Closed Bug 1276848 Opened 8 years ago Closed 5 years ago

Permalink to download firefox leads to a download link with a bad certificate

Categories

(Cloud Services :: Operations: Product Delivery, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: eloi, Unassigned)

References

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:46.0) Gecko/20100101 Firefox/46.0
Build ID: 20160502172042

Steps to reproduce:

Sorry, bug with the website more than with Firefox itself.

Trying to download latest versions of Firefox with the permalinks furnished in the README file http://releases.mozilla.org/pub/firefox/releases/latest/README.txt ; e.g. in my case the french version of the latest Firefox :
https://download.mozilla.org/?product=firefox-latest&os=win&lang=fr


Actual results:

The site redirects me to download the following file :
https://download.cdn.mozilla.net/pub/firefox/releases/46.0.1/win32/en-US/Firefox%20Setup%2046.0.1.exe
which seems to be the one I want. However, the connection is not secure because of a problem with the used SSL certificate. Downloading is blocked due to HSTS.

download.cdn.mozilla.net utilise un certificat de sécurité invalide. Le certificat n'est valide que pour les noms suivants : a248.e.akamai.net, *.akamaihd.net, *.akamaihd-staging.net, *.akamaized.net, *.akamaized-staging.net Code d'erreur : SSL_ERROR_BAD_CERT_DOMAIN


Expected results:

Download the setup executable.
Component: Untriaged → Installer
OS: Unspecified → All
Hardware: Unspecified → All
Version: 46 Branch → unspecified
Thanks for the report. Moving to (what I think is) a better component, so the right people see this.
Component: Installer → Operations: Product Delivery
Product: Firefox → Cloud Services
QA Contact: oremj
Do you have an addon installed that is forcing SSL? I get the following from 'https://download.mozilla.org/?product=firefox-latest&os=win&lang=fr'

➜  ~ curl -v 'https://download.mozilla.org/?product=firefox-latest&os=win&lang=fr'
*   Trying 52.10.91.46...
* Connected to download.mozilla.org (52.10.91.46) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* Server certificate: download.mozilla.org
* Server certificate: DigiCert Secure Server CA
* Server certificate: DigiCert Global Root CA
> GET /?product=firefox-latest&os=win&lang=fr HTTP/1.1
> Host: download.mozilla.org
> User-Agent: curl/7.43.0
> Accept: */*
> 
< HTTP/1.1 302 Found
< Cache-Control: max-age=60
< Content-Type: text/html; charset=utf-8
< Date: Tue, 31 May 2016 15:28:10 GMT
< Location: http://download.cdn.mozilla.net/pub/firefox/releases/46.0.1/win32/fr/Firefox%20Setup%2046.0.1.exe
< Content-Length: 120
< Connection: keep-alive
< 
<a href="http://download.cdn.mozilla.net/pub/firefox/releases/46.0.1/win32/fr/Firefox%20Setup%2046.0.1.exe">Found</a>.
See Also: → 1272909
See Also: → 1258123
You are absolutely right, NoScript is the problem here. I did not find those bugs when looking for precedents, my mistake.
The fix here (https://bugzilla.mozilla.org/show_bug.cgi?id=1272909#c11) works very well.

Cheers
Status: UNCONFIRMED → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.