Bug | Critical | Resolution: Unresolved | Affects: rhel-7-els, rhel-8.10.z, rhel-9.8 | Component: rhel-display-applications | Architecture: x86_64
What were you trying to do that didn't work?
Customer wants to use Firefox to access an HTTPS server whose certificate is issued by a local CA.
What is the impact of this issue to you?
Users cannot access the server unless they add a security exception.
Please provide the package NVR for which the bug is seen:
RHEL 7.9 ELS
firefox-140.6.0-1.el7_9.x86_64
How reproducible is this bug?:
Always
Steps to reproduce
1. Ensure that "files" has precedence in host name search
   # cp -p /etc/nsswitch.conf /etc/nsswitch.conf~
   # sed -i -e '/^hosts:/{s/\<files\>//g;s/:/: files /;s/ */ /g}' /etc/nsswitch.conf
2. Add an entry for "www.example.com" to /etc/hosts
   # cp -p /etc/hosts /etc/hosts~
   # echo 127.0.0.1 www.example.com >> /etc/hosts
3. Confirm that it works
   # ping -q -c 1 www.example.com
   PING www.example.com (127.0.0.1) 56(84) bytes of data.

   --- www.example.com ping statistics ---
   1 packets transmitted, 1 received, 0% packet loss, time 0ms
   rtt min/avg/max/mdev = 0.065/0.065/0.065/0.000 ms
4. Create root CA key & certificate (10 years life time)
   # openssl req -newkey rsa:4096 -passout pass:redhat -keyout example-ca.key -subj '/CN=Example CA' -out example-ca.csr
   # printf '%s\n' [ca_ext] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer basicConstraints=critical,CA:true keyUsage=critical,digitalSignature,keyCertSign,cRLSign > example-ca.ext
   # openssl x509 -req -days 1825 -in example-ca.csr -extfile example-ca.ext -extensions ca_ext -signkey example-ca.key -passin pass:redhat -out example-ca.crt
5. Create intermediate CA key & certificate (5 years life time)
   # openssl req -newkey rsa:4096 -passout pass:redhat -keyout example-ca-int.key -subj '/CN=Example Intermediate CA' -out example-ca-int.csr
   # printf '%s\n' [ca_ext] subjectKeyIdentifier=hash authorityKeyIdentifier=keyid:always,issuer basicConstraints=critical,CA:true keyUsage=critical,digitalSignature,keyCertSign,cRLSign > example-ca-int.ext
   # openssl x509 -req -days 1825 -in example-ca-int.csr -extfile example-ca-int.ext -extensions ca_ext -CA example-ca.crt -CAkey example-ca.key -passin pass:redhat -CAcreateserial -out example-ca-int.crt
6. Add the root CA certificate to the system trust store
   # cp example-ca.crt /etc/pki/ca-trust/source/anchors/
   # update-ca-trust
7. Confirm that the certificate was added to the system trust store
   # trust list | fgrep -i example
       label: Example CA
8. Use the intermediate CA to create the HTTPS server certificate
   From https://support.mozilla.org/en-US/questions/1379667:
   Firefox from 101.0 onward no longer use certificate CN (Common Name) for matching domain name to certificate and have migrated to only using SAN (Subject Alternate Name) so if you self sign for internal devices you’ll need to regenerate.
   # openssl req -newkey rsa:4096 -nodes -keyout server.key -subj '/CN=example.com' -out server.csr
   # printf '%s\n' [san_ext] 'subjectAltName=DNS:*.example.com' > server.ext
   # openssl x509 -req -days 365 -in server.csr -extfile server.ext -extensions san_ext -CA example-ca-int.crt -CAkey example-ca-int.key -passin pass:redhat -CAcreateserial -out server.crt
9. Install and enable Apache HTTP server and the SSL module
   # yum install -y httpd mod_ssl
10. Configure the SSL module to use the server certificate we generated
   # cp server.key /etc/pki/tls/private/localhost.key
   # chmod 600 /etc/pki/tls/private/localhost.key
   # cp server.crt /etc/pki/tls/certs/localhost.crt
   # cp example-ca-int.crt /etc/pki/tls/certs/server-chain.crt
   # systemctl enable --now httpd
   # systemctl status httpd.service
   ● httpd.service - The Apache HTTP Server
      Loaded: loaded (/usr/lib/systemd/system/httpd.service; enabled; vendor preset: disabled)
      Active: active (running) since Mon 2026-02-09 11:04:03 -03; 54s ago
        Docs: man:httpd(8)
              man:apachectl(8)
    Main PID: 5564 (httpd)
      Status: "Total requests: 0; Current requests/sec: 0; Current traffic: 0 B/sec"
       Tasks: 6
      CGroup: /system.slice/httpd.service
              ├─5564 /usr/sbin/httpd -DFOREGROUND
              ├─5565 /usr/sbin/httpd -DFOREGROUND
              ├─5566 /usr/sbin/httpd -DFOREGROUND
              ├─5567 /usr/sbin/httpd -DFOREGROUND
              ├─5568 /usr/sbin/httpd -DFOREGROUND
              └─5569 /usr/sbin/httpd -DFOREGROUND

   Feb 09 11:04:03 rhel-7-3.example.com systemd[1]: Starting The Apache HTTP Server...
   Feb 09 11:04:03 rhel-7-3.example.com systemd[1]: Started The Apache HTTP Server.

   # lsof -P -i :443 -i :80| sed 's/^/ /'
    COMMAND PID  USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
    httpd   5564 root    4u  IPv6  36100      0t0  TCP *:80 (LISTEN)
    httpd   5564 root    6u  IPv6  36108      0t0  TCP *:443 (LISTEN)
    httpd   5565 apache  4u  IPv6  36100      0t0  TCP *:80 (LISTEN)
    httpd   5565 apache  6u  IPv6  36108      0t0  TCP *:443 (LISTEN)
    httpd   5566 apache  4u  IPv6  36100      0t0  TCP *:80 (LISTEN)
    httpd   5566 apache  6u  IPv6  36108      0t0  TCP *:443 (LISTEN)
    httpd   5567 apache  4u  IPv6  36100      0t0  TCP *:80 (LISTEN)
    httpd   5567 apache  6u  IPv6  36108      0t0  TCP *:443 (LISTEN)
    httpd   5568 apache  4u  IPv6  36100      0t0  TCP *:80 (LISTEN)
    httpd   5568 apache  6u  IPv6  36108      0t0  TCP *:443 (LISTEN)
    httpd   5569 apache  4u  IPv6  36100      0t0  TCP *:80 (LISTEN)
    httpd   5569 apache  6u  IPv6  36108      0t0  TCP *:443 (LISTEN)
11. Confirm that everything is OK
   # openssl s_client -showcerts -verify_hostname www.example.com -servername www.example.com -connect www.example.com:443 < /dev/null|&sed 's/^/ /'
    depth=2 CN = Example CA
    verify return:1
    depth=1 CN = Example Intermediate CA
    verify return:1
    depth=0 CN = example.com
    verify return:1
    CONNECTED(00000003)
    ---
    Certificate chain
     0 s:/CN=example.com
       i:/CN=Example Intermediate CA
     1 s:/CN=Example Intermediate CA
       i:/CN=Example CA
    ---
    Server certificate
    subject=/CN=example.com
    issuer=/CN=Example Intermediate CA
    ---
    No client certificate CA names sent
    Peer signing digest: SHA512
    Server Temp Key: ECDH, P-256, 256 bits
    ---
    SSL handshake has read 3522 bytes and written 439 bytes
    ---
    New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-GCM-SHA384
    Server public key is 4096 bit
    Secure Renegotiation IS supported
    Compression: NONE
    Expansion: NONE
    No ALPN negotiated
    SSL-Session:
        Protocol  : TLSv1.2
        Cipher    : ECDHE-RSA-AES256-GCM-SHA384
        Start Time: 1770646226
        Timeout   : 300 (sec)
        Verify return code: 0 (ok)
    ---
    DONE
12. Log in via GDM as an ordinary user and launch Firefox with an empty profile:
   $ empty=$(mktemp -d)
   $ firefox --profile $empty https://www.example.com
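The support answer quoted in step 8 says Firefox matches the host name only against SAN entries, never the CN. The following is an added example, not part of this bug report, that applies that rule to the dict shape Python's ssl.getpeercert() returns, so the step 8 certificate (CN=example.com, SAN=DNS:*.example.com) can be checked against any host name before asking Firefox; the sample certificates are constructed, and the exact wildcard rules (whole leftmost label, one label, at least two labels after it) are an assumption about browser behaviour.

```python
"""SAN-only hostname matching, the rule the support answer in step 8 describes."""
import socket
import ssl


def _label_match(pattern: str, hostname: str) -> bool:
    """Browser-style wildcard rule (assumed here): '*' must be the whole leftmost
    label, covers exactly one label, and needs at least two labels after it."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lbl for lbl in p_labels[1:]):
        return False
    if len(p_labels) != len(h_labels) or not h_labels[0]:
        return False  # '*' never spans labels, so *.example.com excludes example.com
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """cert is in the dict shape ssl.SSLSocket.getpeercert() returns.
    commonName is ignored on purpose; only SAN dNSName entries count."""
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not dns_names:
        return False  # CN-only certificate: rejected even when the CN is right
    return any(_label_match(name, hostname) for name in dns_names)


# Constructed samples (not real output): the first mirrors the step 8 server
# certificate, CN=example.com with SAN=DNS:*.example.com; the second is CN-only.
SERVER_CERT = {
    "subject": ((("commonName", "example.com"),),),
    "issuer": ((("commonName", "Example Intermediate CA"),),),
    "subjectAltName": (("DNS", "*.example.com"),),
}
CN_ONLY_CERT = {"subject": ((("commonName", "www.example.com"),),)}


def check_live(host: str, port: int = 443) -> bool:
    """Verify the chain against the system OpenSSL trust store (which
    update-ca-trust regenerates), then apply the SAN-only rule."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # hostname rule applied below; chain is still verified
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return cert_matches_hostname(tls.getpeercert(), host)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    print(host, "accepted under SAN-only matching:", check_live(host))
```

Note that the step 8 certificate passes for www.example.com but not for bare example.com, because the wildcard does not cover the parent domain and the CN is not consulted.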
Expected results
Firefox should open the page.
Actual results
A page containing the message “Warning: Potential Security Risk Ahead”.
Possible Workarounds
- Downgrade firefox to the latest working version:
# yum downgrade firefox-128.14.0-2.el7_9
- Keep firefox-140 and import the CA certificates:
Settings->Privacy and Security/Certificates->View Certificates/Authorities->Import