Closed
Bug 1300633
Opened 8 years ago
Closed 8 years ago
Users report Netflix stopped working after Firefox 48 as CDM won't get installed
Categories
(Core :: Audio/Video: Playback, defect, P1)
Tracking
()
RESOLVED
DUPLICATE
of bug 1309463
| Tracking | Status | |
|---|---|---|
| platform-rel | --- | + |
| firefox48 | --- | wontfix |
| firefox49 | + | wontfix |
| firefox50 | + | fix-optional |
| firefox51 | --- | fix-optional |
People
(Reporter: philipp, Unassigned)
References
Details
(Keywords: regression, Whiteboard: [platform-rel-Netflix])
we got quite a number of reports on sumo from users across platforms (win, os x) who are no longer able to play netflix videos after the firefox 48 update and get an infobar "Firefox is installing components needed to play audio or video, please try again later" instead, but the CDM module necessary for drm playback doesn't get applied.
|
Reporter | |
Comment 1•8 years ago
|
||
https://support.mozilla.org/en-US/questions/firefox?tagged=bug1300633&show=all
|
||
Updated•8 years ago
|
Component: General → Audio/Video
|
||
Comment 2•8 years ago
|
||
Thanks Ben.
Assignee: nobody → cpearce
Component: Audio/Video → Audio/Video: Playback
Priority: -- → P1
|
|
||
Comment 3•8 years ago
|
||
In this SUMO thread: https://support.mozilla.org/en-US/questions/1135638?page=2#answer-913745 We had a user who was able to post her GMPProvider log: Init: Loading set App1App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155 Init: Loaded set App1App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155 Init: Loading set Compose0App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155 Init: Loaded set Compose0App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155 Init: Loading set Compose0App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155 Init: Loading set Compose1App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155 Init: Loaded set Compose1App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155 Init: Loading set Compose2App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155 Init: Loading set SearchFiltersApp0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155 Init: Loaded set SearchFiltersApp0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155 Init: Loaded set Compose2App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155 Init: Loading set Compose3App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155 Init: Loaded set Compose3App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155 Init: Loading set Compose0App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155 Init: Loading set PeoplePaneApp0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155 Init: Loaded set PeoplePaneApp0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155 Init: Loading set Compose0App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155 Init: Loading set PeoplePaneApp0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155 Init: Loading set SearchFiltersApp0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155 Init: Loading set Compose0App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155 Init: Loading set PeoplePaneApp0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155 Init: Loading set Compose0App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155 Init: Loading set PeoplePaneApp0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155 Init: Loading set Compose0App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155 Init: Loading set PeoplePaneApp0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155 Init: Loading set Compose0App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155 Init: Loading set PeoplePaneApp0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155 Init: Loading set Compose0App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155 Init: Loading set PeoplePaneApp0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155 "Handler function threw an exception: TypeError: this.transport is null Stack: DSC_send@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/main.js:1391:5 NEA_addSecurityInfo@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/webconsole.js:2136:5 