Closed Bug 1123671 Opened 5 years ago Closed 5 years ago

Clicking "Add Exception" for invalid certificates fail in both Nightly & Developer Edition

Categories

(Core :: Security: PSM, defect)

x86_64
Windows 7
defect
Not set

RESOLVED FIXED
mozilla38
Tracking Status
firefox38 --- fixed

People

(Reporter: flaki, Assigned: keeler)

Attachments

(2 files)

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20150119030222

Steps to reproduce:

Opening an intranet location over https, which has an invalid (self-signed) certificate, throws up the "This Connection is Untrusted" panel


Actual results:

Clicking the "Add Exception..." button fails, nothing happens.

Browser console logs:

NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISerializationHelper.deserializeObject]

12065 |  let sslStatus = serhelper.deserializeObject(sslStatusAsString);
in content/browser/browser.js, line 12065 (in "onAboutCertError")


Trying to manually load the site certificate in Options -> Advanced -> View Certificates -> Servers -> Add Exception... fails likewise, with browser console showing:

Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help http://xhr.spec.whatwg.org/ exceptionDialog.js:107:0

Attempted to connect to a site with a bad certificate in the add exception dialog. This results in a (mostly harmless) exception being thrown. Logged for information purposes only: [Exception... "Failure"  nsresult: "0x80004005 (NS_ERROR_FAILURE)"  location: "JS frame :: chrome://pippki/content/exceptionDialog.js :: checkCert :: line 109"  data: no]


Expected results:

Both methods should work and I should carry on with my browsing after adding a security exception.
Site I'm trying to access is already a saved exception.
Additional info - site works fine in stable.


The error message shown on the certificate error page:

An error occurred during a connection to szmozsanszkyi.pannon.monk.dmz.
Peer's Certificate issuer is not recognized.
(Error code: sec_error_unknown_issuer)

Tried saving the certificate in stable, then importing to Dev. Edition - makes seemingly no difference, still can't get it to work.
Does it work outside of e10s? (You've got e10s on, right?)
Flags: needinfo?(falconmaster)
I do have e10s enabled in latest Nightly (2015.01.21), but it doesn't make a difference if I open the URL in an e10s window or a non-e10s window.

Also, latest Dev. Edition (37.0a2, 2015-01-22 - which is non-e10s) exhibits the same buggy behavior.
Flags: needinfo?(falconmaster)
Can you attach the (public parts of) the certificate with this issue?
Component: Untriaged → Security: PSM
Flags: needinfo?(falconmaster)
Product: Firefox → Core
As per Chrome Certificate info, it's a self-signed "End Entity" certificate (sha1RSA, version V3) for "monk.dmz" with alternate DNS names monk.dmz, *.monk.dmz, *.*.monk.dmz ... etc.

Attached the certificate, as exported by Firefox 33 stable.
Flags: needinfo?(falconmaster)
David, do you know why this isn't working in 37 and up?
Flags: needinfo?(dkeeler)
As of bug 1107791, only wildcard DNSNames of the form *.example.com are accepted, not *.*.example.com or foo*.example.com. Unfortunately, our error handling results in a situation where internally the error is considered not overridable, but externally we show the overridable ui.
Flags: needinfo?(dkeeler)
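
The wildcard rule described in the comment above, as an added example that is not part of this bug thread and is not Firefox's implementation: it checks subjectAltName DNS entries against the stated rule so that affected certificates can be found and reissued. The function names, the input string layout and the sample names are assumptions made for illustration.

```javascript
// Added example, not Firefox or mozilla::pkix code. It encodes only the rule
// stated above: a wildcard is valid only as the entire leftmost label.

// Classify a single DNSName. Returns "ok" or a short rejection reason.
function classifyDnsName(name) {
  const labels = name.split(".");
  const wildcardLabels = labels.filter((label) => label.includes("*"));
  if (wildcardLabels.length === 0) {
    return "ok"; // plain host name, no wildcard to validate
  }
  if (labels[0] !== "*") {
    // covers foo*.example.com and a.*.example.com
    return "wildcard-not-whole-leftmost-label";
  }
  if (wildcardLabels.length > 1) {
    return "more-than-one-wildcard-label"; // *.*.example.com
  }
  if (labels.length < 2) {
    return "wildcard-without-domain"; // bare "*"
  }
  return "ok";
}

// Extract DNS entries from a subjectAltName string laid out as
// "DNS:a, DNS:b, IP Address:c" (assumed input format).
function dnsNamesFromSan(sanString) {
  return sanString
    .split(",")
    .map((entry) => entry.trim())
    .filter((entry) => entry.startsWith("DNS:"))
    .map((entry) => entry.slice("DNS:".length));
}

// Return the entries that the stricter wildcard rule would reject.
function rejectedDnsNames(sanString) {
  return dnsNamesFromSan(sanString)
    .map((name) => ({ name, reason: classifyDnsName(name) }))
    .filter((result) => result.reason !== "ok");
}

// Constructed sample modelled on the names listed in this report.
const SAMPLE_SAN =
  "DNS:monk.dmz, DNS:*.monk.dmz, DNS:*.*.monk.dmz, IP Address:192.0.2.10";

console.log(rejectedDnsNames(SAMPLE_SAN));
```
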
Attached patch: patch
Assignee: nobody → dkeeler
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #8563139 - Flags: review?(jjones)
Comment on attachment 8563139 [details] [diff] [review]
patch

Review of attachment 8563139 [details] [diff] [review]:
-----------------------------------------------------------------

Monica, if you could also have a look, that would be great.
Attachment #8563139 - Flags: review?(mmc)
Comment on attachment 8563139 [details] [diff] [review]
patch

Review of attachment 8563139 [details] [diff] [review]:
-----------------------------------------------------------------

::: security/manager/ssl/tests/unit/test_cert_overrides.js
@@ -229,5 @@
>    });
> -  add_connection_test(hostName, expectedResult, null,
> -                      function (securityInfo) {
> -                        securityInfo.QueryInterface(Ci.nsISSLStatusProvider);
> -                        // XXX(Bug 754369): SSLStatus isn't available for
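
Review bot: The removed add_connection_test call at -229 takes with it the XXX(Bug 754369) comment explaining that SSLStatus isn't available, and nothing in the visible lines shows where that case is still exercised. If the same check now lives in another test, keep the bug reference next to it and say in the commit message that this removal is de-duplication, so it does not read as dropped coverage for an open bug.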

Did you mean to remove these tests? It looks like bug 754369 is still open.
Attachment #8563139 - Flags: review?(mmc)
Comment on attachment 8563139 [details] [diff] [review]
patch

Review of attachment 8563139 [details] [diff] [review]:
-----------------------------------------------------------------

Nevermind, I see you are testing that case above.
Attachment #8563139 - Flags: review+
Comment on attachment 8563139 [details] [diff] [review]
patch

Review of attachment 8563139 [details] [diff] [review]:
-----------------------------------------------------------------

r=jcj

To be honest, I don't understand exactly how the tests fire, but I dug around the code that calls NSSErrorsService::GetErrorClass and am happy with the change. I'm glad Monica took a look too. :)
Attachment #8563139 - Flags: review?(jjones) → review+
(In reply to [:mmc] Monica Chew (please use needinfo) from comment #11)
> ::: security/manager/ssl/tests/unit/test_cert_overrides.js
> @@ -229,5 @@
> >    });
> > -  add_connection_test(hostName, expectedResult, null,
> > -                      function (securityInfo) {
> > -                        securityInfo.QueryInterface(Ci.nsISSLStatusProvider);
> > -                        // XXX(Bug 754369): SSLStatus isn't available for
> 
> Did you mean to remove these tests? It looks like bug 754369 is still open.

(In reply to [:mmc] Monica Chew (please use needinfo) from comment #12)
> Nevermind, I see you are testing that case above.

Right - I think there was a refactor that didn't include that code. The changes I made there are basically a bit of cleanup.
https://hg.mozilla.org/mozilla-central/rev/f1e0ee57dee0
Status: ASSIGNED → RESOLVED
Closed: 5 years ago
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
Duplicate of this bug: 1141033
Hi,
this is my first post here. I am using Firefox 36.0.1 on Win 7 and I have exactly the same problem (same behavior and same NS_ERROR_FAILURE in console) described by Istvan since this morning. Some Windows updates came today but I am not sure it is related. Is this really fixed?
(In reply to Petr Vanis from comment #19)
> Hi,
> this is my first post here. I am using Firefox 36.0.1 on Win 7 and I have
> exactly the same problem (same behavior and same NS_ERROR_FAILURE in console)
> described by Istvan since this morning. Some Windows updates came today but
> I am not sure it is related. Is this really fixed?

Yes, but only in a newer version (namely 38) of Firefox than the one you're using. Firefox 38 is currently available as "Firefox Developer Edition".
Duplicate of this bug: 1152003