Firefox self-signed certificate

#1

I am using Mongoose 6.13 embedded server.

When trying to connect from a Chrome browser with self signed certificate I see the following SSL operations:

mg_if_accept_tcp_cb() → mg_ssl_if_handshake() → SSL_accept() → error 2 (SSL_ERROR_WANT_READ)

mg_recv_tcp() → mg_ssl_if_handshake() → SSL_accept() → error 1 (SSL_ERROR_SSL)

mg_destroy_conn() → mg_ssl_if_conn_free() → SSL_free()

After that, the browser shows the following message:

After adding the exception for the self-signed certificate, everything moves perfectly as expected.

If I try to execute exactly the same steps with Firefox, I see the following SSL operations:

mg_if_accept_tcp_cb() → mg_ssl_if_handshake() → SSL_accept() → error 2 (SSL_ERROR_WANT_READ)

mg_recv_tcp() → mg_ssl_if_handshake() → SSL_accept() → SUCCESS

mg_recv_tcp() → mg_ssl_if_read() → SSL_read() → 0

After that, the browser shows the following message:

After adding the exception for the self-signed certificate, the whole Mongoose web server stops working with any self-signed certificates for any browser.

If I keep trying FireFox, I get the following:

mg_if_accept_tcp_cb() → mg_ssl_if_handshake() → SSL_accept() → error 2 (SSL_ERROR_WANT_READ)

mg_recv_tcp() → mg_ssl_if_handshake() → SSL_accept() → SUCCESS

mg_recv_tcp() → mg_ssl_if_read() → SSL_read() → SUCCESS

“GET / HTTP/1.1\r\nHost: centos6x64:8443\r\nUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0\r\nAccept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0”…

mg_recv_tcp() → mg_ssl_if_read() → SSL_read() → error 1 (SSL_ERROR_SSL)

As the exception has already been added to the browser, this error doesn’t show the “untrusted site”, it simply fails.

From this point on, also any other browser, even the ones that has already the self-signed certificate added we are getting the following SSL errors:

mg_if_accept_tcp_cb() → mg_ssl_if_handshake() → SSL_accept() → error 2 (SSL_ERROR_WANT_READ)

mg_recv_tcp() → mg_ssl_if_handshake() → SSL_accept() → error 1 (SSL_ERROR_SSL)

As the exception has already been added to the browser, this error doesn’t show the “untrusted site”, it simply fails.

If I simply restart the Mongoose instance, everything is working perfect, because the exceptions are already added to the browser.

Looks like Mongoose doesn’t know how to deal with Firefox ERR_CERT_AUTHORITY_INVALID process of adding an exception for self-signed certificate?

#2

Not sure I understand the question.

#3

I think I found the problem. It looked to be in Mongoose initially but actually, I noticed that updating the OpenSSL version linked with Mongoose, solved the issue.

I was using “OpenSSL 1.0.1e-fips 11 Feb 2013” and in this case the web server got unresponsive while trying Firefox, but after updating to “OpenSSL 1.0.2k-fips 26 Jan 2017”, it is working fine.

I am sorry about that.

1 Like