OCSP requests are sent through proxy server without (required) authentication

UNCONFIRMED
Unassigned

Status

Core
Security: PSM
P3
normal
UNCONFIRMED
3 years ago
4 months ago

People

(Reporter: max, Unassigned)

Tracking

35 Branch
x86_64
Windows 7
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [psm-backlog])

(Reporter)

Description

3 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:35.0) Gecko/20100101 Firefox/35.0
Build ID: 20150122214805

Steps to reproduce:

I'm using a proxy server which requires HTTP Basic authentication for all requests.
Firefox is configured to always validate a certificate using OCSP.


Actual results:

When accessing an HTTPS site in Private Browsing mode, Firefox tries to send requests to the OCSP server through the proxy without authentication. This fails since the proxy server is responding with an HTTP/403 error which leads to a Firefox error page
"sec_error_ocsp_server_error".


Expected results:

Firefox should send those OCSP requests also with authentication like in "normal mode".
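
A local harness for the condition described above, added here as an example (it is not part of the original report and is not Firefox code). The stub proxy requires Basic credentials and answers 403 as the report describes; the credentials, the `ocsp.example.test` host, the placeholder request body and the `anonymous` parameter are assumptions made for illustration.

```python
import base64, http.client, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed credentials for the stub proxy (not taken from the bug report).
EXPECTED = "Basic " + base64.b64encode(b"user:secret").decode()

class AuthProxyStub(BaseHTTPRequestHandler):
    """Stands in for a proxy that rejects requests lacking Basic proxy credentials."""
    def do_POST(self):
        self.rfile.read(int(self.headers.get("Content-Length", 0)))  # drain the body
        authed = self.headers.get("Proxy-Authorization") == EXPECTED
        self.server.seen.append((self.path, authed))  # record what the proxy observed
        # The report says the proxy answers 403; many proxies answer 407 instead.
        self.send_response(200 if authed else 403)
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):  # keep the harness quiet
        pass

def start_proxy():
    srv = HTTPServer(("127.0.0.1", 0), AuthProxyStub)  # port 0: pick a free port
    srv.seen = []
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def ocsp_via_proxy(port, anonymous):
    """POST an OCSP-style request in proxy form (absolute URI in the request line).
    anonymous=True models a load that carries no credentials at all."""
    headers = {"Content-Type": "application/ocsp-request"}
    if not anonymous:
        headers["Proxy-Authorization"] = EXPECTED
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    # b"\x30\x00" is an empty DER SEQUENCE used as a placeholder, not a valid OCSP request.
    conn.request("POST", "http://ocsp.example.test/", body=b"\x30\x00", headers=headers)
    status = conn.getresponse().status
    conn.close()
    return status

def demo():
    srv = start_proxy()
    port = srv.server_address[1]
    try:
        return (ocsp_via_proxy(port, anonymous=False),
                ocsp_via_proxy(port, anonymous=True), list(srv.seen))
    finally:
        srv.shutdown()
        srv.server_close()

if __name__ == "__main__":
    print(demo())
```

The `seen` list shows from the proxy side which OCSP requests arrived with `Proxy-Authorization`, which is the observation needed to compare one client configuration against another.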
(Reporter)

Updated

3 years ago
Component: Untriaged → Private Browsing

Comment 1

3 years ago
This is an interesting problem. The OCSP fetch appears to be created in nsHttpDownloadEvent::Run (http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsNSSCallbacks.cpp#50), and there's nothing special about the channel. It doesn't appear to have any ties to the originating window, so I can't see how the behaviour in private windows would behave differently, yet obviously it does.

Comment 2

3 years ago
Figuring out what changes in the behaviour of http://mxr.mozilla.org/mozilla-central/source/netwerk/protocol/http/nsHttpChannelAuthProvider.cpp#158 between private and normal modes would be instructive.

Updated

3 years ago
Component: Private Browsing → Security: PSM
Product: Firefox → Core

Comment 3

This changeset illustrates what's going on, I think:

https://hg.mozilla.org/mozilla-central/rev/da6a55f4fdae

We don't want to send cookies, etc. with OCSP requests (they should be as anonymous as possible), so we set the LOAD_ANONYMOUS flag, but that also prevents proxy auth, it seems.

Comment 4

3 years ago
That doesn't explain why it works in non-private mode, though.
Whiteboard: [psm-backlog]

Comment 5

5 months ago
I have described a similar issue, but without "Private Browsing mode" involvement, in

https://bugzilla.mozilla.org/show_bug.cgi?id=1389783

Updated

5 months ago
See Also: → bug 1389783
Priority: -- → P3