Closed
Bug 546023
Opened 14 years ago
Closed 11 years ago
ASSERTION: found EV root with unexpected SHA1 mismatch: 'sha1 == fingerprint'
Categories
(Core :: Security: PSM, defect)
Tracking
()
RESOLVED
FIXED
mozilla1.9.1
People
(Reporter: cbook, Assigned: KaiE)
References
()
Details
(Keywords: assertion, regression, Whiteboard: [crashkill-automation])
Steps to reproduce - 1.9.1 Mac Debug Build. Load a site like https://www.mozilla.com - triggers : ###!!! ASSERTION: found EV root with unexpected SHA1 mismatch: 'sha1 == fingerprint', file /work/mozilla/builds/1.9.1/mozilla/security/manager/ssl/src/nsIdentityChecking.cpp, line 846 Also seem at lot of times on other sites during the test automation runs
Flags: blocking1.9.0.19?
Comment 1•14 years ago
|
||
I don't know why we're even looking for EV roots on sites like www.mozilla.com, whose certs don't carry the EV extension. But I don't know if it's a problem that "sha1 != fingerprint" there.
Whiteboard: [crashkill-automation] → [crashkill-automation][sg:investigate]
Reporter | ||
Comment 2•14 years ago
|
||
stack from a windows build. It seems this assertion is also triggered when the Extension Manager/Update Manager checks for update (which is also done via https://) ###!!! ASSERTION: found EV root with unexpected SHA1 mismatch: 'sha1 == fingerpr int', file c:/work/mozilla/builds/1.9.1/mozilla/security/manager/ssl/src/nsIdent ityChecking.cpp, line 846 nspr4!PR_CallOnce+0x0000000000000038 (c:\work\mozilla\builds\1.9.1\mozilla\nsprp ub\pr\src\misc\prinit.c, line 805) xul!nsNSSComponent::EnsureIdentityInfoLoaded+0x0000000000000018 (c:\work\mozilla \builds\1.9.1\mozilla\security\manager\ssl\src\nsidentitychecking.cpp, line 1160 ) xul!nsNSSCertificate::hasValidEVOidTag+0x00000000000000CE (c:\work\mozilla\build s\1.9.1\mozilla\security\manager\ssl\src\nsidentitychecking.cpp, line 987) xul!nsNSSCertificate::getValidEVOidTag+0x000000000000004A (c:\work\mozilla\build s\1.9.1\mozilla\security\manager\ssl\src\nsidentitychecking.cpp, line 1100) xul!nsNSSCertificate::GetIsExtendedValidation+0x00000000000000B7 (c:\work\mozill a\builds\1.9.1\mozilla\security\manager\ssl\src\nsidentitychecking.cpp, line 112 6) xul!AuthCertificateCallback+0x000000000000012E (c:\work\mozilla\builds\1.9.1\moz illa\security\manager\ssl\src\nsnsscallbacks.cpp, line 987) ssl3!ssl3_HandleCertificate+0x00000000000003CA (c:\work\mozilla\builds\1.9.1\moz illa\security\nss\lib\ssl\ssl3con.c, line 7281) ssl3!ssl3_HandleHandshakeMessage+0x00000000000003DF (c:\work\mozilla\builds\1.9. 1\mozilla\security\nss\lib\ssl\ssl3con.c, line 7959) ssl3!ssl3_HandleHandshake+0x00000000000001C8 (c:\work\mozilla\builds\1.9.1\mozil la\security\nss\lib\ssl\ssl3con.c, line 8083) ssl3!ssl3_HandleRecord+0x00000000000005F8 (c:\work\mozilla\builds\1.9.1\mozilla\ security\nss\lib\ssl\ssl3con.c, line 8346) ssl3!ssl3_GatherCompleteHandshake+0x00000000000000BB (c:\work\mozilla\builds\1.9 .1\mozilla\security\nss\lib\ssl\ssl3gthr.c, line 206) ssl3!ssl_GatherRecord1stHandshake+0x000000000000007B (c:\work\mozilla\builds\1.9 .1\mozilla\security\nss\lib\ssl\sslcon.c, line 1258) ssl3!ssl_Do1stHandshake+0x000000000000021D (c:\work\mozilla\builds\1.9.1\mozilla \security\nss\lib\ssl\sslsecur.c, line 151) ssl3!ssl_SecureSend+0x00000000000001C5 (c:\work\mozilla\builds\1.9.1\mozilla\sec urity\nss\lib\ssl\sslsecur.c, line 1176) ssl3!ssl_SecureWrite+0x0000000000000016 (c:\work\mozilla\builds\1.9.1\mozilla\se curity\nss\lib\ssl\sslsecur.c, line 1221) ssl3!ssl_Write+0x00000000000000A3 (c:\work\mozilla\builds\1.9.1\mozilla\security \nss\lib\ssl\sslsock.c, line 1488) xul!nsSSLThread::Run+0x000000000000025D (c:\work\mozilla\builds\1.9.1\mozilla\se curity\manager\ssl\src\nssslthread.cpp, line 1043) xul!nsPSMBackgroundThread::nsThreadRunner+0x0000000000000016 (c:\work\mozilla\bu ilds\1.9.1\mozilla\security\manager\ssl\src\nspsmbackgroundthread.cpp, line 45) nspr4!