diff --git a/browser/actors/NetErrorChild.jsm b/browser/actors/NetErrorChild.jsm
index 8332b69c88c2..2c62918c84a4 100644
--- a/browser/actors/NetErrorChild.jsm
+++ b/browser/actors/NetErrorChild.jsm
@@ -39,8 +39,6 @@ const SEC_ERROR_UNKNOWN_ISSUER = SEC_ERROR_BASE + 13;
const SEC_ERROR_UNTRUSTED_ISSUER = SEC_ERROR_BASE + 20;
const SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE = SEC_ERROR_BASE + 30;
const SEC_ERROR_CA_CERT_INVALID = SEC_ERROR_BASE + 36;
-const SEC_ERROR_OCSP_FUTURE_RESPONSE = SEC_ERROR_BASE + 131;
-const SEC_ERROR_OCSP_OLD_RESPONSE = SEC_ERROR_BASE + 132;
const SEC_ERROR_REUSED_ISSUER_AND_SERIAL = SEC_ERROR_BASE + 138;
const SEC_ERROR_OCSP_INVALID_SIGNING_CERT = SEC_ERROR_BASE + 144;
const SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED = SEC_ERROR_BASE + 176;
@@ -160,7 +158,7 @@ class NetErrorChild extends ActorChild {
// This error code currently only exists for the Symantec distrust, we may need to adjust
// it to fit other distrusts later.
case MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED:
- msg1 += gPipNSSBundle.formatStringFromName("certErrorTrust_Symantec", [hostString], 1) + "\n";
+ msg1 += gPipNSSBundle.GetStringFromName("certErrorTrust_Symantec1") + "\n";
break;
default:
msg1 += gPipNSSBundle.GetStringFromName("certErrorTrust_Untrusted") + "\n";
@@ -178,7 +176,7 @@ class NetErrorChild extends ActorChild {
if (newErrorPagesEnabled) {
technicalInfo.textContent = "";
let brandName = gBrandBundle.GetStringFromName("brandShortName");
- msgPrefix = gPipNSSBundle.formatStringFromName("certErrorMismatchSinglePrefix2", [brandName, hostString], 2) + " ";
+ msgPrefix = gPipNSSBundle.formatStringFromName("certErrorMismatchSinglePrefix3", [brandName, hostString], 2) + " ";
msgPrefix += gPipNSSBundle.GetStringFromName("certErrorMismatchSinglePrefix");
} else {
msgPrefix = gPipNSSBundle.GetStringFromName("certErrorMismatchSinglePrefix");
@@ -252,7 +250,7 @@ class NetErrorChild extends ActorChild {
if (newErrorPagesEnabled) {
technicalInfo.textContent = "";
let brandName = gBrandBundle.GetStringFromName("brandShortName");
- msg = gPipNSSBundle.formatStringFromName("certErrorMismatchMultiple2", [brandName, hostString], 2) + " ";
+ msg = gPipNSSBundle.formatStringFromName("certErrorMismatchMultiple3", [brandName, hostString], 2) + " ";
} else {
msg = gPipNSSBundle.GetStringFromName("certErrorMismatchMultiple") + "\n";
}
@@ -269,7 +267,7 @@ class NetErrorChild extends ActorChild {
if (newErrorPagesEnabled) {
technicalInfo.textContent = "";
let brandName = gBrandBundle.GetStringFromName("brandShortName");
- msg = gPipNSSBundle.formatStringFromName("certErrorMismatch2", [brandName, hostString], 2) + " ";
+ msg = gPipNSSBundle.formatStringFromName("certErrorMismatch3", [brandName, hostString], 2) + " ";
} else {
msg = gPipNSSBundle.formatStringFromName("certErrorMismatch",
[hostString], 1);
@@ -398,7 +396,7 @@ class NetErrorChild extends ActorChild {
// without replicating the complex logic from certverifier code.
case MOZILLA_PKIX_ERROR_ADDITIONAL_POLICY_CONSTRAINT_FAILED:
let description = gPipNSSBundle.formatStringFromName(
- "certErrorSymantecDistrustDescription", [doc.location.hostname], 1);
+ "certErrorSymantecDistrustDescription1", [doc.location.hostname], 1);
let descriptionContainer = doc.getElementById("errorShortDescText2");
descriptionContainer.textContent = description;
@@ -421,8 +419,6 @@ class NetErrorChild extends ActorChild {
// and is not before the build date.
case SEC_ERROR_EXPIRED_CERTIFICATE:
case SEC_ERROR_EXPIRED_ISSUER_CERTIFICATE:
- case SEC_ERROR_OCSP_FUTURE_RESPONSE:
- case SEC_ERROR_OCSP_OLD_RESPONSE:
case MOZILLA_PKIX_ERROR_NOT_YET_VALID_CERTIFICATE:
case MOZILLA_PKIX_ERROR_NOT_YET_VALID_ISSUER_CERTIFICATE:
@@ -507,23 +503,39 @@ class NetErrorChild extends ActorChild {
let textContainer = doc.getElementById("text-container");
errorPageContainer.style.backgroundPosition = `left top calc(50vh - ${textContainer.clientHeight / 2}px)`;
} else {
- doc.getElementById("wrongSystemTime_systemDate2").textContent = systemDate;
- let errDesc = doc.getElementById("ed2_nssBadCert_SEC_ERROR_EXPIRED_CERTIFICATE");
- let sd = doc.getElementById("errorShortDescText2");
- if (sd) {
- // eslint-disable-next-line no-unsanitized/property
- sd.innerHTML = errDesc.innerHTML;
- }
- if (es) {
- // eslint-disable-next-line no-unsanitized/property
- es.innerHTML = errWhatToDo.innerHTML;
- }
- if (est) {
- // eslint-disable-next-line no-unsanitized/property
- est.textContent = errWhatToDoTitle.textContent;
- est.style.fontWeight = "bold";
- }
- updateContainerPosition();
+ doc.getElementById("wrongSystemTime_systemDate2").textContent = systemDate;
+
+ let errDesc = doc.getElementById("ed_nssBadCert_SEC_ERROR_EXPIRED_CERTIFICATE");
+ let sd = doc.getElementById("errorShortDescText");
+ // eslint-disable-next-line no-unsanitized/property
+ sd.innerHTML = errDesc.innerHTML;
+
+ let span = sd.querySelector(".hostname");
+ span.textContent = doc.location.hostname;
+
+ // The secondary description mentions expired certificates explicitly
+ // and should only be shown if the certificate has actually expired
+ // instead of being not yet valid.
+ if (msg.data.code == SEC_ERROR_EXPIRED_CERTIFICATE) {
+ let {cssClass} = this.getParams(doc);
+ let stsSuffix = cssClass == "badStsCert" ? "_sts" : "";
+ let errDesc2 = doc.getElementById(
+ `ed2_nssBadCert_SEC_ERROR_EXPIRED_CERTIFICATE${stsSuffix}`);
+ let sd2 = doc.getElementById("errorShortDescText2");
+ // eslint-disable-next-line no-unsanitized/property
+ sd2.innerHTML = errDesc2.innerHTML;
+ }
+
+ if (es) {
+ // eslint-disable-next-line no-unsanitized/property
+ es.innerHTML = errWhatToDo.innerHTML;
+ }
+ if (est) {
+ // eslint-disable-next-line no-unsanitized/property
+ est.textContent = errWhatToDoTitle.textContent;
+ est.style.fontWeight = "bold";
+ }
+ updateContainerPosition();
}
break;
}
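Review bot: The rewritten `else` branch dereferences `errDesc`, `sd`, `span`, `errDesc2` and `sd2` without the `if (sd)` guard the removed code had. If any of them is missing, for example the `ed2_nssBadCert_SEC_ERROR_EXPIRED_CERTIFICATE_sts` node or a `.hostname` span dropped from a localized description, the handler throws before the `es`/`est` updates and `updateContainerPosition()` run, leaving the certificate error page half-filled. Guarding each lookup, as sketched below, lets the remaining sections still render. Writing the hostname with `textContent` after the `innerHTML` copy is the right choice, because it keeps a URL-derived value out of the HTML parser; a short comment that the copied markup presumably comes only from the page's own localized elements would justify the `no-unsanitized` suppressions. The enclosing `case` and method begin outside this hunk.

```javascript
let errDesc = doc.getElementById("ed_nssBadCert_SEC_ERROR_EXPIRED_CERTIFICATE");
let sd = doc.getElementById("errorShortDescText");
if (sd && errDesc) {
  // eslint-disable-next-line no-unsanitized/property
  sd.innerHTML = errDesc.innerHTML;

  // A localized description may lack the placeholder span.
  let span = sd.querySelector(".hostname");
  if (span) {
    span.textContent = doc.location.hostname;
  }
}

if (msg.data.code == SEC_ERROR_EXPIRED_CERTIFICATE) {
  // … unchanged: cssClass / stsSuffix / errDesc2 lookup …
  let sd2 = doc.getElementById("errorShortDescText2");
  if (sd2 && errDesc2) {
    // eslint-disable-next-line no-unsanitized/property
    sd2.innerHTML = errDesc2.innerHTML;
  }
}
// … unchanged: es / est updates and updateContainerPosition() …
```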
diff --git a/browser/base/content/aboutNetError-new.xhtml b/browser/base/content/aboutNetError-new.xhtml
index ed526552ace7..dad22b59d017 100644
--- a/browser/base/content/aboutNetError-new.xhtml
+++ b/browser/base/content/aboutNetError-new.xhtml
@@ -94,6 +94,7 @@
&nssFailure2.longDesc2;
&certerror.introPara2;
&certerror.sts.introPara;
+ &certerror.expiredCert.introPara;
&cspBlocked.longDesc;
&remoteXUL.longDesc;
&corruptedContentErrorv2.longDesc;
@@ -103,7 +104,8 @@
&clockSkewError.longDesc;
-
&certerror.expiredCert.secondPara;
+
&certerror.expiredCert.secondPara2;
+
&certerror.expiredCert.sts.secondPara;
&certerror.whatCanYouDoAboutItTitle;
@@ -112,12 +114,9 @@
&certerror.unknownIssuer.whatCanYouDoAboutIt;
&certerror.expiredCert.whatCanYouDoAboutIt2;
&certerror.expiredCert.whatCanYouDoAboutIt2;
-
&certerror.expiredCert.whatCanYouDoAboutIt2;
-
&certerror.expiredCert.whatCanYouDoAboutIt2;
&certerror.expiredCert.whatCanYouDoAboutIt2;
&certerror.expiredCert.whatCanYouDoAboutIt2;
&certerror.badCertDomain.whatCanYouDoAboutIt;
-
&certerror.badCertDomain.whatCanYouDoAboutIt;
. If you visit this site, attackers could try to steal information like your passwords, emails, or credit card details.">
because this website requires a secure connection.">
-
+. The website is either misconfigured or your computer clock is set to the wrong time.">
+
+
@@ -232,7 +234,7 @@ certificate.">
-
+
, which prevents &brandShortName; from connecting securely. To visit , update your computer clock in your system settings to the current date, time, and time zone, and then refresh .">
diff --git a/browser/themes/shared/aboutNetError-new.css b/browser/themes/shared/aboutNetError-new.css
index e3853c504e19..48c8d7a98039 100644
--- a/browser/themes/shared/aboutNetError-new.css
+++ b/browser/themes/shared/aboutNetError-new.css
@@ -47,6 +47,10 @@ button:disabled {
cursor: pointer;
}
+#errorWhatToDoTitle {
+ margin-top: 2em;
+}
+
#prefChangeContainer {
display: none;
}
diff --git a/security/manager/locales/en-US/chrome/pipnss/pipnss.properties b/security/manager/locales/en-US/chrome/pipnss/pipnss.properties
index 9dd5a3174787..277842cf6756 100755
--- a/security/manager/locales/en-US/chrome/pipnss/pipnss.properties
+++ b/security/manager/locales/en-US/chrome/pipnss/pipnss.properties
@@ -287,18 +287,16 @@ certErrorTrust_SignatureAlgorithmDisabled=The certificate is not trusted because
certErrorTrust_ExpiredIssuer=The certificate is not trusted because the issuer certificate has expired.
certErrorTrust_Untrusted=The certificate does not come from a trusted source.
certErrorTrust_MitM=Your connection is being intercepted by a TLS proxy. Uninstall it if possible or configure your device to trust its root certificate.
-# LOCALIZATION NOTE (certErrorTrust_Symantec): %S is replaced by the domain for which the certificate is valid
-certErrorTrust_Symantec=The security certificate for %S is not trustworthy because the issuing organization failed to follow security practices. Certificates issued by Symantec, including the Thawte, GeoTrust, and RapidSSL brands, are not considered safe.
+certErrorTrust_Symantec1=Certificates issued by GeoTrust, RapidSSL, Symantec, Thawte, and VeriSign are no longer considered safe because these certificate authorities failed to follow security practices in the past.
certErrorMismatch=The certificate is not valid for the name %S.
-# LOCALIZATION NOTE (certErrorMismatch2, certErrorMismatchSinglePrefix2, certErrorMismatchMultiple2): %1$S is replaced by the brand name, %2$S is replaced by host name.
-certErrorMismatch2=Websites prove their identity via certificates. %1$S does not trust %2$S because it uses a certificate that is not valid for %2$S.
+# LOCALIZATION NOTE (certErrorMismatch3, certErrorMismatchSinglePrefix3, certErrorMismatchMultiple3): %1$S is replaced by the brand name, %2$S is replaced by host name.
+certErrorMismatch3=Websites prove their identity via certificates. %1$S does not trust this site because it uses a certificate that is not valid for %2$S.
# LOCALIZATION NOTE (certErrorMismatchSinglePrefix): %S is replaced by the domain for which the certificate is valid
certErrorMismatchSinglePrefix=The certificate is only valid for %S.
-# LOCALIZATION NOTE (certErrorMismatchSinglePrefix2): %3$S is replaced by the domain for which the certificate is valid
-certErrorMismatchSinglePrefix2=Websites prove their identity via certificates. %1$S does not trust %2$S because it uses a certificate that is not valid for %2$S.
+certErrorMismatchSinglePrefix3=Websites prove their identity via certificates. %1$S does not trust this site because it uses a certificate that is not valid for %2$S.
certErrorMismatchMultiple=The certificate is only valid for the following names:
-certErrorMismatchMultiple2=Websites prove their identity via certificates. %1$S does not trust %2$S because it uses a certificate that is not valid for %2$S. The certificate is only valid for the following names:
+certErrorMismatchMultiple3=Websites prove their identity via certificates. %1$S does not trust this site because it uses a certificate that is not valid for %2$S. The certificate is only valid for the following names:
# LOCALIZATION NOTE (certErrorExpiredNow): Do not translate %1$S (date+time of expired certificate) or %2$S (current date+time)
certErrorExpiredNow=The certificate expired on %1$S. The current time is %2$S.
@@ -308,8 +306,8 @@ certErrorExpiredNow2=Websites prove their identity via certificates, which are v
certErrorNotYetValidNow=The certificate will not be valid until %1$S. The current time is %2$S.
certErrorNotYetValidNow2=Websites prove their identity via certificates, which are valid for a set time period. The certificate for %S appears to be not yet valid.
-# LOCALIZATION NOTE (certErrorSymantecDistrustDescription): %S will be replaced by the domain for which the certificate is valid.
-certErrorSymantecDistrustDescription=Websites prove their identity via certificates, which are issued by certificate authorities. Most browsers will no longer trust Symantec, the certificate authority for %S.
+# LOCALIZATION NOTE (certErrorSymantecDistrustDescription1): %S will be replaced by the domain for which the certificate is valid.
+certErrorSymantecDistrustDescription1=Websites prove their identity via certificates, which are issued by certificate authorities. Most browsers no longer trust certificates issued by GeoTrust, RapidSSL, Symantec, Thawte, and VeriSign. %S uses a certificate from one of these authorities and so the website’s identity cannot be proven.
certErrorSymantecDistrustAdministrator=You may notify the website’s administrator about this problem.
# LOCALIZATION NOTE (certErrorCodePrefix3): %S is replaced by the error code.