hey everyone,

I'm currently working for a company where we need to distribute a set of exceptions for 4 internal websites. For many reasons the firefox currently does not trust the certificate that has been issued and users will receive the prompt "Warning: Potential Security Risk Ahead" and the user can click on "Advanced" -> "Accept the risk and continue" Now this is something we would like to prevent from happening.

The obvious solution would be to have a proper certificate in place but that is the long term solution and we need a quick workaround with the same result -> access the page without the prompt. The prompt is gone once we set the exception and copy the "Cert_override.txt" to the user profile. Now I have a script that I could use to copy the file to all profiles but that would be the absolute last thing I would want to do.

So my question is: is there any way to set an exception system wide instead of on a user profile basis? We are not using the Firefox ADMX templates but just a mozilla.cfg. Reading about the ADMX templates it also doesn't look like it would be possible via a policy, is that correct? Do you guys have any suggestions as to what we can do here?

Any helpful hints would be appreciated.

Thank you.

Hey everyone, I'm currently working for a company where we need to distribute a set of exceptions for 4 internal websites. For many reasons the firefox currently does not trust the certificate that has been issued and users will receive the prompt "Warning: Potential Security Risk Ahead" and the user can click on "Advanced" -> "Accept the risk and continue" Now this is something we would like to prevent from happening. The obvious solution would be to have a proper certificate in place but that is the long term solution and we need a quick workaround with the same result -> access the page without the prompt. The prompt is gone once we set the exception and copy the "Cert_override.txt" to the user profile. Now I have a script that I could use to copy the file to all profiles but that would be the absolute last thing I would want to do. ''' So my question is: is there any way to set an exception system wide instead of on a user profile basis?''' We are not using the Firefox ADMX templates but just a mozilla.cfg. Reading about the ADMX templates it also doesn't look like it would be possible via a policy, is that correct? Do you guys have any suggestions as to what we can do here? Any helpful hints would be appreciated. Thank you.

الحل المُختار

Hi,

Mike was able to solve this issue through the XML Http request. Here is the solution(not sure if there is a better way to post code here, hope this works):

Cu.importGlobalProperties(["XMLHttpRequest", "URL"]);

let overrides = ["self-signed.badssl.com"]

let setOverrides; try {

 setOverrides = getPref("setOverrides").split(",");

} catch (e) {} if (setOverrides != overrides) {

 Services.obs.addObserver(function observer() {
   let overrideService = Cc["@mozilla.org/security/certoverride;1"].getService(
     Ci.nsICertOverrideService
   );
   for (var i=0; i < overrides.length; i++) {
     let xhr = new XMLHttpRequest();
     try {        
       xhr.open("GET", "https://" + overrides[i]);
       xhr.onerror = function() {
         if (xhr.channel && xhr.channel.securityInfo) {
           let secInfo = xhr.channel.securityInfo.QueryInterface(Ci.nsITransportSecurityInfo);
           let cert = secInfo ? secInfo.serverCert : null;
           if (cert) {
             let url = new URL(xhr.responseURL);
             let flags = 0;
             flags |= overrideService.ERROR_UNTRUSTED;
             overrideService.rememberValidityOverride(
             url.hostname,
             443,
             cert,
             flags,
             false);
           }
         }
       }
       xhr.send(null);
     } catch (ex) {}
   }
   pref("setOverrides", overrides.join(","));
   Services.obs.removeObserver(observer, "final-ui-startup");
 }, "final-ui-startup");

}


You can add multiple domains as well.

All credits go to Mike, thank you again!

Read this answer in context 👍 0

All Replies (8)

more options

If you're using mozilla.cfg, you can do this.

My best pointer to how to do this would be to look at how the CCK2 does it:

https://github.com/mkaply/cck2wizard/blob/master/cck2/modules/CCK2.jsm#L761

You bascially have to do an XMLHttprequest to the site and intercept the request.

more options

Hey Mike,

thanks a lot for the suggestion! To be honest though I don't fully understand how I would implement it. I think you already pointed out the correct line of code but unfortunately I don't really get how and where I would implement a XMLHttprequest, In a file? I looked through this article here: https://developer.mozilla.org/en-US/docs/Web/API/XMLHttpRequest however I'm still not sure how to proceed.

Thanks again!

more options

That's fine. What do your autoconfig files like today? Would you be willing to send one to mkaply at mozilla.com and I'll add the code for you?

more options

Hey Mike,

that is a very generous offer I would happily take you up on it. Though my lack of Firefox configuration knowledge now comes to the surface. By autoconfig file you mean the policies.js? I had a quick read here: https://support.mozilla.org/en-US/kb/customizing-firefox-using-autoconfig and it doesn't even seem like we have the autoconfig.js in place. We do however seem to have a lot of configurations listed in the autoconfig article within the "Mozilla.cfg" so do you want me to provide you with that file? In case that is true I would have to remove some preference containing internal URLS but I think I'd be able to provide you with the file. The policies.js as well as local-settings.js both seem to point to the mozilla.cfg

Local-settings.js: pref("general.config.obscure_value", 0); pref("general.config.filename", "mozilla.cfg");

policies.js: pref("general.config.obscure_value", 0); pref("general.config.filename", "mozilla.cfg");

Thats all the content of those files.

My apologies for the lack of knowledge in that regard.

Thanks again!

more options

Actually I need the mozilla.cfg file. It might have sensitive info in it, so you might want to email it to me.

more options

Hey Mike,

i have sent you the file via mail.

Thanks a lot!

more options

الحل المُختار

Hi,

Mike was able to solve this issue through the XML Http request. Here is the solution(not sure if there is a better way to post code here, hope this works):

Cu.importGlobalProperties(["XMLHttpRequest", "URL"]);

let overrides = ["self-signed.badssl.com"]

let setOverrides; try {

 setOverrides = getPref("setOverrides").split(",");

} catch (e) {} if (setOverrides != overrides) {

 Services.obs.addObserver(function observer() {
   let overrideService = Cc["@mozilla.org/security/certoverride;1"].getService(
     Ci.nsICertOverrideService
   );
   for (var i=0; i < overrides.length; i++) {
     let xhr = new XMLHttpRequest();
     try {        
       xhr.open("GET", "https://" + overrides[i]);
       xhr.onerror = function() {
         if (xhr.channel && xhr.channel.securityInfo) {
           let secInfo = xhr.channel.securityInfo.QueryInterface(Ci.nsITransportSecurityInfo);
           let cert = secInfo ? secInfo.serverCert : null;
           if (cert) {
             let url = new URL(xhr.responseURL);
             let flags = 0;
             flags |= overrideService.ERROR_UNTRUSTED;
             overrideService.rememberValidityOverride(
             url.hostname,
             443,
             cert,
             flags,
             false);
           }
         }
       }
       xhr.send(null);
     } catch (ex) {}
   }
   pref("setOverrides", overrides.join(","));
   Services.obs.removeObserver(observer, "final-ui-startup");
 }, "final-ui-startup");

}


You can add multiple domains as well.

All credits go to Mike, thank you again!

more options

Note this solution was for Firefox 69 ESR. I didn't test if it works on current Firefox (but it should).

Might need small changes when ESR 78 comes out.