Myself, some guys from NCI and a gang from NUI Maynooth headed down to the IRISS Cyber Security Conference in the D4 Hotels, Dublin. Unfortunately we missed most of the talks, but we still got alot out of it:
Theres alot of discussion lately about Mozilla’s decision to annex self-signed certificates in Firefox 3.x; up until now Firefox would have grudgingly lived with self-signed certificates – when reaching a website that was self-signed all you had to do was click the ‘add exception’ link at the bottom of the warning message, but no more!
When you visit a website that secures itself with a self-signed SSL certificate your now more likely to recieve a much more ominous warning telling you that the certificate is invalid and no obvious way to allow you to proceed regardless.
Having recently setup a secure subversion repository I had this exact problem also. This morning I found a solution, its not ideal but it works perfectly. To make Firefox play nice you have to add your CA (certificate authority) certificate AND your server certificate to Firefox’s list of allowed authorities, then and only then do you get the option to add the server as an exception. Here’s how you do it:
You will need a local copy of the ca.crt and server.crt certificate files.
Open the certificates window
Firefox Preferences -> Advanced Tab -> Encryption -> View Certificates
Import your Certificate Authority file
Authorities Tab -> Click Import -> Browse to your ca.crt file
Import your Server Certificate file
Servers Tab -> Click Import -> Browse to your server.crt file
Thats it! Next time you visit your website (https://mywebsite.com/ for example) you should now be able to add an exception to allow the self-signed certificate.
Reaching the Firefox preferences window differs slightly from OS to OS. In Mac OS X its Firefox -> Preferences, in Linux its often Edit -> Preferences and in Windows its Tools -> Preferences. Its beyond me why Mozilla couldn’t keep it consistent, but there you go.
I hope this post helped you.