fixup! Bug 23247: Communicating security expectations for .onion

Bug 42334: Adapt our self-signed patch to Bug 1611381 Bug 1611381 introduced a few changes to catch more self-signed certificates. As a result, we risk of accepting some cases different than unknown issuer for .onion certificates, such as bad signature or invalid use for a certificate. It makes sense to still display an error for such cases, and to keep accepting only unknown issuers.

fixup! Bug 23247: Communicating security expectations for .onion
a98f84b7 · Pier Angelo Vendrame · 58b5b4ed · a98f84b7
Verified Commit a98f84b7 authored Dec 13, 2023 by Pier Angelo Vendrame
--- a/security/certverifier/CertVerifier.cpp
+++ b/security/certverifier/CertVerifier.cpp
@@ -865,12 +865,15 @@ Result CertVerifier::VerifySSLServerCert(
      // find other certificates with the same subject but different keys, and
      // the certificate is self-signed.
      if (StringEndsWith(hostname, ".onion"_ns)) {
-        // Self signed cert over onion is deemed secure, the hidden service
-        // provides authentication. We defer returning this error and keep
-        // processing to determine if there are other legitimate certificate
-        // errors (such as expired, wrong domain) that we would like to surface
-        // to the user
-        errOnionWithSelfSignedCert = true;
+        // Self signed cert over onion is deemed secure in some cases, as the
+        // onion service provides encryption.
+        // Firefox treats some errors as self-signed certificates and it allows
+        // to override them. For Onion services, we prefer being stricter, and
+        // we return the original errors.
+        // Moreover, we need also to determine if there are other legitimate
+        // certificate errors (such as expired, wrong domain) that we would like
+        // to surface to the user.
+        errOnionWithSelfSignedCert = rv == Result::ERROR_UNKNOWN_ISSUER;
      } else {
        return Result::ERROR_SELF_SIGNED_CERT;
      }