_PR_NativeRunThread+0x00000000000000F7 (c:\work\mozilla\builds\1.9.1\mozil la\nsprpub\pr\src\threads\combined\pruthr.c, line 426) nspr4!pr_root+0x0000000000000023 (c:\work\mozilla\builds\1.9.1\mozilla\nsprpub\p r\src\md\windows\w95thred.c, line 122) MSVCR80D!beginthreadex+0x0000000000000221 MSVCR80D!beginthreadex+0x00000000000001C7 kernel32!GetModuleFileNameA+0x00000000000001BA
OS: Mac OS X → All
Assignee | ||
Comment 3•14 years ago
|
||
Not a security problem, simply a checksum mismatch, caused by landing the wrong patch into the stable branch, bug 499716, I'll comment there. I hope we aren't crashing, we shouldn't!
Comment 4•14 years ago
|
||
Since we shipped with bug 499716 let's fix it here as a regression. Kai: this isn't filed as a crash bug (though debug builds could crash if you use the fatal-assertion setting), but we are trying to eliminate assertions as part of the "crashkill" effort. New assertions, in particular, pop out in testing. Tomcat: are you seeing this in 1.9.0.18? Bug 499716 didn't land there afaik. Or was blocking1.9.0.19? supposed to be a 1.9.1 request?
Blocks: 499716
Group: core-security
blocking1.9.1: --- → ?
status1.9.1:
--- → wanted
No longer depends on: 499716
Keywords: regression
Whiteboard: [crashkill-automation][sg:investigate] → [crashkill-automation]
Reporter | ||
Comment 5•14 years ago
|
||
(In reply to comment #4) > Tomcat: are you seeing this in 1.9.0.18? Bug 499716 didn't land there afaik. Or > was blocking1.9.0.19? supposed to be a 1.9.1 request? oh sorry, yeah was confused by version numbers it seems :/ yeah was more a 1.9.1 request !
Flags: blocking1.9.0.19?
Comment 6•14 years ago
|
||
regression fix "wanted/needed" on 1.9.1 but not going to "block" on it.
blocking1.9.1: ? → needed
Comment 7•14 years ago
|
||
Need to backout http://hg.mozilla.org/releases/mozilla-1.9.1/rev/96aa722da7ab and check in attachment 401219 [details] [diff] [review] from bug 499716 (attachment 401121 [details] [diff] [review] checked in by mistake).
Assignee | ||
Comment 8•14 years ago
|
||
(In reply to comment #7) > Need to backout http://hg.mozilla.org/releases/mozilla-1.9.1/rev/96aa722da7ab Not all of that, just the first chunk that changed nsIdentityChecking.cpp
Assignee | ||
Comment 9•14 years ago
|
||
(In reply to comment #8) > (In reply to comment #7) > > Need to backout http://hg.mozilla.org/releases/mozilla-1.9.1/rev/96aa722da7ab > > Not all of that, just the first chunk that changed nsIdentityChecking.cpp In particular, this line: "61:57:3a:11:df:0e:d8:7e:d5:92:65:22:ea:d0:56:d7:44:b3:23:71", needs to be changed to have uppercase hex characters, that's all.
Updated•12 years ago
|
Summary: ###!!! ASSERTION: found EV root with unexpected SHA1 mismatch: 'sha1 == fingerprint' → ASSERTION: found EV root with unexpected SHA1 mismatch: 'sha1 == fingerprint'
Assignee | ||
Comment 10•12 years ago
|
||
reassign bug owner. mass-update-kaie-20120918
Assignee: kaie → nobody
Comment 11•11 years ago
|
||
Fixed as part of Bug 545755: https://hg.mozilla.org/releases/mozilla-1.9.1/diff/6cb32633cd1e/security/manager/ssl/src/nsIdentityChecking.cpp
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Updated•11 years ago
|
Assignee: nobody → kaie
Target Milestone: --- → mozilla1.9.1
You need to log in
before you can comment on or make changes to this bug.
Description
•