NetworkResponseListener.prototype._getSecurityInfo<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/webconsole/network-monitor.js:266:5 exports.makeInfallible/<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/ThreadSafeDevToolsUtils.js:101:14 NetworkResponseListener.prototype.onStartRequest@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/webconsole/network-monitor.js:215:5 Line: 1391, column: 5"ThreadSafeDevToolsUtils.js:80 JQMIGRATE: Logging is activecommon-min.80cc97d7f66d.js:6:5685 JQMIGRATE: jQuery.browser is deprecatedcommon-min.80cc97d7f66d.js:6:6026 console.trace():common-min.80cc97d7f66d.js:6 migrateWarn()common-min.80cc97d7f66d.js:6 migrateWarnProp/<.get()common-min.80cc97d7f66d.js:6 <anonymous>questions-min.c6e4a6ff3318.js:3 x.Callbacks/c()common-min.80cc97d7f66d.js:4 x.Callbacks/p.fireWith()common-min.80cc97d7f66d.js:4 .ready()common-min.80cc97d7f66d.js:3 q()common-min.80cc97d7f66d.js:3 JQMIGRATE: $(html) HTML strings must start with '<' charactercommon-min.80cc97d7f66d.js:6:6026 console.trace():common-min.80cc97d7f66d.js:6 migrateWarn()common-min.80cc97d7f66d.js:6 jQuery.fn.init()common-min.80cc97d7f66d.js:6 x()common-min.80cc97d7f66d.js:3 x.prototype.init()common-min.80cc97d7f66d.js:3 jQuery.fn.init()common-min.80cc97d7f66d.js:6 x()common-min.80cc97d7f66d.js:3 Marky.CannedResponsesButton.prototype<.getPermissionBits/<.success()questions-min.c6e4a6ff3318.js:1 x.Callbacks/c()common-min.80cc97d7f66d.js:4 x.Callbacks/p.fireWith()common-min.80cc97d7f66d.js:4 k()common-min.80cc97d7f66d.js:5 .send/r()common-min.80cc97d7f66d.js:5 "Handler function threw an exception: TypeError: this.transport is null Stack: DSC_send@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/main.js:1391:5 NEA_addSecurityInfo@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/webconsole.js:2136:5 NetworkResponseListener.prototype._getSecurityInfo<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/webconsole/network-monitor.js:266:5 exports.makeInfallible/<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/ThreadSafeDevToolsUtils.js:101:14 NetworkResponseListener.prototype.onStartRequest@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/webconsole/network-monitor.js:215:5 Line: 1391, column: 5"ThreadSafeDevToolsUtils.js:80 "The version of Tabzilla you are using is deprecated and will be removed in the future. Please update to the new static version here: https://github.com/mozilla/tabzilla/"tabzilla.js:612:17 MediaKeySystemAccess::GetKeySystemStatus(com.widevine.alpha, minVer=-1) result=cdm-not-installed version='' msg='CDM is not installed' 1473132512539 Toolkit.GMP TRACE GMPWrapper(gmp-eme-adobe) receiveMessage() data={"keySystem":"com.widevine.alpha","status":"cdm-not-installed"} 1473132512540 Toolkit.GMP TRACE GMPWrapper(gmp-widevinecdm) receiveMessage() data={"keySystem":"com.widevine.alpha","status":"cdm-not-installed"} 1473132512541 Toolkit.GMP TRACE GMPWrapper(gmp-eme-adobe) receiveMessage() data={"keySystem":"com.widevine.alpha","status":"cdm-not-installed"} 1473132512543 Toolkit.GMP TRACE GMPWrapper(gmp-widevinecdm) receiveMessage() data={"keySystem":"com.widevine.alpha","status":"cdm-not-installed"} 1473132512583 Toolkit.GMP INFO GMPInstallManager.simpleCheckAndInstall Last check was: 1473132513 seconds ago, minimum seconds: 86400 1473132512584 Toolkit.GMP INFO GMPInstallManager._getURL Using url: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml 1473132512585 Toolkit.GMP INFO GMPInstallManager._getURL Using url (with replacement): https://aus5.mozilla.org/update/3/GMP/48.0.2/20160823121617/WINNT_x86-msvc-x64/en-US/release/Windows_NT%2010.0.0.0%20(x64)/default/default/update.xml 1473132512589 Toolkit.GMP INFO GMPInstallManager.simpleCheckAndInstall Last check was: 1473132513 seconds ago, minimum seconds: 86400 1473132512590 Toolkit.GMP INFO GMPInstallManager._getURL Using url: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml 1473132512591 Toolkit.GMP INFO GMPInstallManager._getURL Using url (with replacement): https://aus5.mozilla.org/update/3/GMP/48.0.2/20160823121617/WINNT_x86-msvc-x64/en-US/release/Windows_NT%2010.0.0.0%20(x64)/default/default/update.xml TypeError: i.subscribe is not a function bk:39:7270 "Handler function threw an exception: TypeError: this.transport is null Stack: DSC_send@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/main.js:1391:5 NEA_addSecurityInfo@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/webconsole.js:2136:5 NetworkResponseListener.prototype._getSecurityInfo<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/webconsole/network-monitor.js:266:5 exports.makeInfallible/<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/ThreadSafeDevToolsUtils.js:101:14 NetworkResponseListener.prototype.onStartRequest@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/webconsole/network-monitor.js:215:5 Line: 1391, column: 5"ThreadSafeDevToolsUtils.js:80 TypeError: this.transport is nullmain.js:1391:5 Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://fls-na.amazon.com/1/action-impressions/1/OP/csm/action/csm-features:impression-tracking?requestId=E7DAFK5QVPG2Q47KZ96H&marketplaceId=ATVPDKIKX0DER&session=164-9077408-8303711&csm=1. (Reason: CORS header 'Access-Control-Allow-Origin' does not match '*').(unknown) no element found3.0:1:1 Expected certificate attribute 'issuerName' value incorrect, expected: 'CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', got: 'CN=VertoAnalyticsCA'. CertUtils.jsm:109 Expected certificate attribute 'issuerName' value incorrect, expected: 'CN=thawte SSL CA - G2,O="thawte, Inc.",C=US', got: 'CN=VertoAnalyticsCA'. CertUtils.jsm:109 Certificate checks failed. See previous errors for details. CertUtils.jsm:112 1473132514535 addons.productaddons ERROR Request failed certificate checks: [Exception... "Certificate checks failed. See previous errors for details." nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)" location: "JS frame :: resource://gre/modules/CertUtils.jsm :: validateCert :: line 113" data: no] Log.jsm:753 1473132514536 Toolkit.GMP ERROR GMPInstallManager.simpleCheckAndInstall Could not check for addons: [Exception... "Certificate checks failed. See previous errors for details." nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)" location: "JS frame :: resource://gre/modules/CertUtils.jsm :: validateCert :: line 113" data: no] Stack trace: validateCert()@resource://gre/modules/CertUtils.jsm:113 < checkCert()@resource://gre/modules/CertUtils.jsm:155 < downloadXML/</success()@resource://gre/modules/addons/ProductAddonChecker.jsm:121 Log.jsm:753 no element foundping:1:1 Expected certificate attribute 'issuerName' value incorrect, expected: 'CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', got: 'CN=VertoAnalyticsCA'. CertUtils.jsm:109 Expected certificate attribute 'issuerName' value incorrect, expected: 'CN=thawte SSL CA - G2,O="thawte, Inc.",C=US', got: 'CN=VertoAnalyticsCA'. CertUtils.jsm:109 Certificate checks failed. See previous errors for details. CertUtils.jsm:112 1473132514695 addons.productaddons ERROR Request failed certificate checks: [Exception... "Certificate checks failed. See previous errors for details." nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)" location: "JS frame :: resource://gre/modules/CertUtils.jsm :: validateCert :: line 113" data: no] Log.jsm:753 1473132514696 Toolkit.GMP ERROR GMPInstallManager.simpleCheckAndInstall Could not check for addons: [Exception... "Certificate checks failed. See previous errors for details." nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)" location: "JS frame :: resource://gre/modules/CertUtils.jsm :: validateCert :: line 113" data: no] Stack trace: validateCert()@resource://gre/modules/CertUtils.jsm:113 < checkCert()@resource://gre/modules/CertUtils.jsm:155 < downloadXML/</success()@resource://gre/modules/addons/ProductAddonChecker.jsm:121 Log.jsm:753 Expected certificate attribute 'issuerName' value incorrect, expected: 'CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', got: 'CN=VertoAnalyticsCA'. CertUtils.jsm:109 Expected certificate attribute 'issuerName' value incorrect, expected: 'CN=thawte SSL CA - G2,O="thawte, Inc.",C=US', got: 'CN=VertoAnalyticsCA'. CertUtils.jsm:109 Certificate checks failed. See previous errors for details. CertUtils.jsm:112 1473132514788 addons.productaddons