Closed
Bug 1005364
Opened 11 years ago
Closed 11 years ago
Nightly only: loading https://services.addons.mozilla.org returns sec_error_application_callback_error
Categories
(Core :: Security: PSM, defect)
Core
Security: PSM
Tracking
()
VERIFIED
FIXED
mozilla32
| Tracking | Status | |
|---|---|---|
| firefox32 | --- | verified |
People
(Reporter: edwong, Assigned: mmc)
References
Details
(Keywords: regression)
Attachments
(2 files, 1 obsolete file)
|
498.03 KB,
image/png
|
Details | |
|
2.88 KB,
patch
|
keeler
:
review+
|
Details | Diff | Splinter Review |
Screen Shot 2014-05-02 at 4.00.35 PM.png
doesn't happen on release or cert checks, but only when i'm on nightly. I don't have any self-signed certs on that browser
1. goto about:addons or https://services.addons.mozilla.org
result:
An error occurred during a connection to services.addons.mozilla.org. The certificate was rejected by extra checks in the application. (Error code: sec_error_application_callback_error)
|
Reporter | |
Comment 1•11 years ago
|
||
this looks like mac only. Reproduce on another mac but No repro on Windows Nightly
|
|
Reporter | |
Comment 2•11 years ago
|
||
disreguard comment #1 - user updated nightly on windows and now reproduces the sec_error_application_callback_error
moving to firefox as it's nightly specific
Assignee: server-ops-webops → nobody
Component: WebOps: SSL and Domain Names → General
Product: Infrastructure & Operations → Firefox
QA Contact: nmaul
Version: other → Trunk
|
||
Comment 3•11 years ago
|
||
This also breaks the "Get Add-ons" pane in the add-on manager.
Severity: normal → major
OS: Mac OS X → All
Hardware: x86 → All
|
|
||
Comment 4•11 years ago
|
||
Manually switching back to the old pkix verifier enabled by bug 915930 doesn't seem to help.
|
|
||
Comment 5•11 years ago
|
||
Keywords: regression
|
|
||
Comment 6•11 years ago
|
||
Caused by bug 744204. Backing out affd460bc3d7 fixes it for me.
|
Assignee | |
Comment 7•11 years ago
|
||
Camilo, looks like we are missing some Verisign certs in the mozilla pinset.
Flags: needinfo?(cviecco)
|
|
Assignee | |
Updated•11 years ago
|
Assignee: nobody → cviecco
|
|
Assignee | |
Comment 8•11 years ago
|
||
David, Camilo: I suggest we rollback include_subdomains=true on addons.mozilla.org for now, audit the certs from the CT database for mozilla properties, and try again. What do you think?
Flags: needinfo?(dkeeler)
|
||
Comment 9•11 years ago
|
||
No, we should fix by changeing the built-inlist. Patching sometime today...
Flags: needinfo?(cviecco)
|
|
||
Comment 10•11 years ago
|
||
Workaround: set (hidden)integer pref security.cert_pinning.enforcement_level to 0.
|
|
||
Comment 11•11 years ago
|
||
Made addons.mozilla.org be for the cdn pinning list not just the mozilla one.
|
|
||
Comment 12•11 years ago
|
||
Comment on attachment 8416963 [details] [diff] [review]
move-all-p1-to-cdn-mozilla
Review of attachment 8416963 [details] [diff] [review]:
-----------------------------------------------------------------
Something happended with my local repo (PreloadedHPKPins.json) is on the incorrect location, but this should do it.
Attachment #8416963 -
Flags: review?(dkeeler)
|
|
Assignee | |
Comment 13•11 years ago
|
||
Comment on attachment 8416963 [details] [diff] [review]
move-all-p1-to-cdn-mozilla
Review of attachment 8416963 [details] [diff] [review]:
-----------------------------------------------------------------
Looks like you need to sync, the preload file is in security/manager/tools. Also, did you test going to https://services.addons.mozilla.org with this change?
::: security/manager/boot/src/PreloadedHPKPins.json
@@ -93,5 @@
> ],
>
> "entries": [
> - { "name": "addons.mozilla.org", "include_subdomains": true, "pins": "mozilla" },
> - { "name": "addons.mozilla.net", "include_subdomains": true, "pins": "mozilla" },
Are we not going to use the mozilla pinset at all? If so, we should remove it from the list so no one uses it by accident in the future.
|
||
Comment 14•11 years ago
|
||
Comment on attachment 8416963 [details] [diff] [review]
move-all-p1-to-cdn-mozilla
Review of attachment 8416963 [details] [diff] [review]:
-----------------------------------------------------------------
Right now, we do not have a robust process by which we determine what Mozilla properties should be pinned by what key sets. This needs to be fixed before we can have confidence that changes we make to this preloaded data will be correct. Thus, I think the best approach is to disable pinning for now, develop a process to determine this data (which requires strong involvement from ops), and then turn it back on again.
Attachment #8416963 -
Flags: review?(dkeeler) → review-
|
|
||
Updated•11 years ago
|
Flags: needinfo?(dkeeler)
|
|
||
Comment 15•11 years ago
|
||
(In reply to David Keeler (:keeler) from comment #14)
> Comment on attachment 8416963 [details] [diff] [review]
> move-all-p1-to-cdn-mozilla
>
> Review of attachment 8416963 [details] [diff] [review]:
> -----------------------------------------------------------------
>
> Right now, we do not have a robust process by which we determine what
> Mozilla properties should be pinned by what key sets. This needs to be fixed
> before we can have confidence that changes we make to this preloaded data
> will be correct. Thus, I think the best approach is to disable pinning for
> now, develop a process to determine this data (which requires strong
> involvement from ops), and then turn it back on again.
Since we are so far away from the merge day I disagree. Yes we need a better process
to determine this list, but the reason why we discovered this issue is precisely because
the pin list is on (and the process issue a bug and forget failed). If you desire we
can go with Monica's idea of disabling subdomains for addons.mozilla.org, but I strongly oppose at disabling pinning.
With this in mind what are your thoughts?
Flags: needinfo?(dkeeler)
|
||
Comment 16•11 years ago
|
||
I agree with David that it is better to disable the pinning for mozilla.org until there's clear documentation and verification that the pins are correct and not DoSing importing services. Pinning is defense-in-depth and we've lived without it forever so disabling the pins for a few days more isn't likely to hurt anybody. DoSing services.addons.mozilla.org is a potentially-serious security issue since it seems to be the server used for addon (security) updates.
|
|
Assignee | |
Comment 17•11 years ago
|
||
(In reply to Brian Smith (:briansmith, was :bsmith; NEEDINFO? for response) from comment #16)
> I agree with David that it is better to disable the pinning for mozilla.org
Just for clarification for anyone reading along, pinning is not enabled for all of *.mozilla.org. The full list is at http://mxr.mozilla.org/mozilla-central/source/security/manager/tools/PreloadedHPKPins.json
"entries": [
96 { "name": "addons.mozilla.org", "include_subdomains": true, "pins": "mozilla" },
97 { "name": "addons.mozilla.net", "include_subdomains": true, "pins": "mozilla" },
98 { "name": "cdn.mozilla.net", "include_subdomains": true, "pins": "mozilla_cdn" },
99 { "name": "cdn.mozilla.org", "include_subdomains": true, "pins": "mozilla_cdn" },
100 { "name": "media.mozilla.com", "include_subdomains": true, "pins": "mozilla_cdn" },
101 { "name": "include-subdomains.pinning.example.com", "include_subdomains": true, "pins": "mozilla_test" },
102 { "name": "exclude-subdomains.pinning.example.com", "include_subdomains": false, "pins": "mozilla_test" }
> until there's clear documentation and verification that the pins are correct
> and not DoSing importing services. Pinning is defense-in-depth and we've
> lived without it forever so disabling the pins for a few days more isn't
> likely to hurt anybody. DoSing services.addons.mozilla.org is a
> potentially-serious security issue since it seems to be the server used for
> addon (security) updates.
Visiting addons.mozilla.org itself doesn't break with pinning on for me, and turning off include-subdomains lets us do an incremental rollout on important subdomains https://bugzilla.mozilla.org/show_bug.cgi?id=1005430. I agree with David we need to audit cert usage before turning on subdomains for anything: https://bugzilla.mozilla.org/show_bug.cgi?id=1005653
Either way, we need to push a fix today so people who update tomorrow are fixed.
|
|
Assignee | |
Comment 20•11 years ago
|
||
I found this cert in the CT database. This is not on any of the pinsets, so we need to disable until we understand what's going on. There are also some Digicerts CAs that we might need that aren't on the list.
CN:addons.mozilla.org
ISSUER:UTN-USERFirst-Hardware
DNS:addons.mozilla.org
DNS:www.addons.mozilla.org
CRL:http://crl.comodoca.com/UTN-USERFirst-Hardware.crl
CRL:http://crl.comodo.net/UTN-USERFirst-Hardware.crl
OCSP:http://ocsp.comodoca.com
-----BEGIN CERTIFICATE-----
MIIF+DCCBOCgAwIBAgIRAJI51TSPQNFpWnRUcOHyP0MwDQYJKoZIhvcNAQEFBQAw
gZcxCzAJBgNVBAYTAlVTMQswCQYDVQQIEwJVVDEXMBUGA1UEBxMOU2FsdCBMYWtl
IENpdHkxHjAcBgNVBAoTFVRoZSBVU0VSVFJVU1QgTmV0d29yazEhMB8GA1UECxMY
aHR0cDovL3d3dy51c2VydHJ1c3QuY29tMR8wHQYDVQQDExZVVE4tVVNFUkZpcnN0
LUhhcmR3YXJlMB4XDTExMDMxNTAwMDAwMFoXDTE0MDMxNDIzNTk1OVowgeIxCzAJ
BgNVBAYTAlVTMQ4wDAYDVQQREwUzODQ3NzEQMA4GA1UECBMHRmxvcmlkYTEQMA4G
A1UEBxMHRW5nbGlzaDEXMBUGA1UECRMOU2VhIFZpbGxhZ2UgMTAxFDASBgNVBAoT
C0dvb2dsZSBMdGQuMRMwEQYDVQQLEwpUZWNoIERlcHQuMSgwJgYDVQQLEx9Ib3N0
ZWQgYnkgR1RJIEdyb3VwIENvcnBvcmF0aW9uMRQwEgYDVQQLEwtQbGF0aW51bVNT
TDEbMBkGA1UEAxMSYWRkb25zLm1vemlsbGEub3JnMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAq8ZtNvMVc3iDc850hdWu7LLw4CQfE4O4IKy7mv6Iu6uh
HQsfRQCqSbc1Nwxq70dMudG+41cSBI2Sx7bsAby22seBOCCtcoXmDvyBbAetaHY4
xUTXzMZKxZc+ZPRR5vB+suxW9yWCTUmYyxaY3SPxiZHRF5dAmSbW4qIrXt+9ifIb
GlMtzFBBetA9KgxVcBQB6VhJEHoLk4KL4R7tOoAQgs6WijTwzNfTubRQh1VUCbid
QihVAOWMNVS/3SWRRrcN5V2DqOWL+4TkPK522sRDK1t0C/i+XWjxeFu1zn3xXZlA
2sruOIFQvpihbLgkrfOvjA/XESgshBhMfbXZjzC1GwIDAQABo4IB8DCCAewwHwYD
VR0jBBgwFoAUoXJfJhsomEOVXQc31YWWnUvSw0UwHQYDVR0OBBYEFN2A0lQ990xw
yqOw3TR6MuToO1o7MA4GA1UdDwEB/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1Ud
JQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjBGBgNVHSAEPzA9MDsGDCsGAQQBsjEB
AgEDBDArMCkGCCsGAQUFBwIBFh1odHRwczovL3NlY3VyZS5jb21vZG8uY29tL0NQ
UzB7BgNVHR8EdDByMDigNqA0hjJodHRwOi8vY3JsLmNvbW9kb2NhLmNvbS9VVE4t
VVNFUkZpcnN0LUhhcmR3YXJlLmNybDA2oDSgMoYwaHR0cDovL2NybC5jb21vZG8u
bmV0L1VUTi1VU0VSRmlyc3QtSGFyZHdhcmUuY3JsMHEGCCsGAQUFBwEBBGUwYzA7
BggrBgEFBQcwAoYvaHR0cDovL2NydC5jb21vZG9jYS5jb20vVVROQWRkVHJ1c3RT
ZXJ2ZXJDQS5jcnQwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmNvbW9kb2NhLmNv
bTA1BgNVHREELjAsghJhZGRvbnMubW96aWxsYS5vcmeCFnd3dy5hZGRvbnMubW96
aWxsYS5vcmcwDQYJKoZIhvcNAQEFBQADggEBADM7YxX8sewULJPddZTegVrZTpm+
+0qkOVVNoUB63hMqh6k3z+jV+63Re21vjCCHglTmV0m8ICiEzdYB2ZOLF24jZuWE
yIA/xqFwgOTsTR35/JFac2IpmvcgHGHgizmfyrx+jd282bHjn57fFVORIVIL2Roj
D2Y226yTlkqjpSLPKfeimaj2ttlArtl+tvZYLpusNspkj2VS3IacgqtuUEvaX/oF
AIgwDt6NVr+BR409BuKyYpJnj57ImrLlBrhwJLh3fCMKOMN5CNixUZ2slRHHQBee
oxyP8hGnaCfaSQWEGHxYLQFnXOWfoSm7SjlFL78Rqnmi7bTUtWVDt5NGitM=
-----END CERTIFICATE-----
|
|
Assignee | |
Comment 21•11 years ago
|
||
|
|
Assignee | |
Updated•11 years ago
|
Assignee: cviecco → mmc
Status: NEW → ASSIGNED
|
|
Assignee | |
Comment 22•11 years ago
|
||
Comment on attachment 8417052 [details] [diff] [review]
Disable pinning for all mozilla properties (
Review of attachment 8417052 [details] [diff] [review]:
-----------------------------------------------------------------
I'm leaving soon, so I may not be able to check in myself.
