Closed Bug 703024 Opened 13 years ago Closed 13 years ago

Back out bug 662996 (OCSP requests leak cookies) because of bug 701019

Categories

(Core :: Security: PSM, defect)

defect
Not set
major

Tracking

VERIFIED FIXED
mozilla9
Tracking Status
firefox8 --- affected
firefox9 + verified
firefox10 + verified
firefox11 + verified
status1.9.2 --- unaffected
status1.9.1 --- unaffected

People

(Reporter: briansmith, Assigned: mayhemer)

Details

(Keywords: privacy, verified-beta, Whiteboard: [qa!])

Attachments

(1 file)

+++ This bug was initially created as a clone of Bug #662996 +++

(In reply to Ruud van Melick from bug 701019 comment 0)
> Created attachment 573192 [details]
> Firefox 8 - HTTP headers captured with Live HTTP Headers add-on
> 
> Visit http://bankieren.rabobank.nl/klanten/
> This website uses an EV-certificate.
> 
> After upgrading Firefox to version 8 (previous version 7.0.1) the site
> identity button is blue instead of green.
> 
> If I enable this preference: advanced => encryption => validation => "When
> an OCSP server connection fails, treat the certificate as invalid", then I
> get this error message when visiting the website:
> sec_error_ocsp_bad_http_response
> 
> Looking at the HTTP headers, this seems related to the fact that the OCSP
> request is rejected by our proxy server due to lack of authentication. This
> does not happen when using Firefox 7.0.1 (not all computers have been
> upgraded to Firefox 8 yet).
OCSP doesn't work when the user is going through an authenticating HTTP proxy. Either we will silently ignore the OCSP failure (default behavior), or almost every HTTPS site will stop working for said user.
Do you have arguments why to back this out rather than fix the actual bug 701019?  I still miss it and therefore I'm strongly against.
1. We should do this as ridealone to any 8.0.2 release. I don't think we should land anything more complicated than the backout for 8.0.2.

2. Similarly, I don't think we should land a fix for 701019 on mozilla-beta, but we should fix the regression for mozilla-beta.

3. More generally, it isn't clear that we can just change what LOAD_ANONYMOUS means yet, I don't have time to think about that right now, but we should fix the regression ASAP on mozilla-central and mozilla-aurora.
(In reply to Brian Smith (:bsmith) from comment #1)
> OCSP doesn't work when the user is going through an authenticating HTTP
> proxy.

Brian, this really surprises me.
The whole motivation for the addition of the SSL thread was to support OCSP through proxies, and the last time I had tested that it used to work.

Why do you think it doesn't work? Have you tested it?

In particular, which is the oldest version where this regressed?
Thanks Brian.  Now I understand.  I had to take a look at the target milestone of bug 662996 first.

I agree now.  I'll have a patch for this soon.
Attached patch v1
Commenting out the code added in bug 662996.

Kai, the regression we are trying to quickly fix here is that an OCSP request cannot go with the LOAD_ANONYMOUS flag set through a proxy requiring authentication.  It causes blue larry for EV certs.  This regressed in Firefox 8 for which bug 662996 has landed.

This will be fully fixed in bug 701019 because there are also other issues caused by incorrect behavior of the LOAD_ANONYMOUS flag (as I see it).  That fix needs a security review first and is expected to be too risky for Aurora, Beta, Release.
Attachment #574972 - Flags: review?(kaie)
Attachment #574972 - Flags: review?(kaie) → review+
Attachment #574972 - Flags: approval-mozilla-beta?
Attachment #574972 - Flags: approval-mozilla-aurora?
Target Milestone: --- → mozilla11
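The two failure modes discussed in comment 1 and in the patch description above (an OCSP request that goes out with the user's cookies, or an anonymous one that an authenticating proxy answers with 407) can be checked for in a header capture of the kind attached to bug 701019. The following is an added example, not code from Mozilla or from this bug: it parses a constructed Live HTTP Headers-style capture and reports OCSP POSTs that carry Cookie/Authorization headers or that were rejected by the proxy. The function names, `SAMPLE_CAPTURE` and the `example.test` hosts are assumptions of mine.

```python
import re

SENSITIVE = ("cookie", "authorization")  # headers an anonymous OCSP request must not carry

# Constructed capture: an OCSP request leaking a cookie (pre-backout behaviour),
# an anonymous OCSP request rejected by an authenticating proxy, and a page load.
SAMPLE_CAPTURE = """\
http://ocsp.example.test/

POST / HTTP/1.1
Content-Type: application/ocsp-request
Cookie: session=abc123

HTTP/1.1 200 OK
----------------------------------------------------------
http://ocsp.example.test/

POST / HTTP/1.1
Content-Type: application/ocsp-request

HTTP/1.1 407 Proxy Authentication Required
----------------------------------------------------------
https://bank.example.test/klanten/

GET /klanten/ HTTP/1.1
Cookie: session=abc123

HTTP/1.1 200 OK
----------------------------------------------------------
"""

def _headers(lines):
    # Lower-cased header name -> value; lines without ':' are skipped.
    pairs = (line.partition(":") for line in lines)
    return {name.strip().lower(): value.strip() for name, sep, value in pairs if sep}

def parse_capture(text):
    """Yield (url, request_headers, response_status) for each '----'-delimited exchange."""
    for block in filter(str.strip, re.split(r"^-{10,}\s*$", text, flags=re.M)):
        url, req, resp = (block.strip() + "\n\n\n\n").split("\n\n", 2)
        status = int(resp.split()[1]) if resp.startswith("HTTP/") else None
        yield url.strip(), _headers(req.splitlines()[1:]), status

def audit_ocsp(text):
    """Flag OCSP POSTs that carry credentials, or that an authenticating proxy rejected (407)."""
    findings = []
    for url, hdrs, status in parse_capture(text):
        if hdrs.get("content-type", "").lower() != "application/ocsp-request":
            continue
        findings.append({"url": url, "leaked": [h for h in SENSITIVE if h in hdrs],
                         "proxy_rejected": status == 407})
    return findings
```

Running `audit_ocsp(SAMPLE_CAPTURE)` reports the first request as leaking a cookie and the second as proxy-rejected; the ordinary page load is ignored.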
Comment on attachment 574972 [details] [diff] [review]
v1

[Triage Comment]
For anybody just joining us, this is basically a full backout of bug 662996 (albeit by commenting out the change). Approving for Aurora/Beta, pending landing on m-c first.

Please land this ASAP to make it into today's build.
Attachment #574972 - Flags: approval-mozilla-beta?
Attachment #574972 - Flags: approval-mozilla-beta+
Attachment #574972 - Flags: approval-mozilla-aurora?
Attachment #574972 - Flags: approval-mozilla-aurora+
https://hg.mozilla.org/mozilla-central/rev/18f70e33e444
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Whiteboard: [qa+]
I have tried this with https://www.verisign.com on:

Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0 beta 6
Mozilla/5.0 (Windows NT 6.1; rv:9.0) Gecko/20100101 Firefox/9.0 beta 6
Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20100101 Firefox/9.0 beta 6

The secure connection notification appears.
Setting resolution to Verified Fixed on Beta.
Keywords: verified-beta
Whiteboard: [qa+] → [qa+][qa!:9]
I have tried this using the link from the description and the secure notification is present (green site's identity button).

I get no error with the pref activated: "When an OCSP server connection fails, treat the certificate as invalid". (it's deactivated by default)

Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0 beta 6
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0) Gecko/20100101 Firefox/10.0 beta 6
Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0 beta 6

Setting resolution to Verified Fixed.
Whiteboard: [qa+][qa!:9] → [qa+][qa!:9][qa!:10]
Marking as fixed for Firefox 11 since this landed while 11 was on m-c.
Setting this Verified Fixed on Firefox 11 beta on

Mozilla/5.0 (X11; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0 beta 3
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0) Gecko/20100101 Firefox/11.0 beta 3
Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0 beta 3

I've followed the steps from comment 11 and comment 12; the secure notification is present (green site's identity button) and also I get no error with the pref activated: "When an OCSP server connection fails, treat the certificate as invalid". (it's deactivated by default)
Status: RESOLVED → VERIFIED
Whiteboard: [qa+][qa!:9][qa!:10] → [qa!]
tracking-fennec: ? → ---