ERROR Request failed certificate checks: [Exception... "Certificate checks failed. See previous errors for details." nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)" location: "JS frame :: resource://gre/modules/CertUtils.jsm :: validateCert :: line 113" data: no] Log.jsm:753 1473132514789 Toolkit.GMP ERROR GMPInstallManager.simpleCheckAndInstall Could not check for addons: [Exception... "Certificate checks failed. See previous errors for details." nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)" location: "JS frame :: resource://gre/modules/CertUtils.jsm :: validateCert :: line 113" data: no] Stack trace: validateCert()@resource://gre/modules/CertUtils.jsm:113 < checkCert()@resource://gre/modules/CertUtils.jsm:155 < downloadXML/</success()@resource://gre/modules/addons/ProductAddonChecker.jsm:121 Log.jsm:753 An unbalanced tree was written using document.write() causing data from the network to be reparsed. For more information https://developer.mozilla.org/en/Optimizing_Your_Pages_for_Speculative_Parsingsf-1.38_FX4._V280516968_.html:27 Use of getAttributeNode() is deprecated. Use getAttribute() instead.site-wide-7123153309._V1_.js:640:62 no element foundproperties:1:1 Expected certificate attribute 'issuerName' value incorrect, expected: 'CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', got: 'CN=VertoAnalyticsCA'. CertUtils.jsm:109 Expected certificate attribute 'issuerName' value incorrect, expected: 'CN=thawte SSL CA - G2,O="thawte, Inc.",C=US', got: 'CN=VertoAnalyticsCA'. CertUtils.jsm:109 Certificate checks failed. See previous errors for details. CertUtils.jsm:112 1473132520755 addons.productaddons ERROR Request failed certificate checks: [Exception... "Certificate checks failed. See previous errors for details." nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)" location: "JS frame :: resource://gre/modules/CertUtils.jsm :: validateCert :: line 113" data: no] Log.jsm:753 1473132520756 Toolkit.GMP ERROR GMPInstallManager.simpleCheckAndInstall Could not check for addons: [Exception... "Certificate checks failed. See previous errors for details." nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)" location: "JS frame :: resource://gre/modules/CertUtils.jsm :: validateCert :: line 113" data: no] Stack trace: validateCert()@resource://gre/modules/CertUtils.jsm:113 < checkCert()@resource://gre/modules/CertUtils.jsm:155 < downloadXML/</success()@resource://gre/modules/addons/ProductAddonChecker.jsm:121 Log.jsm:753 NS_ERROR_UNEXPECTED(unknown) Note the certificate errors. VertoAnalytics is intercepting the HTTPS request to download from aus5.mozilla.org. So the user's HTTPS traffic has been MITM.
The symptom of MITM (man-in-the-middle) attacks is that Widevine, Primetime and OpenH264 are all failing to download. OpenH264/Primetime have been available longer so could've been installed before a MITM.
|
|
Reporter | |
Comment 5•8 years ago
|
||
a fair number of security software (avast, bitdefender, eset, kaspersky) will man-in-the-middle all secure network traffic by default afaik.
|
||
Comment 6•8 years ago
|
||
Too late for 48, if we want to fix that in 49, a fix will need to arrive very soon.
|
||
Comment 7•8 years ago
|
||
For posterity, here's the part of the log that shows the MitM: Expected certificate attribute 'issuerName' value incorrect, expected: 'CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', got: 'CN=VertoAnalyticsCA'. CertUtils.jsm:109 Expected certificate attribute 'issuerName' value incorrect, expected: 'CN=thawte SSL CA - G2,O="thawte, Inc.",C=US', got: 'CN=VertoAnalyticsCA'. CertUtils.jsm:109 Certificate checks failed. See previous errors for details.
|
|
||
Comment 8•8 years ago
|
||
It's also worth noting that we stopped SSL pinning for Firefox updates, partly for this reason. If we were able to sign the payload for gecko media plugins we might be able to do the same for them.
|
||
Comment 9•8 years ago
|
||
It sounds like this is likely to be a widespread problem. To work around this problem in 49, do we need the solution (possibly in bug 1267495) to be hashed out before release? Or could this be in a dot release after 49 goes out?