Attachment #8417052 -
Flags: review?(dkeeler)
|
|
||
Comment 23•11 years ago
|
||
Comment on attachment 8417052 [details] [diff] [review]
Disable pinning for all mozilla properties (
Review of attachment 8417052 [details] [diff] [review]:
-----------------------------------------------------------------
r=me. I don't have my private key on this machine, so I can't check this in either this weekend :/
I'll mark checkin-needed and hopefully a sheriff will get to it.
::: security/manager/tools/PreloadedHPKPins.json
@@ +93,5 @@
> ],
>
> "entries": [
> + // Disable until bug 1005653 is fixed.
> + // { "name": "addons.mozilla.org", "include_subdomains": true, "pins": "mozilla" },
I'm not sure there's much value in leaving these in commented-out, but since this is sufficient and time-sensitive, I think it's fine.
@@ +97,5 @@
> + // { "name": "addons.mozilla.org", "include_subdomains": true, "pins": "mozilla" },
> + // { "name": "addons.mozilla.net", "include_subdomains": true, "pins": "mozilla" },
> + // { "name": "cdn.mozilla.net", "include_subdomains": true, "pins": "mozilla_cdn" },
> + // { "name": "cdn.mozilla.org", "include_subdomains": true, "pins": "mozilla_cdn" },
> + //{ "name": "media.mozilla.com", "include_subdomains": true, "pins": "mozilla_cdn" },
nit: space after "//"
Attachment #8417052 -
Flags: review?(dkeeler) → review+
|
|
||
Updated•11 years ago
|
Attachment #8416963 -
Attachment is obsolete: true
Flags: needinfo?(dkeeler)
|
|
||
Updated•11 years ago
|
Keywords: checkin-needed
|
|
||
Comment 24•11 years ago
|
||
(In reply to [:mmc] Monica Chew (please use needinfo) from comment #20)
> I found this cert in the CT database. This is not on any of the pinsets, so
> we need to disable until we understand what's going on. There are also some
> Digicerts CAs that we might need that aren't on the list.
>
> CN:addons.mozilla.org
> ISSUER:UTN-USERFirst-Hardware
> DNS:addons.mozilla.org
> DNS:www.addons.mozilla.org
This one isn't legit, and we've already blacklisted it:
https://www.eff.org/deeplinks/2011/03/iranian-hackers-obtain-fraudulent-https
https://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
https://mxr.mozilla.org/mozilla-central/source/security/nss/lib/ckfw/builtins/certdata.txt#19970
|
||
Comment 25•11 years ago
|
||
Reproduced on 2011 Macbook Air on the latest version of Nightly (2014-05-04)
Screnshot here: http://i.imgur.com/YvS5PUY.png
Build info:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0) Gecko/20100101 Firefox/32.0
20140504030205
|
|
Assignee | |
Comment 26•11 years ago
|
||
|
|
Assignee | |
Updated•11 years ago
|
Keywords: checkin-needed
|
|
Assignee | |
Comment 29•11 years ago
|
||
https://hg.mozilla.org/mozilla-central/rev/e07b3f07953c
Hopefully it's not too late to make it into nightly for tomorrow's update.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
|
||
Comment 30•11 years ago
|
||
|
|
Assignee | |
Comment 31•11 years ago
|
||
This appears to be fixed in the 5/5 Nightly update.
|
||
Updated•11 years ago
|
Target Milestone: --- → mozilla32
|
||
Comment 32•10 years ago
|
||
Verified based on comment 31.
Status: RESOLVED → VERIFIED
status-firefox32:
--- → verified
|
||
Comment 33•10 years ago
|
||
Just upgraded to FF35.0.1 ubuntu 12.04 32bits and I get this issue. Unchecking "Query OCSP responder to check the validity of your certicates" allows me to show the about:addons's Catalog page.
Re-enabling the responder still allows the page to be shown... until FF restart, then it fails agin;
A look in about:config with OCSP shows keys:
security.OCSP.GET.enabled default bool false
security.OCSP.enabled default integer 1
security.OCSP.require user defined bool true
security.ssl.enable_ocsp_stapling default bool true
services.sync.prefs.sync.security.OCSP.enabled default bool true
services.sync.prefs.sync.security.OCSP.require default bool true
|
|
||
Comment 34•10 years ago
|
||
PS: I have SSL Version Control 0.4 installed
|
|
||
Comment 35•10 years ago
|
||
PS: same in Windows XP : sec_error_revoked_certificate
|
|
||
Comment 36•10 years ago
|
||
PS: I was redirected here by dup https://bugzilla.mozilla.org/show_bug.cgi?id=1005655
|
|
||
Comment 37•10 years ago
|
||
f0rhum, if you're using 35, you're encountering a different issue. Please file a new bug here: https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=Security%3A%20PSM
Thanks!
Flags: needinfo?(f0rhum)
|
|
||
Comment 38•10 years ago
|
||
Ok for me in ff36
You need to log in
before you can comment on or make changes to this bug.
Description
•