Open Bug 1128278 Opened 9 years ago Updated 2 years ago

OCSP requests are sent through proxy server without (required) authentication

Categories

(Core :: Security: PSM, defect, P3)

35 Branch
x86_64
Windows 7
defect

UNCONFIRMED

People

(Reporter: max, Unassigned)

Details

(Whiteboard: [psm-backlog])

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Build ID: 20150122214805

Steps to reproduce:

I'm using a proxy server which requires HTTP Basic authentication for all requests.
Firefox is configured to always validate a certificate using OCSP.


Actual results:

When accessing an HTTPS site in Private Browsing mode, Firefox tries to send requests to the OCSP server through the proxy without authentication. This fails since the proxy server is responding with an HTTP/403 error, which leads to a Firefox error page "sec_error_ocsp_server_error".


Expected results:

Firefox should send those OCSP requests also with authentication like in "normal mode".
Component: Untriaged → Private Browsing
This is an interesting problem. The OCSP fetch appears to be created in nsHttpDownloadEvent::Run (http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsNSSCallbacks.cpp#50), and there's nothing special about the channel. It doesn't appear to have any ties to the originating window, so I can't see how the behaviour in private windows would behave differently, yet obviously it does.
Figuring out what changes in the behaviour of http://mxr.mozilla.org/mozilla-central/source/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp#158 between private and normal modes would be instructive.
Component: Private Browsing → Security: PSM
Product: Firefox → Core
This changeset illustrates what's going on, I think:

https://hg.mozilla.org/mozilla-central/rev/da6a55f4fdae

We don't want to send cookies, etc. with OCSP requests (they should be as anonymous as possible), so we set the LOAD_ANONYMOUS flag, but that also prevents proxy auth, it seems.
That doesn't explain why it works in non-private mode, though.
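
The interaction discussed in the comments above can be reproduced offline against a stand-in authenticating proxy. This is an added example, not code from Firefox or from anyone in this bug; `AuthProxy`, `anonymous_headers`, its `keep_proxy_auth` switch, the credentials and the OCSP URL are all hypothetical and only model the behaviour described. It shows that dropping proxy credentials along with cookies yields the reported 403, while keeping them lets the request through without the responder ever receiving them.

```python
import base64
import threading
from http.client import HTTPConnection
from http.server import BaseHTTPRequestHandler, HTTPServer

PROXY_CREDS = "Basic " + base64.b64encode(b"alice:s3cret").decode()  # constructed

class AuthProxy(BaseHTTPRequestHandler):
    """Stand-in proxy: answers 403 without valid Proxy-Authorization, as reported."""
    forwarded = []  # header sets this proxy would pass on to the OCSP responder

    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))
        ok = self.headers.get("Proxy-Authorization") == PROXY_CREDS
        if ok:  # the proxy consumes Proxy-Authorization; the responder never sees it
            AuthProxy.forwarded.append({k: v for k, v in self.headers.items()
                                        if k.lower() != "proxy-authorization"})
        self.send_response(200 if ok else 403)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # silence per-request logging
        pass

def anonymous_headers(keep_proxy_auth):
    """Hypothetical model of an anonymous load: no Cookie, optional proxy credentials."""
    headers = {"Content-Type": "application/ocsp-request"}
    if keep_proxy_auth:
        headers["Proxy-Authorization"] = PROXY_CREDS
    return headers

def fetch_status(server, headers):  # URL and body below are constructed placeholders
    conn = HTTPConnection(*server.server_address, timeout=5)
    conn.request("POST", "http://ocsp.example.test/", body=b"\x30\x00", headers=headers)
    status = conn.getresponse().status
    conn.close()
    return status

def run_demo():
    AuthProxy.forwarded.clear()
    with HTTPServer(("127.0.0.1", 0), AuthProxy) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        try:
            statuses = [fetch_status(server, anonymous_headers(k)) for k in (False, True)]
            return statuses, list(AuthProxy.forwarded)
        finally:
            server.shutdown()

if __name__ == "__main__":
    print(run_demo())
```

`run_demo()` returns the two status codes (without and with proxy credentials) followed by the header sets the stand-in proxy would have forwarded to the responder.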
I have described a similar issue, but without "Private Browsing mode" involvement, in

https://bugzilla.mozilla.org/show_bug.cgi?id=1389783
See Also: → 1389783
Severity: normal → S3