Closed Bug 546023 Opened 14 years ago Closed 11 years ago

ASSERTION: found EV root with unexpected SHA1 mismatch: 'sha1 == fingerprint'

Categories

(Core :: Security: PSM, defect)

1.9.1 Branch
x86
All
defect
Not set
normal

Tracking

RESOLVED FIXED
mozilla1.9.1
Tracking Status
blocking1.9.1 --- needed
status1.9.1 --- wanted

People

(Reporter: cbook, Assigned: KaiE)

Details

(Keywords: assertion, regression, Whiteboard: [crashkill-automation])

Steps to reproduce - 1.9.1 Mac Debug Build.

Load a site like https://www.mozilla.com - triggers :

###!!! ASSERTION: found EV root with unexpected SHA1 mismatch: 'sha1 == fingerprint', file /work/mozilla/builds/1.9.1/mozilla/security/manager/ssl/src/nsIdentityChecking.cpp, line 846

Also seen a lot of times on other sites during the test automation runs
Flags: blocking1.9.0.19?
I don't know why we're even looking for EV roots on sites like www.mozilla.com, whose certs don't carry the EV extension. But I don't know if it's a problem that "sha1 != fingerprint" there.
Whiteboard: [crashkill-automation] → [crashkill-automation][sg:investigate]
stack from a windows build.

It seems this assertion is also triggered when the Extension Manager/Update Manager checks for update (which is also done via https://)


###!!! ASSERTION: found EV root with unexpected SHA1 mismatch: 'sha1 == fingerprint', file c:/work/mozilla/builds/1.9.1/mozilla/security/manager/ssl/src/nsIdentityChecking.cpp, line 846
nspr4!PR_CallOnce+0x0000000000000038 (c:\work\mozilla\builds\1.9.1\mozilla\nsprpub\pr\src\misc\prinit.c, line 805)
xul!nsNSSComponent::EnsureIdentityInfoLoaded+0x0000000000000018 (c:\work\mozilla\builds\1.9.1\mozilla\security\manager\ssl\src\nsidentitychecking.cpp, line 1160)
xul!nsNSSCertificate::hasValidEVOidTag+0x00000000000000CE (c:\work\mozilla\builds\1.9.1\mozilla\security\manager\ssl\src\nsidentitychecking.cpp, line 987)
xul!nsNSSCertificate::getValidEVOidTag+0x000000000000004A (c:\work\mozilla\builds\1.9.1\mozilla\security\manager\ssl\src\nsidentitychecking.cpp, line 1100)
xul!nsNSSCertificate::GetIsExtendedValidation+0x00000000000000B7 (c:\work\mozilla\builds\1.9.1\mozilla\security\manager\ssl\src\nsidentitychecking.cpp, line 1126)
xul!AuthCertificateCallback+0x000000000000012E (c:\work\mozilla\builds\1.9.1\mozilla\security\manager\ssl\src\nsnsscallbacks.cpp, line 987)
ssl3!ssl3_HandleCertificate+0x00000000000003CA (c:\work\mozilla\builds\1.9.1\mozilla\security\nss\lib\ssl\ssl3con.c, line 7281)
ssl3!ssl3_HandleHandshakeMessage+0x00000000000003DF (c:\work\mozilla\builds\1.9.1\mozilla\security\nss\lib\ssl\ssl3con.c, line 7959)
ssl3!ssl3_HandleHandshake+0x00000000000001C8 (c:\work\mozilla\builds\1.9.1\mozilla\security\nss\lib\ssl\ssl3con.c, line 8083)
ssl3!ssl3_HandleRecord+0x00000000000005F8 (c:\work\mozilla\builds\1.9.1\mozilla\security\nss\lib\ssl\ssl3con.c, line 8346)
ssl3!ssl3_GatherCompleteHandshake+0x00000000000000BB (c:\work\mozilla\builds\1.9.1\mozilla\security\nss\lib\ssl\ssl3gthr.c, line 206)
ssl3!ssl_GatherRecord1stHandshake+0x000000000000007B (c:\work\mozilla\builds\1.9.1\mozilla\security\nss\lib\ssl\sslcon.c, line 1258)
ssl3!ssl_Do1stHandshake+0x000000000000021D (c:\work\mozilla\builds\1.9.1\mozilla\security\nss\lib\ssl\sslsecur.c, line 151)
ssl3!ssl_SecureSend+0x00000000000001C5 (c:\work\mozilla\builds\1.9.1\mozilla\security\nss\lib\ssl\sslsecur.c, line 1176)
ssl3!ssl_SecureWrite+0x0000000000000016 (c:\work\mozilla\builds\1.9.1\mozilla\security\nss\lib\ssl\sslsecur.c, line 1221)
ssl3!ssl_Write+0x00000000000000A3 (c:\work\mozilla\builds\1.9.1\mozilla\security\nss\lib\ssl\sslsock.c, line 1488)
xul!nsSSLThread::Run+0x000000000000025D (c:\work\mozilla\builds\1.9.1\mozilla\security\manager\ssl\src\nssslthread.cpp, line 1043)
xul!nsPSMBackgroundThread::nsThreadRunner+0x0000000000000016 (c:\work\mozilla\builds\1.9.1\mozilla\security\manager\ssl\src\nspsmbackgroundthread.cpp, line 45)
nspr4!_PR_NativeRunThread+0x00000000000000F7 (c:\work\mozilla\builds\1.9.1\mozilla\nsprpub\pr\src\threads\combined\pruthr.c, line 426)
nspr4!pr_root+0x0000000000000023 (c:\work\mozilla\builds\1.9.1\mozilla\nsprpub\pr\src\md\windows\w95thred.c, line 122)
MSVCR80D!beginthreadex+0x0000000000000221
MSVCR80D!beginthreadex+0x00000000000001C7
kernel32!GetModuleFileNameA+0x00000000000001BA
OS: Mac OS X → All
Not a security problem, simply a checksum mismatch, caused by landing the wrong patch into the stable branch, bug 499716, I'll comment there.

I hope we aren't crashing, we shouldn't!
Depends on: 499716
Since we shipped with bug 499716 let's fix it here as a regression.

Kai: this isn't filed as a crash bug (though debug builds could crash if you use the fatal-assertion setting), but we are trying to eliminate assertions as part of the "crashkill" effort. New assertions, in particular, pop out in testing.

Tomcat: are you seeing this in 1.9.0.18? Bug 499716 didn't land there afaik. Or was blocking1.9.0.19? supposed to be a 1.9.1 request?
Blocks: 499716
Group: core-security
blocking1.9.1: --- → ?
No longer depends on: 499716
Keywords: regression
Whiteboard: [crashkill-automation][sg:investigate] → [crashkill-automation]
(In reply to comment #4)

> Tomcat: are you seeing this in 1.9.0.18? Bug 499716 didn't land there afaik. Or
> was blocking1.9.0.19? supposed to be a 1.9.1 request?

oh sorry, yeah was confused by version numbers it seems :/ yeah was more a 1.9.1 request !
Flags: blocking1.9.0.19?
regression fix "wanted/needed" on 1.9.1 but not going to "block" on it.
blocking1.9.1: ? → needed
(In reply to comment #7)
> Need to backout http://hg.mozilla.org/releases/mozilla-1.9.1/rev/96aa722da7ab

Not all of that, just the first chunk that changed nsIdentityChecking.cpp
(In reply to comment #8)
> (In reply to comment #7)
> > Need to backout http://hg.mozilla.org/releases/mozilla-1.9.1/rev/96aa722da7ab
> 
> Not all of that, just the first chunk that changed nsIdentityChecking.cpp

In particular, this line:
    "61:57:3a:11:df:0e:d8:7e:d5:92:65:22:ea:d0:56:d7:44:b3:23:71",
needs to be changed to have uppercase hex characters,
that's all.
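
An added example, not part of the bug thread or of the PSM source: it shows why a lowercase table entry trips a text comparison of fingerprints, and a byte-level check that does not depend on hex case. It assumes the computed digest is rendered as uppercase, colon-separated hex before comparison (as the comment above implies); all function names are hypothetical.

```cpp
#include <array>
#include <cstdint>
#include <cstdio>
#include <string>

using Sha1Digest = std::array<uint8_t, 20>;

// Hypothetical helpers, not PSM/NSS APIs. Assumed rendering: uppercase hex, colon separated.
std::string hexify_upper(const Sha1Digest& d) {
    static const char kHex[] = "0123456789ABCDEF";
    std::string out;
    for (size_t i = 0; i < d.size(); ++i) {
        if (i) out += ':';
        out += kHex[d[i] >> 4];
        out += kHex[d[i] & 0x0F];
    }
    return out;
}

static int hex_val(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Parse "XX:XX:...:XX" (20 octets, either case); fails on bad length, separator or digit.
bool parse_fingerprint(const std::string& s, Sha1Digest& out) {
    if (s.size() != out.size() * 3 - 1) return false;
    for (size_t i = 0; i < out.size(); ++i) {
        int hi = hex_val(s[i * 3]), lo = hex_val(s[i * 3 + 1]);
        if (hi < 0 || lo < 0) return false;
        if (i + 1 < out.size() && s[i * 3 + 2] != ':') return false;
        out[i] = static_cast<uint8_t>((hi << 4) | lo);
    }
    return true;
}

// Table self-check that ignores hex case: compare digest bytes, not text.
bool fingerprint_matches(const std::string& stored, const Sha1Digest& computed) {
    Sha1Digest parsed{};
    return parse_fingerprint(stored, parsed) && parsed == computed;
}

int main() {
    // Table entry as quoted in the comment above (lowercase hex).
    const std::string entry = "61:57:3a:11:df:0e:d8:7e:d5:92:65:22:ea:d0:56:d7:44:b3:23:71";
    Sha1Digest digest{};
    parse_fingerprint(entry, digest);  // stands in for the SHA-1 computed from the root cert
    std::printf("text equal: %d, bytes equal: %d\n",
                hexify_upper(digest) == entry, fingerprint_matches(entry, digest));
}
```
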
Summary: ###!!! ASSERTION: found EV root with unexpected SHA1 mismatch: 'sha1 == fingerprint' → ASSERTION: found EV root with unexpected SHA1 mismatch: 'sha1 == fingerprint'
reassign bug owner.
mass-update-kaie-20120918
Assignee: kaie → nobody
Fixed as part of Bug 545755:
https://hg.mozilla.org/releases/mozilla-1.9.1/diff/6cb32633cd1e/security/manager/ssl/src/nsIdentityChecking.cpp
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Assignee: nobody → kaie
Target Milestone: --- → mozilla1.9.1