Closed
Bug 1123671
Opened 11 years ago
Closed 10 years ago
Clicking "Add Exception" for invalid certificates fail in both Nightly & Developer Edition
Categories
(Core :: Security: PSM, defect)
RESOLVED
FIXED
mozilla38
| | Tracking | Status |
|---|---|---|
| firefox38 | --- | fixed |
People
(Reporter: flaki, Assigned: keeler)
Attachments
(2 files)
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:38.0) Gecko/20100101 Firefox/38.0
Build ID: 20150119030222
Steps to reproduce:
Opening an intranet location over https, which has an invalid (self-signed) certificate, throws up the "This Connection is Untrusted" panel
Actual results:
Clicking the "Add Exception..." button fails, nothing happens.
Browser console logs:
NS_ERROR_FAILURE: Component returned failure code: 0x80004005 (NS_ERROR_FAILURE) [nsISerializationHelper.deserializeObject]
12065 | let sslStatus = serhelper.deserializeObject(sslStatusAsString);
in content/browser/browser.js, line 12065 (in "onAboutCertError")
Trying to manually load the site certificate in Options -> Advanced -> View Certificates -> Servers -> Add Exception... fails likewise, with browser console showing:
Synchronous XMLHttpRequest on the main thread is deprecated because of its detrimental effects to the end user's experience. For more help http://xhr.spec.whatwg.org/ exceptionDialog.js:107:0
Attempted to connect to a site with a bad certificate in the add exception dialog. This results in a (mostly harmless) exception being thrown. Logged for information purposes only: [Exception... "Failure" nsresult: "0x80004005 (NS_ERROR_FAILURE)" location: "JS frame :: chrome://pippki/content/exceptionDialog.js :: checkCert :: line 109" data: no]
Expected results:
Both methods should work and I should carry on with my browsing after adding a security exception.
Reporter
Comment 1•11 years ago
Site I'm trying to access is already a saved exception.
Additional info - site works fine in stable.
The error message shown on the certificate error page:
An error occurred during a connection to szmozsanszkyi.pannon.monk.dmz.
Peer's Certificate issuer is not recognized.
(Error code: sec_error_unknown_issuer)
Tried saving the certificate in stable, then importing to Dev. Edition - makes seemingly no difference, still can't get it to work.
Comment 2•11 years ago
Does it work outside of e10s? (You've got e10s on, right?)
Flags: needinfo?(falconmaster)
Reporter
Comment 3•11 years ago
I do have e10s enabled in latest Nightly (2015.01.21), but it doesn't make a difference if I open the URL in an e10s window or a non-e10s window.
Also, latest Dev. Edition (37.0a2, 2015-01-22 - which is non-e10s) exhibits the same buggy behavior.
Flags: needinfo?(falconmaster)
Comment 4•11 years ago
Can you attach the (public parts of) the certificate with this issue?
Component: Untriaged → Security: PSM
Flags: needinfo?(falconmaster)
Product: Firefox → Core
Reporter
Comment 5•11 years ago
As per Chrome Certificate info, it's a self-signed "End Entity" certificate (sha1RSA, version V3) for "monk.dmz" with alternate DNS names monk.dmz, *.monk.dmz, *.*.monk.dmz ... etc.
Attached the certificate, as exported by Firefox 33 stable.
Flags: needinfo?(falconmaster)
Reporter
Comment 6•11 years ago
Comment 7•11 years ago
David, do you know why this isn't working in 37 and up?
Flags: needinfo?(dkeeler)
Assignee
Comment 8•11 years ago
As of bug 1107791, only wildcard DNSNames of the form *.example.com are accepted, not *.*.example.com or foo*.example.com. Unfortunately, our error handling results in a situation where internally the error is considered not overridable, but externally we show the overridable ui.
Flags: needinfo?(dkeeler)
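The wildcard rule described in comment 8, as an added example that is not Mozilla's code or part of the original thread. The hypothetical helpers `checkDnsName` and `findRejectedNames` model only the `*.example.com` form (treating empty labels as malformed is an assumption of the sketch) and run over the SAN names listed in comment 5 plus constructed samples.

```javascript
// Added illustration, not Mozilla code. Models only the rule from comment 8:
// a wildcard dNSName must have the form *.example.com.
function checkDnsName(name) {
  const labels = name.toLowerCase().split(".");
  // Assumption of this sketch: empty labels ("a..b", trailing dot) are malformed.
  if (labels.some((label) => label.length === 0)) {
    return { name, accepted: false, reason: "empty label" };
  }
  const wildcardLabels = labels.filter((label) => label.includes("*"));
  if (wildcardLabels.length === 0) {
    return { name, accepted: true, reason: "no wildcard" };
  }
  if (wildcardLabels.length > 1) {
    return { name, accepted: false, reason: "more than one wildcard label" };
  }
  if (!labels[0].includes("*")) {
    return { name, accepted: false, reason: "wildcard is not in the leftmost label" };
  }
  if (labels[0] !== "*") {
    return { name, accepted: false, reason: "wildcard is only part of the leftmost label" };
  }
  return { name, accepted: true, reason: "single leftmost wildcard label" };
}

// Return every SAN entry that does not fit the accepted form.
function findRejectedNames(sanDnsNames) {
  return sanDnsNames.map(checkDnsName).filter((result) => !result.accepted);
}

// SAN names as listed in comment 5.
const reportedSans = ["monk.dmz", "*.monk.dmz", "*.*.monk.dmz"];
// Constructed samples covering the other forms named in comment 8.
const constructedSans = ["*.example.com", "foo*.example.com", "www.*.example.com"];

for (const result of [...reportedSans, ...constructedSans].map(checkDnsName)) {
  console.log(`${result.accepted ? "accept" : "REJECT"}  ${result.name}  (${result.reason})`);
}
```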
Assignee
Comment 9•11 years ago
Assignee: nobody → dkeeler
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Attachment #8563139 -
Flags: review?(jjones)
Assignee
Comment 10•11 years ago
Comment on attachment 8563139 [details] [diff] [review]
patch
Review of attachment 8563139 [details] [diff] [review]:
-----------------------------------------------------------------
Monica, if you could also have a look, that would be great.
Attachment #8563139 -
Flags: review?(mmc)
Comment 11•11 years ago
Comment on attachment 8563139 [details] [diff] [review]
patch
Review of attachment 8563139 [details] [diff] [review]:
-----------------------------------------------------------------
::: security/manager/ssl/tests/unit/test_cert_overrides.js
@@ -229,5 @@
> });
> - add_connection_test(hostName, expectedResult, null,
> - function (securityInfo) {
> - securityInfo.QueryInterface(Ci.nsISSLStatusProvider);
> - // XXX(Bug 754369): SSLStatus isn't available for
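Review bot: the removed add_connection_test(hostName, expectedResult, null, ...) call at line 229 is the one carrying the XXX(Bug 754369) comment, so dropping it also drops the in-code pointer to that bug. If the case is covered elsewhere in test_cert_overrides.js, keep the bug reference on the surviving test and state in the commit message that this removal is cleanup rather than a change in coverage.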
Did you mean to remove these tests? It looks like bug 754369 is still open.
Attachment #8563139 -
Flags: review?(mmc)
Comment 12•11 years ago
Comment on attachment 8563139 [details] [diff] [review]
patch
Review of attachment 8563139 [details] [diff] [review]:
-----------------------------------------------------------------
Nevermind, I see you are testing that case above.
Attachment #8563139 -
Flags: review+
Comment 13•11 years ago
Comment on attachment 8563139 [details] [diff] [review]
patch
Review of attachment 8563139 [details] [diff] [review]:
-----------------------------------------------------------------
r=jcj
To be honest, I don't understand exactly how the tests fire, but I dug around the code that calls NSSErrorsService::GetErrorClass and am happy with the change. I'm glad Monica took a look too. :)
Attachment #8563139 -
Flags: review?(jjones) → review+
Assignee
Comment 14•11 years ago
(In reply to [:mmc] Monica Chew (please use needinfo) from comment #11)
> ::: security/manager/ssl/tests/unit/test_cert_overrides.js
> @@ -229,5 @@
> > });
> > - add_connection_test(hostName, expectedResult, null,
> > - function (securityInfo) {
> > - securityInfo.QueryInterface(Ci.nsISSLStatusProvider);
> > - // XXX(Bug 754369): SSLStatus isn't available for
>
> Did you mean to remove these tests? It looks like bug 754369 is still open.
(In reply to [:mmc] Monica Chew (please use needinfo) from comment #12)
> Nevermind, I see you are testing that case above.
Right - I think there was a refactor that didn't include that code. The changes I made there are basically a bit of cleanup.
Assignee
Comment 15•11 years ago
Thanks for the reviews!
Let's see how try goes: https://treeherder.mozilla.org/#/jobs?repo=try&revision=9a81d5c6db7f
Assignee
Comment 16•10 years ago
Comment 17•10 years ago
Status: ASSIGNED → RESOLVED
Closed: 10 years ago
status-firefox38:
--- → fixed
Flags: in-testsuite+
Resolution: --- → FIXED
Target Milestone: --- → mozilla38
Comment 19•10 years ago
Hi,
this is my first post here. I am using Firefox 36.0.1 on Win 7 and I have exactly the same problem (same behavior and same NS_ERROR_FAILURE in console) described by Istvan since this morning. Some Windows updates came today but I am not sure it is related. Is this really fixed?
Comment 20•10 years ago
(In reply to Petr Vanis from comment #19)
> Hi,
> this is my first post here. I am using firefox 36.0.1 on win 7 and I have
> exactly same problem(same behavior and same NS_ERROR_FAILURE in console)
> described by Istvan since today morning. Some windows updates came today but
> I am not sure it is related. Is this really fixed?
Yes, but only in a newer version (namely 38) of Firefox than the one you're using. Firefox 38 is currently available as "Firefox Developer Edition".