tags:

views:

4211

answers:

9
+4  Q: 

Is there a way to make Firefox ignore invalid ssl-certificates?

I am maintaining a few web applications. The development and qa environments use invalid/outdated ssl-certificates.

Although it is generally a good thing, that Firefox makes me click like a dozen times to accept the certificate, this is pretty annoying.

Is there a configuration-parameter to make Firefox (and possibly IE too) accept any ssl-certificate?

EDIT: I have accepted the solution, that worked. But thanks to all the people that have advised to use self-signed certificates. I am totally aware, that the accepted solution leaves me with a gaping security hole. Nonetheless I am to laze to change the certificate for all the applications and all the environments...

But I also advice anybody strongly to leave validation enabled!

+3  A: 

Instead of using invalid/outdated SSL certificates, why not use self-signed SSL certificates? Then you can add an exception in Firefox for just that site.

Forgotten Semicolon  2008-08-21 14:35:41
+4  A: 

The better thing to do would be to get a free SSL cert for your dev and QA servers, and configure the developer's boxen to accept that cert authority.

Greg Hurlman  2008-08-21 14:36:00
A: 

perhaps one of the security.warn options in about:config does what you are looking for.

sparkes  2008-08-21 14:36:31
+2  A: 

I just use self-signed certs for my test servers, and then FF3 allows you to add an exception.

Eric Haskins  2008-08-21 14:37:07
A: 

The MitM Me addon will do this - but I think self-signed certificates is probably a better solution.

palmsey  2008-08-21 14:37:26
+2  A: 

Using a free certificate is a better idea if your developers use Firefox 3. Firefox 3 complains loudly about self-signed certificates, and it is a major annoyance.

rudle  2008-08-21 14:37:31
+5  A: 

Go to Tools > Options > Advanced "Tab"(?) > Encryption Tab

Click the "Validation" button, and uncheck the checkbox for checking validity

Be advised though that this is pretty unsecure as it leaves you wide open to accept any invalid certificate. I'd only do this if using the browser on an Intranet where the validity of the cert isn't a concern to you, or you aren't concerned in general.

Dan Herbert  2008-08-21 14:37:43
I'm confused: I can't find that option on FF2 or FF3. There is only an option to switch the use of OCSP. In what version of FF did see what you describe?
sleske  2009-05-15 22:54:34
@sleske OCSP is how certificates are checked. Switching the use of this will turn on or off the check for certificates depending on what you prefer.
Dan Herbert  2009-05-16 01:02:19
This seems like a Very Bad Idea.
Greg Hurlman  2009-11-06 15:49:04
@Greg, I agree. I would definitely recommend your solution over mine as the correct practice.
Dan Herbert  2009-11-06 16:30:06
A: 

For a secure alternative, try the Perspectives Firefox add-on

 2008-09-16 10:59:22
+2  A: 

Try Add Exception: FireFox -> Tools -> Advanced -> View Certificates -> Servers -> Add Exception.

henryc2323  2010-01-11 16:53:02

related questions

Why is access denied when installing SSL cert on IIS 5?
What does a PHP developer need to know about https / secure socket layer connections?
Am I turning away customers by disabling SSL 2.0 and PCT 1.0 in IIS5?
Coding Dojo with IE and SSL
Enforce SSL in code in an ashx handler
How to connect to PostgreSQL from .NET using TLS with both client and server authentication?
HELP SSL GURUs!!! ... Problems with SSL Connection
What's a clean/simple way to ensure the security of a page?
How to specify accepted certificates for Client Authentication in .NET SslStream
SharePoint stream file for preview
Problem with Oracle Application Server SSL Certificates
Is there a limit with the number of SSL connections?
Testing HTTPS files with MAMP
Cheapest SSL certificates
Limiting traffic to SSL version of page only
How do I support SSL Client Certificate authentication?
Why can't I connect to my CAS server with Perl's AuthCAS?
How do I create a self signed SSL certificate to use while testing a web app.
Can a proxy server cache SSL GETs? If not, would response body encryption suffice?
HTTPS in IIS 5.1
How do you redirect HTTPS to HTTP?
Debugging: IE6 + SSL + AJAX + post form = 404 error
How do I add SSL to a .net application that uses httplistener - it will *not* be running on IIS
Options for Google Maps over SSL