Seamonkey Scratchpad

I am tired of being told what I am allowed to use and constantly nagged to update software (e.g. plugins)
and settings (e.g. ciphers). Using an old browser in a virtual environment is cumbersome and resource intensive and - this is the main reason to ignore this alternative - you lose the security fixes and updated features (e.g. CSS) integrated in modern browsers.

Goal

  • Reduce Cookies
  • Disable Telemetry/Geolocation
  • Works with obsolete ciphers (e.g. SSLv3) and certificates (e.g. SHA1)
  • Works with obsolete Flash and Java Plugin versions
  • No Phone-Home

about:config

option                                 default                                   modified
security.tls.version.min*              1                                         0
security.tls.version.fallback-limit*   1 or 3                                    0
security.tls.insecure_fallback_hosts*  (empty)                                   www.yourdomain.tld
extensions.blocklist.enabled           true                                      false
extensions.blocklist.interval          86400
extensions.blocklist.level             2
extensions.blocklist.url               default:  https://addons.mozilla.org/blocklist/3/%APP_ID%/%APP_VERSION%/%PRODUCT%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/%PING_COUNT%/%TOTAL_PING_COUNT%/%DAYS_SINCE_LAST_PING%/
                                       modified: https://addons.mozilla.org/blocklist/3/%20/%20/%20/%20/%20/%20/%20/%20/%20/%20/1/2/1/
extensions.blocklist.detailsURL        https://www.mozilla.com/%LOCALE%/blocklist/
extensions.blocklist.itemURL           https://addons.mozilla.org/%LOCALE%/%APP%/blocked/%blockID%
* only available in "newer" versions (Firefox >38)
More config sites... about:certerror

Cookies cleanup

Use an SQLite DB browser such as SQLiteSpy and modify the cookie storage in bulk.

-- keep only cookies whose baseDomain starts with one of the listed prefixes, delete the rest
delete from moz_cookies
 where baseDomain not like 'aham%'    and baseDomain not like 'benno%'
   and baseDomain not like 'bluew%'   and baseDomain not like 'brack%'
   and baseDomain not like 'digi%'    and baseDomain not like 'amaz%'
   and baseDomain not like '192.%'    and baseDomain not like 'xing%'
   and baseDomain not like 'yahoo%'   and baseDomain not like 'tenab%'
   and baseDomain not like 'swiss%'   and baseDomain not like 'www.%'
   and baseDomain not like 'strueby%' and baseDomain not like 'sbb%'
   and baseDomain not like 'redhat%'  and baseDomain not like 'oracle%'
   and baseDomain not like 'post%'    and baseDomain not like 'nic%'
   and baseDomain not like 'metan%';
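The same bulk cleanup as a script, added here as an example (not from the original scratchpad): it assumes a moz_cookies table with a baseDomain column as in the profile's cookies.sqlite, works on a constructed in-memory copy, and offers a dry run so the rows to be removed can be inspected before deleting.

```python
import sqlite3

# Constructed stand-in for the profile's cookies.sqlite: only the columns
# this example needs (the real moz_cookies table has more).
SCHEMA = """CREATE TABLE moz_cookies (
    id INTEGER PRIMARY KEY, baseDomain TEXT, name TEXT, host TEXT);"""

SAMPLE_ROWS = [  # constructed sample data, not taken from a real profile
    (1, "mozilla.org", "sessionid", ".mozilla.org"),
    (2, "redhat.com", "csrftoken", "access.redhat.com"),
    (3, "tracker.example", "uid", ".tracker.example"),
    (4, "oracle.com", "ORA_SSO", "login.oracle.com"),
    (5, "192.168.1.10", "admin", "192.168.1.10"),
    (6, None, "orphan", ".legacy.example"),  # NULL baseDomain (old-schema row)
]

def open_sample_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO moz_cookies VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn

def purge_cookies(conn, keep_prefixes, dry_run=False):
    """Delete every moz_cookies row whose baseDomain does not start with one of
    keep_prefixes; return the affected (baseDomain, name) pairs.
    substr() replaces LIKE so '%' and '_' in a prefix stay literal, and rows
    with a NULL baseDomain are removed too (NOT LIKE would silently keep them)."""
    keep = " OR ".join("substr(baseDomain, 1, ?) = ?" for _ in keep_prefixes)
    params = [p for prefix in keep_prefixes for p in (len(prefix), prefix)]
    where = f"WHERE baseDomain IS NULL OR NOT ({keep})" if keep_prefixes else ""
    victims = conn.execute(
        f"SELECT baseDomain, name FROM moz_cookies {where} ORDER BY id", params
    ).fetchall()
    if not dry_run:
        conn.execute(f"DELETE FROM moz_cookies {where}", params)
        conn.commit()
    return victims

def remaining_domains(conn):
    return [r[0] for r in conn.execute("SELECT baseDomain FROM moz_cookies ORDER BY id")]

if __name__ == "__main__":
    db = open_sample_db()
    allow = ["redhat", "oracle", "192."]  # allow-list of baseDomain prefixes
    print("would delete:", purge_cookies(db, allow, dry_run=True))
    purge_cookies(db, allow)
    print("remaining:", remaining_domains(db))
```

Close the browser before pointing this at a real cookies.sqlite, since the profile database is locked while SeaMonkey runs.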

Sourcecode

./mozilla/toolkit/mozapps/extensions/nsBlocklistService.js
./mozilla/xpcom/system/nsIBlocklistService.idl
root@oracle:/tmp/seamonkey-2.12.1/mozilla# find . -name "pkix" -print
./security/nss/cmd/libpkix/pkix
./security/nss/lib/libpkix/pkix
root@oracle:/tmp/seamonkey-2.12.1/mozilla# find ../../seamonkey-2.40
seamonkey-2.40/
seamonkey-2.40-x86_64-1.txz
root@oracle:/tmp/seamonkey-2.12.1/mozilla# find ../../seamonkey-2.40 -name "pkix" -print
../../seamonkey-2.40/mozilla/security/nss/cmd/libpkix/pkix
../../seamonkey-2.40/mozilla/security/nss/lib/libpkix/pkix
../../seamonkey-2.40/mozilla/security/pkix
../../seamonkey-2.40/mozilla/security/pkix/include/pkix
../../seamonkey-2.40/obj/security/nss/lib/libpkix/pkix
../../seamonkey-2.40/obj/security/pkix

./browser/components/certerror/content/aboutCertError.xhtml // about:certerror

if (getCSSClass() == "expertBadCert") {
  toggle(technicalContent);
  toggle(expertContent);
}

root@oracle:/tmp/seamonkey-2.12.1/mozilla# find . -name "netError.xhtml" -print
./mobile/xul/chrome/content/netError.xhtml
./mobile/android/chrome/content/netError.xhtml
./docshell/resources/content/netError.xhtml
./b2g/chrome/content/netError.xhtml
root@oracle:/tmp/seamonkey-2.12.1/mozilla# vi ./docshell/resources/content/netError.xhtml
skipping 2 old session files
reading ./docshell/resources/content/netError.xhtml

This is the only place inside libpkix that produces error ca_cert_invalid.
security/manager/ssl/src/NSSErrorsService.cpp (+2 lines) 
/security/manager/ssl/src/SSLServerCertVerification.cpp (+5 lines) 
bool
ErrorIsOverridable(PRErrorCode code)
{
  switch (code)
  {
    // Overridable errors.
    case mozilla::pkix::MOZILLA_PKIX_ERROR_CA_CERT_USED_AS_END_ENTITY:
    case mozilla::pkix::MOZILLA_PKIX_ERROR_INADEQUATE_KEY_SIZE:
    case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE:
    case mozilla::pkix::MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE:
    case mozilla::pkix::MOZILLA_PKIX_ERROR_V1_CERT_USED_AS_CA:
    case SEC_ERROR_CA_CERT_INVALID:
    case SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED:
    case SEC_ERROR_EXPIRED_CERTIFICATE:
    case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
    case SEC_ERROR_INVALID_TIME:
    case SEC_ERROR_UNKNOWN_ISSUER:
    case SSL_ERROR_BAD_CERT_DOMAIN:
      return true;
    // Non-overridable errors.
    default:
      return false;
  }
}

Profile files

blocklist.xml
cert_override.txt
cert8.db

Copy and Paste

http://kb.mozillazine.org/SSL_is_disabled
SSL 3.0 is considered unsafe and disabled by default starting with Firefox/Thunderbird 34.0
and SeaMonkey 2.31. Enable it only to access legacy websites not working with TLS 1.x, and only
as long as needed, keeping in mind that it's vulnerable to attacks.
I suspect that mozilla::pkix rejects the MD2 signature, and incorrectly prohibits it from being overridden.
sec_error_ca_cert_invalid
David, I would suggest that when filtering errors for cert overrides in SSLServerCertVerification, for this error and maybe other errors, check if the end-entity certificate is self-signed and, if so, translate the error to Result::ERROR_UNKNOWN_ISSUER and calculate the override bits on that error.

Comment 40 David Keeler [:keeler] (use needinfo?) 2014-10-06 13:33:17 PDT

I don't think that will fix the issue. My understanding is that the end-entity certificate is not self-signed, and the issuer is an x509v1 certificate that is not a trust anchor and does not have a basic constraints extension. Consequently, mozilla::pkix sees this as a case where we can't safely say that the x509v1 certificate may issue other certificates, and returns Result::ERROR_CA_CERT_INVALID.

Links

re-enable-sslv3-on-firefox - Mozilla Tracking - bypass-the-secure-connection-failed
Browser Poodle Test (sslv3)
Mozilla SSL Security Error Summary
security.use_mozillapkix_verification = false
David Keeler