Closed
Bug 1240548
Opened 9 years ago
Closed 9 years ago
Firefox stalls after TLS handshake on self signed certificate with a missing contact email
Categories
(Core :: Security: PSM, defect)
RESOLVED
DUPLICATE
of bug 1056341
People
(Reporter: fanf42, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0
Build ID: 20160107040617

Steps to reproduce:

* create a site with apache + self-signed certificate without a contact email, for example with the command:

  openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$(hostname --fqdn)/" -keyout /opt/rudder/etc/ssl/rudder-webapp.key -out /opt/rudder/etc/ssl/rudder-webapp.crt -days 1460 -nodes -sha256

* try to connect to it with Chrome => OK
* try to connect to it with Firefox (most versions since at least v39) => stall with status bar displaying "Connected to IP...." and nothing else happening

A detailed description of the problem with Apache SSL logs, faulty and working certificates is available at: http://www.rudder-project.org/redmine/issues/7800

If you want more information, like a wireshark dump, a VM snapshot with the problem, or anything else, please ask.

The problem is extremely infuriating, not always reproducible (i.e. it does not work for 5 people at Normation, but it used to work for me for the same version of Firefox, and now I'm experiencing the problem... But we still have some people not having it!).

Actual results: I can't connect to my site :(

Expected results: I should be able to connect to my site.
Updated•9 years ago
Component: Networking → Security: PSM
Comment 1•9 years ago
The certificates in the linked bug report are all certificate authorities rather than end-entity certificates. It would be helpful to also see the end-entity certificates that the server is using (Firefox generally doesn't allow CAs to act as end-entities).
Flags: needinfo?(fanf42)
Hello David, thanks for your message.

These are the end-entity certificates that the server is using. They are self-signed, which is why they look like CA certificates, but they are the ones in use by the server in this bug report.

I.e., we have in our Apache vhost configuration:

SSLCertificateFile /opt/rudder/etc/ssl/rudder-webapp.crt
SSLCertificateKeyFile /opt/rudder/etc/ssl/rudder-webapp.key

with the linked certificate / key. (If needed, you can see the actual vhost config here: https://github.com/Normation/rudder/blob/master/rudder-web/src/main/resources/rudder-vhost-ssl.conf)

Hope it helps,
Flags: needinfo?(fanf42)
Comment 3•9 years ago
Oh, I bet this is bug 1056341. If you try with a new Firefox profile, does it work as expected?
Flags: needinfo?(fanf42)
Wow. Thanks David Keeler, creating a new empty profile (with firefox -P) actually allows me to connect to the site with the bad certificate.

So you're certainly right about this one being a duplicate, the symptoms are quite alike (self-signed certificate etc). Too bad the title of the bug didn't let me find it when I was searching for existing bugs before opening this one. And actually, I don't think anybody without a deep understanding of Mozilla internals would search for "mozilla::pkix" and "path", but rather for tags like "self-signed certificate", "hang / stall", etc.

All in all, thanks for the pointer.
Flags: needinfo?(fanf42)
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
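
The distinction Comment 1 draws between CA and end-entity certificates can be checked from the command line. The following is an added example, not part of the original bug report: it builds two self-signed certificates with a command like the reporter's (the host name webapp.example.test, the temporary files and the config sections ext_ca / ext_ee are constructed for illustration) and reports whether each asserts basicConstraints CA:TRUE.

```shell
#!/bin/sh
# Added example; host name, file names and config sections are constructed.

# Succeeds if the PEM certificate $1 asserts basicConstraints CA:TRUE.
cert_is_ca() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Succeeds if subject and issuer are the same name (self-issued).
cert_is_self_issued() {
    subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
    iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
    [ -n "$subj" ] && [ "$subj" = "$iss" ]
}

# Print "<origin> <kind>" for certificate $1, e.g. "self-issued CA".
classify() {
    kind=end-entity; cert_is_ca "$1" && kind=CA
    origin=issued-by-other; cert_is_self_issued "$1" && origin=self-issued
    echo "$origin $kind"
}

# Create a self-signed key/cert pair in dir $1 using extension section $2.
make_cert() {
    cat > "$1/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[ext_ca]
basicConstraints = critical,CA:TRUE
[ext_ee]
basicConstraints = critical,CA:FALSE
subjectAltName = DNS:webapp.example.test
EOF
    openssl req -new -x509 -newkey rsa:2048 -nodes -sha256 -days 1460 \
        -config "$1/req.cnf" -extensions "$2" -subj "/CN=webapp.example.test" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

tmp=$(mktemp -d)
for section in ext_ca ext_ee; do
    make_cert "$tmp" "$section" && echo "$section: $(classify "$tmp/$section.crt")"
done
rm -rf "$tmp"
```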