tracking-firefox49:
--- → +
|
||
Comment 10•8 years ago
|
||
The OpenH264 downloads are signed, so pinning the update URL has less impact than it might. There is a downside in that if someone were to MITM redirect the download to an older copy that was signed but has been replaced, they could sneak a vulnerable version of the download into the system. It still runs in a sandbox (excluding Android for Openh264 at least)
|
|
||
Comment 11•8 years ago
|
||
(In reply to Randell Jesup [:jesup] from comment #10) > The OpenH264 downloads are signed, so pinning the update URL has less impact > than it might. There is a downside in that if someone were to MITM redirect > the download to an older copy that was signed but has been replaced, they > could sneak a vulnerable version of the download into the system. It still > runs in a sandbox (excluding Android for Openh264 at least) Unfortunately, I don't think we could remove pinning unless all plugins are signed. Downgrade attacks are something that can be protected against. IIRC, we refuse to install versions of Firefox that are older than the current version by comparing against the version in the MAR. This would be trickier for GMP plugins in situations where you don't have one yet...perhaps we'd need to embed the minimum allowed version into Firefox, and compare against that for new installs.
|
|
||
Comment 12•8 years ago
|
||
(In reply to Ben Hearsum (:bhearsum) from comment #11) > Unfortunately, I don't think we could remove pinning unless all plugins are > signed. /me boggles Can we get them signed? (with something we can check?) > Downgrade attacks are something that can be protected against. IIRC, we > refuse to install versions of Firefox that are older than the current > version by comparing against the version in the MAR. This would be trickier > for GMP plugins in situations where you don't have one yet...perhaps we'd > need to embed the minimum allowed version into Firefox, and compare against > that for new installs. It's also the case that we occasionally may need to downgrade OpenH264 (don't know about other GMP downloads) if an update turns out to cause problems in the field. I suppose we could "downgrade" by resigning it with a higher (fake) version number (annoying), with a higher non-visible number, or something that says "invalidates version X.Y"
|
|
||
Comment 13•8 years ago
|
||
(In reply to Randell Jesup [:jesup] from comment #12) > (In reply to Ben Hearsum (:bhearsum) from comment #11) > > Unfortunately, I don't think we could remove pinning unless all plugins are > > signed. > > /me boggles > > Can we get them signed? (with something we can check?) That might be more of a question for someone else. Last I checked, the only plugin we build ourselves is OpenH264. For the others, we'd probably want them signed by whomever is building them? We should probably spin this off into another bug. > > Downgrade attacks are something that can be protected against. IIRC, we > > refuse to install versions of Firefox that are older than the current > > version by comparing against the version in the MAR. This would be trickier > > for GMP plugins in situations where you don't have one yet...perhaps we'd > > need to embed the minimum allowed version into Firefox, and compare against > > that for new installs. > > It's also the case that we occasionally may need to downgrade OpenH264 > (don't know about other GMP downloads) if an update turns out to cause > problems in the field. I suppose we could "downgrade" by resigning it with > a higher (fake) version number (annoying), with a higher non-visible number, > or something that says "invalidates version X.Y" This is pretty much what we do for everything else. You can only go forward, which means if you discover a stop-ship issue, you halt all updates, spin a new version, and then ship that.
|
|
||
Comment 14•8 years ago
|
||
OK. As I'm understanding this, you all are discussing and working towards some possible solutions. But we don't gain anything from blocking 49 on this issue since we already have the issue in 48.
|
||
Updated•8 years ago
|
platform-rel: --- → ?
|
||
Updated•8 years ago
|
status-firefox51:
--- → affected
|
|
||
Comment 15•8 years ago
|
||
NI? bsmedberg for thoughts on: (In reply to Ben Hearsum (:bhearsum) from comment #13) > (In reply to Randell Jesup [:jesup] from comment #12) > > (In reply to Ben Hearsum (:bhearsum) from comment #11) > > > Unfortunately, I don't think we could remove pinning unless all plugins are > > > signed. > > > > /me boggles > > > > Can we get them signed? (with something we can check?) > > That might be more of a question for someone else. Last I checked, the only > plugin we build ourselves is OpenH264. For the others, we'd probably want > them signed by whomever is building them? We should probably spin this off > into another bug.
Flags: needinfo?(benjamin)
|
||
Comment 16•8 years ago
|
||
The requirements for code updates are that the software must be verified against a builtin certificate; updates must not rely solely on PKI infrastructure. There are many ways to do this: we can use builtin pins to our update servers, include a hash in that response, and validate the hash against the final dwonload location. Or we can build Adobe/Google/etc certificates into Firefox, those companies can sign their releases, and we validate their signature. Or we can use some other validated series of HTTPS pins, but that seems to be what we're trying to avoid here.
Flags: needinfo?(benjamin)
Tracked for Fx50. This seems important enough to get a fix on this one in Beta50.
tracking-firefox50:
--- → +
|
||
Updated•8 years ago
|
platform-rel: ? → +
|
||
Comment 18•8 years ago
|
||
Who's going to implement one of the suggestions from comment 16 (or something else)?
Flags: needinfo?(ajones)
|
||
Updated•8 years ago
|
Whiteboard: [platform-rel-Netflix]
This should be fixed by bug 1267495 but unfortunately isn't yet.
Flags: needinfo?(ajones)
|
|
||
Comment 20•8 years ago
|
||
Looks like followup to bug 1267495 is happening in bug 1309463. I imagine we can probably dupe this to either of those bugs but I'm not sure which one.
|
|
||
Comment 22•8 years ago
|
||
Changing owner to Dale. Note, this bug is tracking Firefox-50.
Assignee: cpearce → dale
|
||
Comment 23•8 years ago
|
||
As 1309463 is the followup it seems sensible to dupe it to that, this should be fixed now and has been in my testing
Status: NEW → RESOLVED
Closed: 8 years ago
Flags: needinfo?(dale)
Resolution: --- → DUPLICATE
|
||
Comment 24•8 years ago
|
||
Dale, in comment #3 the log shows that the certificate was rejected. Bug 1309463 doesn't fix that issue which this bug is about. Expected certificate attribute 'issuerName' value incorrect, expected: 'CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', got: 'CN=VertoAnalyticsCA'. CertUtils.jsm:109 Expected certificate attribute 'issuerName' value incorrect, expected: 'CN=thawte SSL CA - G2,O="thawte, Inc.",C=US', got: 'CN=VertoAnalyticsCA'. CertUtils.jsm:109 Certificate checks failed. See previous errors for details. CertUtils.jsm:112 1473132520755 addons.productaddons ERROR Request failed certificate checks: [Exception... "Certificate checks failed. See previous errors for details." nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)" location: "JS frame :: resource://gre/modules/CertUtils.jsm :: validateCert :: line 113" data: no] Log.jsm:753 1473132520756 Toolkit.GMP ERROR GMPInstallManager.simpleCheckAndInstall Could not check for addons: [Exception... "Certificate checks failed. See previous errors for details." nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)" location: "JS frame :: resource://gre/modules/CertUtils.jsm :: validateCert :: line 113" data: no] Stack trace: validateCert()@resource://gre/modules/CertUtils.jsm:113 < checkCert()@resource://gre/modules/CertUtils.jsm:155 < downloadXML/</success()@resource://gre/modules/addons/ProductAddonChecker.jsm:121 Log.jsm:753 NS_ERROR_UNEXPECTED(unknown)
Flags: needinfo?(dale)
|
|
||
Comment 25•8 years ago
|
||
rhelmer, relevant to what we discussed over irc
|
|
||
Comment 26•8 years ago
|
||
Ah ok, so https://bugzilla.mozilla.org/show_bug.cgi?id=1309463 provides a fallback if for any reason it is not possible to communicate with the AUS servers, but yes it certainly wont fix any certificate issues. As Andrew / Anthony seemed to imply the fallback was a good enough fix for the certificate issue however if it isnt I will deassign myself. Cheers
Assignee: dale → nobody
Flags: needinfo?(dale)
|
|
||
Comment 27•8 years ago
|
||
I think you mean that bug 1267495 added the fallback and bug 1309463 fixed a check for supported EME platforms. I had a discussion with rhelmer regarding these checks in relation to add-ons (bug 1308251) which is essentially the same as this bug since they share code for the check.
|
|
||
Comment 28•8 years ago
|
||
I'll leave it to rhelmer as to whether to reopen this bug.
|
|
||
Updated•8 years ago
|
You need to log in
before you can comment on or make changes to this bug.
Description
•