Closed Bug 1289517 Opened 8 years ago Closed 8 years ago

Base case of Kinto OneCRL block no longer functioning

Product/Component: Core :: Security: PSM
Type: defect
Version: 50 Branch
Priority: Not set
Severity: critical
Status: RESOLVED WORKSFORME
Tracking Status: firefox50 --- affected
Reporter: mwobensmith
Assignee: Unassigned

Details

This worked as of last week, is suddenly non-functional today.

1. Create new profile.
2. Set services.settings.server to https://kinto.stage.mozaws.net/v1
3. Leave other settings the same w/r/t signing (off) and via.amo (false)
4. Force blocklist update.
5. Try these two sites, whose certs are on the blocklist:

https://www.dogfoodadvisor.com
https://www.cca.edu

Result:
First site is blocked, second is not

Expected:
Both sites blocked

Also, the cert for the second site does not appear in the local kinto.sqlite database or revocations.txt, although it is indeed on the blocklist staged via kinto.

issuer:
MEcxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMSAwHgYDVQQDExdSYXBpZFNTTCBTSEEyNTYgQ0EgLSBHMw==

serial:
AcSs

Staging URL here:
https://kinto.stage.mozaws.net/v1/buckets/staging/collections/certificates/records
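
Added example (not part of the original bug report or of Mozilla's code): a check that lists staged entries missing from the local store, comparing decoded issuer/serial bytes rather than base64 text and printing the issuer in readable form. The record shape (`data`, `issuerName`, `serialNumber`), the sample records and the local pair list are assumptions constructed for illustration.

```python
import base64
import json

# Issuer and serial exactly as quoted in the bug report above.
ISSUER_B64 = ("MEcxCzAJBgNVBAYTAlVTMRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMSAwHgYD"
              "VQQDExdSYXBpZFNTTCBTSEEyNTYgQ0EgLSBHMw==")
SERIAL_B64 = "AcSs"

# Constructed stand-in for the JSON body of the staging records URL (assumed shape).
SAMPLE_RECORDS = json.dumps({"data": [
    {"id": "constructed-1", "issuerName": ISSUER_B64, "serialNumber": SERIAL_B64},
    {"id": "constructed-2", "issuerName": ISSUER_B64, "serialNumber": "AQID"},
]})

def b64_bytes(value):
    """Decode base64, tolerating stripped padding, so textual variants compare equal."""
    return base64.b64decode(value + "=" * (-len(value) % 4))

def der_strings(der):
    """Walk DER and return the PrintableString/UTF8String values in order."""
    out, i = [], 0
    while i < len(der):
        tag, length, i = der[i], der[i + 1], i + 2
        if length & 0x80:  # long-form length: low 7 bits give the byte count
            n = length & 0x7F
            length, i = int.from_bytes(der[i:i + n], "big"), i + n
        body = der[i:i + length]
        if tag in (0x30, 0x31):        # SEQUENCE / SET: recurse into contents
            out += der_strings(body)
        elif tag in (0x0C, 0x13):      # UTF8String / PrintableString
            out.append(body.decode("utf-8"))
        i += length
    return out

def missing_locally(records_json, local_pairs):
    """Return server entries (issuer strings, serial hex) absent from the local set."""
    local = {(b64_bytes(i), b64_bytes(s)) for i, s in local_pairs}
    missing = []
    for rec in json.loads(records_json)["data"]:
        key = (b64_bytes(rec["issuerName"]), b64_bytes(rec["serialNumber"]))
        if key not in local:
            missing.append((der_strings(key[0]), key[1].hex()))
    return missing

if __name__ == "__main__":
    # Constructed local state: only the second entry made it to disk.
    for issuer, serial in missing_locally(SAMPLE_RECORDS, [(ISSUER_B64, "AQID")]):
        print("not on disk:", " / ".join(issuer), "serial 0x" + serial)
```
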
I saw this issue yesterday at the same time as you were experiencing it - but later, when I tried to reproduce the issue via a proxy and with a debugger, the problem had gone.

I've tried, for several hours (many, many repetitions), to reproduce this issue and I can't.

Did you remove and re-add that second entry at any point (e.g. via kinto admin)?

If you're able to reproduce this issue again, there are some steps you could take that would help diagnose the problem:
1) Test via a MITM proxy (e.g. ZAP or Charles - ZAP is really great for this sort of thing) and keep a log of the traffic. That way, when something fails, we can see what the browser was requesting and what the server returned.
2) Try to get the moz log info from the cert blocklist. You can do this by setting the NSPR_LOG_MODULES env. variable to CertBlock:5
3) Redirect standard out / standard error into a log file - that way, we can see signs of stuff throwing during sync

Let me know if you need any help with any of this.
Flags: needinfo?(mwobensmith)

(In reply to Mark Goodwin [:mgoodwin] from comment #1)
> I saw this issue yesterday at the same time as you were experiencing it -
> but later, when I tried to reproduce the issue via a proxy and with a
> debugger, the problem had gone.
> 
> I've tried, for several hours (many, many repetitions), to reproduce this
> issue and I can't.

Btw, these strongly suggest to me that the issue was either server or data related. Was there anything going on with kinto.stage.mozaws.net yesterday?
Flags: needinfo?(jschneider)
Flags: needinfo?(dmaher)

I did not change the blocklist in any way, between the time where it worked, it broke and then started to work again. I'd like to think it was server/data related. At the same time, the staged blocklist was correct AFAICT, and of the two entries I was testing, only one was reflected in the local files on disk.

I am trying to reproduce again myself, and will follow your steps to get more data should I encounter it.
Flags: needinfo?(mwobensmith)

We made no changes to that infra at all either, so there should have been no issues with the server.
Flags: needinfo?(jschneider)
Flags: needinfo?(dmaher)

Matt, do you have any updates here?
Flags: needinfo?(mwobensmith)

This issue mysteriously disappeared, but not before Mark saw it too in comment 1.

I'll mark it resolved for now.
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(mwobensmith)
Resolution: --- → WORKSFORME