FF33 and pfsense
-
Hi All,
I have just updated my FF to 33.0.1 and I can't access my pfsense (2.1.5) GUI. I have previously set security.use_mozillapkix_verification to false in about:config and I have checked and the setting is still there. I tried with Chrome and IE and they both can access the pfsense GUI.
Anyone have any issue?
Regards.
-
In theory what you did should be disabling the new certificate verification code that causes the slow (in your case very slow) access. You can also clean up the old cached certificates like this: https://forum.pfsense.org/index.php?topic=82828.msg458036#msg458036
-
You just updated to 33.0.1? .2 has been out over a week - why would you be not using it?
-
He doesn't say which OS. Perhaps his OS hasn't updated their repos yet. I'm still running 33.0 under Xubuntu. No issues there.
What did you update from?
Steve
-
FF took away the pkix toggle in FF 33, so it's a bigger issue now.
Vote up and yell at Mozilla on this ticket: https://bugzilla.mozilla.org/show_bug.cgi?id=1056341
But don't be that guy.
-
I am using Windows 7 Pro and now the auto-update on Firefox has updated the version to 33.0.3 and still I cannot open the pfSense web GUI.
I have gone to the Bugzilla and voted on this. Hope they can resolve this soon.
-
I am on Firefox 33.1 now. I have not seen any issue since I removed all the old "CompanyName" certificates. I have 6 of them again now, but it is not slow.
Maybe you have lots more of them?
The bug does describe an O(n!) algorithm that slows things down - so if you have 10, 15, 20 of those from connecting to lots of pfSense boxes then maybe it will slow down. How many do you have? Does cleaning them out and letting it start again help?
-
Here's how I handled it (before finding this thread).
While Firefox was hung loading an https page, I ran Process Monitor and found firefox.exe endlessly querying cert8.db.
I closed Firefox and renamed cert8.db. When I launched Firefox, it generated a new cert8.db and I can access the webUI again.
cert8.db is located at
%APPDATA%\Mozilla\Firefox\Profiles\%FIREFOX_PROFILE_DIR%\cert8.db
-
That will only work to let you into a small number of pfSense devices until it trips the bug again. Also it would forget any other HTTPS certificates that were manually marked as trusted.
That db can be managed from inside the settings on Firefox, though it's still a poor workaround for most of us.
If you're on 2.1.5, apply this patch: http://files.pfsense.org/jimp/patches/cert-unique.patch
Afterward, from the shell, run: pfSsh.php playback generateguicert
Then the GUI will use a certificate that Firefox won't choke on.
If you're on 2.2 already, run the command above from the shell. It's already present. Certs on fresh 2.2 installs are fine.
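-
A toy model of the O(n!) slowdown discussed in this thread, added here as an illustration and not taken from any post, from Firefox or from pfSense: it assumes a path builder that picks candidate issuers by name only, and counts the steps for a store of self-signed certificates that share one subject versus one where every subject is unique. The `Cert` tuple, the function names and the `O=CompanyName` / `CN=fw-N` names are constructed for the example.

```python
# Simplified model, NOT Firefox's code (assumption): the path builder picks
# candidate issuers by name only, never reuses a certificate within one path,
# and never reaches a trusted root, so it must exhaust every ordering.
from collections import Counter, namedtuple

# cert_id is a constructed identifier standing in for "a different key".
Cert = namedtuple("Cert", "subject issuer cert_id")


def count_issuer_attempts(leaf, store):
    """Number of candidate-issuer steps tried before the search gives up."""
    by_subject = {}
    for cert in store:
        by_subject.setdefault(cert.subject, []).append(cert)

    def extend(cert, used):
        tried = 0
        for cand in by_subject.get(cert.issuer, []):
            if cand.cert_id in used:
                continue  # already part of this candidate path
            tried += 1 + extend(cand, used | {cand.cert_id})
        return tried

    return extend(leaf, {leaf.cert_id})


def colliding_subjects(store):
    """Subjects shared by more than one self-signed certificate."""
    counts = Counter(c.subject for c in store if c.subject == c.issuer)
    return {name: n for name, n in counts.items() if n > 1}


def make_store(n, unique):
    """Constructed sample: n self-signed certs, one per visited firewall."""
    certs = []
    for i in range(n):
        name = f"O=CompanyName, CN=fw-{i}" if unique else "O=CompanyName"
        certs.append(Cert(subject=name, issuer=name, cert_id=i))
    return certs


if __name__ == "__main__":
    for n in (2, 4, 6, 8, 10):
        shared = make_store(n, unique=False)
        distinct = make_store(n, unique=True)
        print(n, count_issuer_attempts(shared[0], shared),
              count_issuer_attempts(distinct[0], distinct),
              colliding_subjects(shared))
```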