Closed Bug 1240548 Opened 9 years ago Closed 9 years ago

Firefox stalls after TLS handshake on self signed certificate with a missing contact email

Categories

(Core :: Security: PSM, defect)

43 Branch
defect
Not set
normal


RESOLVED DUPLICATE of bug 1056341

People

(Reporter: fanf42, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:43.0) Gecko/20100101 Firefox/43.0
Build ID: 20160107040617

Steps to reproduce:

* create a site with apache + self-signed certificate without a contact email, for example with the command:

openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$(hostname --fqdn)/" -keyout /opt/rudder/etc/ssl/rudder-webapp.key -out /opt/rudder/etc/ssl/rudder-webapp.crt -days 1460 -nodes -sha256

* try to connect to it with Chrome => OK
* try to connect to it with Firefox (most versions since at least v39) => stalls, with the status bar displaying "Connected to IP...." and nothing else happening

A detailed description of the problem, with Apache SSL logs and the faulty and working certificates, is available at: http://www.rudder-project.org/redmine/issues/7800

If you want more information, like a wireshark dump, a VM snapshot with the problem, or anything else, please ask.

The problem is extremely infuriating, and not always reproducible (i.e. it does not work for 5 people at Normation, but it used to work for me with the same version of Firefox, and now I'm experiencing the problem... But we still have some people not having it!).

Actual results:

I can't connect to my site :(


Expected results:

I should be able to connect to my site.
Component: Untriaged → Networking
Product: Firefox → Core
Component: Networking → Security: PSM
The certificates in the linked bug report are all certificate authorities rather than end-entity certificates. It would be helpful to also see the end-entity certificates that the server is using (Firefox generally doesn't allow CAs to act as end-entities).
Flags: needinfo?(fanf42)
Hello David, thanks for your message.

These are the end-entity certificates that the server is using. They are self-signed, which is why they look like CA certificates, but they are the ones in use by the server in this bug report.

i.e., we have in our Apache vhost configuration:

  SSLCertificateFile      /opt/rudder/etc/ssl/rudder-webapp.crt
  SSLCertificateKeyFile   /opt/rudder/etc/ssl/rudder-webapp.key

With the linked certificate / key. 

(If needed, you can see the actual vhost config here: https://github.com/Normation/rudder/blob/master/rudder-web/src/main/resources/rudder-vhost-ssl.conf)

Hope it helps,
Flags: needinfo?(fanf42)
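The exchange above turns on a detail that is easy to miss: `openssl req -new -x509` with the stock openssl.cnf applies the `v3_ca` extension section, so the "self-signed" certificate carries basicConstraints CA:TRUE and is indistinguishable from a CA certificate, which is what David's comment refers to. The script below is an added example, not code from the bug report or from the Rudder project. It writes its own minimal OpenSSL config into a scratch directory (assumption: the `v3_ca_like` section mirrors what the stock `v3_ca` section produces), generates one certificate that way and one as a proper end-entity certificate (CA:FALSE, serverAuth), and then checks each certificate's basicConstraints and whether issuer equals subject. The CN `demo.example` and the file names are placeholders.

```shell
#!/bin/sh
# Added example: compare a "req -x509" style self-signed certificate (CA:TRUE,
# as produced with the stock openssl.cnf v3_ca section; assumption) with a
# self-signed end-entity certificate, and inspect the result with openssl x509.
set -eu

if ! command -v openssl >/dev/null 2>&1; then
  echo "openssl is required for this example" >&2
  exit 0
fi

# Scratch directory instead of the report's /opt/rudder/etc/ssl paths (assumption).
WORK="${WORK:-$(mktemp -d)}"

# Minimal config so the result does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder.example
[v3_ca_like]
# mirrors the stock openssl.cnf v3_ca section used by "req -x509" (assumption)
basicConstraints = critical, CA:TRUE
subjectKeyIdentifier = hash
[v3_ee]
# a self-signed certificate that is still an end-entity server certificate
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
EOF

# make_cert <basename> <extension-section>: self-signed cert with the given
# extensions, same key size / digest / lifetime as the report's command.
# Prints the path of the generated certificate.
make_cert() {
  openssl req -new -x509 -newkey rsa:2048 -subj "/CN=demo.example" \
    -config "$WORK/req.cnf" -extensions "$2" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -days 1460 -nodes -sha256 \
    >/dev/null 2>&1
  echo "$WORK/$1.crt"
}

# cert_is_ca <cert>: "yes" if basicConstraints says CA:TRUE, else "no".
cert_is_ca() {
  if openssl x509 -in "$1" -noout -text | grep -q 'CA:TRUE'; then
    echo yes
  else
    echo no
  fi
}

# cert_is_selfsigned <cert>: "yes" if issuer equals subject, else "no".
cert_is_selfsigned() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  if [ "${subj#subject=}" = "${iss#issuer=}" ]; then
    echo yes
  else
    echo no
  fi
}

# Stand-alone run: show how the two certificates differ.
ca_like=$(make_cert ca-like v3_ca_like)
end_entity=$(make_cert end-entity v3_ee)
for crt in "$ca_like" "$end_entity"; do
  echo "$(basename "$crt"): self-signed=$(cert_is_selfsigned "$crt") CA=$(cert_is_ca "$crt")"
done
```

Both certificates are self-signed, but only the first one claims to be a CA. When a self-signed server certificate is wanted, the `v3_ee` shape (CA:FALSE, serverAuth, and a subjectAltName for the real host name) is the one to generate; the CA-shaped certificate is what the report's command produces with the stock config.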
Oh, I bet this is bug 1056341. If you try with a new Firefox profile, does it work as expected?
Flags: needinfo?(fanf42)
Wow. Thanks David Keeler, creating a new empty profile (with firefox -P) actually allows me to connect to the site with the bad certificate.

So you're certainly right about this one being a duplicate, the symptoms are quite alike (self-signed certificate etc).

Too bad the title of the bug didn't let me find it when I was searching for existing bugs before opening this one. And actually, I don't think anybody without a deep understanding of Mozilla internals would search for "mozilla::pkix" and "path", but rather for tags like "self-signed certificate", "hang / stall", etc.

All in all, thanks for the pointer.
Flags: needinfo?(fanf42)
Status: UNCONFIRMED → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE