Closed Bug 1146314 Opened 9 years ago Closed 9 years ago

Test failure 'sec_error_expired_certificate != sec_error_unknown_issuer' in testSecurityNotification.js

Categories

(Mozilla QA Graveyard :: Mozmill Tests, defect, P1)

Product:
Mozilla QA Graveyard
Component:
Mozmill Tests
Type:
defect

Tracking

(firefox37 unaffected, firefox38 fixed, firefox39 fixed)

Status:
RESOLVED FIXED
Tracking Flags:
Tracking Status
firefox37 --- unaffected
firefox38 --- fixed
firefox39 --- fixed

People

(Reporter: whimboo, Assigned: whimboo)

References

(
URL
)

Details

(Keywords: regression, Whiteboard: [mozmill-test-failure])

Attachments

(4 files)

skip
1.01 KB, patch
Details | Diff | Splinter Review
Screenshot correct error code.png
44.17 KB, image/png
Details
Screenshot wrong error code.png
47.75 KB, image/png
Details
security_notification v1
2.48 KB, patch
chmanchester
: review+
Details | Diff | Splinter Review 
This test failure started to happen over the weekend and totally breaks our tests across Nightly, and Aurora so far. I haven't tested with beta and release yet.

ERROR | Test Failure | {
  "fail": {
    "message": "The error code is a SEC Expired certificate error - 'summitbook.mozilla.org uses an invalid security certificate.\n\nThe certificate is not trusted because the issuer certificate is unknown.\nThe server might not be sending the appropriate intermediate certificates.\nAn additional root certificate may need to be imported.\nThe certificate expired on 7/8/2011 5:41 AM. The current time is 3/22/2015 6:57 AM.\n\n(Error code: sec_error_unknown_issuer)\n' should contain 'sec_error_expired_certificate'", 
    "fileName": "file:///c:/jenkins/workspace/mozilla-central_remote/data/mozmill-tests/firefox/tests/remote/testSecurity/testSecurityNotification.js", 
    "name": "testSecNotification", 
    "lineNumber": 70
  }
Definitely a regression in our tests or in Firefox as started yesterday March 22nd.

Pushlog:
https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=b8e628af0b5c&tochange=82ae3b4e2215

It's worth investigating because it's our P1 test area for conversation to Marionette.

I will skip this test on default and aurora for now.
URL: http://mozmill-daily.blargon7.com/#/r...
Attached patch skipSplinter Review 

    
    

    
  
Skip patch landed:

https://hg.mozilla.org/qa/mozmill-tests/rev/2c26c90e52db (default)
https://hg.mozilla.org/qa/mozmill-tests/rev/b1d615a2c8b9 (aurora)
Assignee: nobody → hskupin
Status: NEW → ASSIGNED

          status-firefox37:
          --- → unaffected

          status-firefox38:
          --- → disabled

          status-firefox39:
          --- → disabled
Whiteboard: [mozmill-test-failure] → [mozmill-test-failure][mozmill-test-skipped]

    
    

    
  
As it looks like an expired certificate is no longer listed as such in the certificate exception page. Instead it is marked as unknown issuer. The change in behavior came in via this merge from m-i:

https://hg.mozilla.org/mozilla-central/pushloghtml?fromchange=2a404169de2d&tochange=f949be6cd23e

    
    

    
  
This is clearly a regression in NSPR and started with the version bump to 3.18 via bug 1137470.

https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=2da0cd9e724a&tochange=289fa2204f9f

I will attach two screenshots for pre and post behavior. I assume that Kai will be able to tell us if something unusual is happening here or if we have to update our test.
Blocks: 1137470
Flags: needinfo?(kaie)
Keywords: regressionwindow-wanted

    
    

    
  
Steps:

1. Take latest Nightly or Aurora
2. Open https://summitbook.mozilla.org/
3. Expand the "Technical Details" section

As you will notice the error code has been changed: the sec_error_expired_certificate => sec_error_unknown_issuer

Kaie, if that is a problem I will get a new bug filed for NSPR. Please let me know. Thanks.
Summary: Test failure 'The error code is a SEC Expired certificate error...' in testSecurityNotification.js → Test failure 'sec_error_expired_certificate != sec_error_unknown_issuer' in testSecurityNotification.js

    
    

    
  
Henrik, the change in behaviour is expected.

The upgrade to NSS included bug 986019. We removed an old Equifax root CA certificate from the NSS and Firefox trust store, because we are phasing out CA certificates that use a weaker key with only 1024 bit.

The server certificate used by summitbook.mozilla.org was issued by the CA that we removed.

Issuer: "OU=Equifax Secure Certificate Authority,O=Equifax,C=US"

Subject: "CN=summitbook.mozilla.org,O=Mozilla Corporation,L=Mountain View,ST=California,C=US,serialNumber=-csW8OPdwDOZBFy1pK2SKOEzx7o9IqlO"
Flags: needinfo?(kaie)

    
    

    
  
I see! Thanks a lot for this information Kai. As it looks like we are badly blocked on running this test until IT is able to give us a new expired certificate via bug 1106077. :(
Depends on: 1106077
Whiteboard: [mozmill-test-failure][mozmill-test-skipped] → [mozmill-test-failure][mozmill-test-skipped][blocked by bug 1106077]

    
    

    
  


  
Similar to the test for Marionette lets skip the code part which checks for the expired certificate only. Would be good to keep the other tests running.

        Attachment #8581680 -
        Flags: review?(cmanchester)

    
    

    
  
Comment on attachment 8581680 [details] [diff] [review]
security_notification v1

Review of attachment 8581680 [details] [diff] [review]:
-----------------------------------------------------------------

This patch trades one mode of skipping a test for another that skips less of the test. Is review for changes like these really necessary?

        Attachment #8581680 -
        Flags: review?(cmanchester) → review+

    
    

    
  
Maybe not. So in the future we should only ask for review if code changes are involved. But thanks for doing the review.

Landed the changes as:

https://hg.mozilla.org/qa/mozmill-tests/rev/b1589c37920a (default)
https://hg.mozilla.org/qa/mozmill-tests/rev/27944d3cca56 (aurora)

I will remove the skipped whiteboard entry given that only parts of the test are skipped now. The bug will stay open until we can make use of the code again.

Syd, maybe you will have to re-enable it once the dependent bug has been fixed.

          status-firefox38:
          disabledaffected

          status-firefox39:
          disabledaffected
Whiteboard: [mozmill-test-failure][mozmill-test-skipped][blocked by bug 1106077] → [mozmill-test-failure][blocked by bug 1106077]

    
  
Blocks: 1148182

    
  
Whiteboard: [mozmill-test-failure][blocked by bug 1106077] → [mozmill-test-failure]

    
  
Blocks: 1149405

    
    

    
  
Bug 1148182 finally fixed that issue.
No longer blocks: 1148182
Status: ASSIGNED → RESOLVED
Closed: 9 years ago

          status-firefox38:
          affectedfixed

          status-firefox39:
          affectedfixed
Depends on: 1148182
Resolution: --- → FIXED

    
  
Product: Mozilla QA → Mozilla QA Graveyard

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: