Users report Netflix stopped working after Firefox 48 as CDM won't get installed

RESOLVED DUPLICATE of bug 1309463

Status

()

defect
P1
normal
RESOLVED DUPLICATE of bug 1309463
3 years ago
3 years ago

People

(Reporter: philipp, Unassigned)

Tracking

({regression})

48 Branch
Points:
---

Firefox Tracking Flags

(platform-rel +, firefox48 wontfix, firefox49+ wontfix, firefox50+ fix-optional, firefox51 fix-optional)

Details

(Whiteboard: [platform-rel-Netflix])

Reporter

Description

3 years ago
we got quite a number of reports on sumo from users across platforms (win, os x) who are no longer able to play netflix videos after the firefox 48 update and get an infobar "Firefox is installing components needed to play audio or video, please try again later" instead, but the CDM module necessary for drm playback doesn't get applied.
Component: General → Audio/Video
Thanks Ben.
Assignee: nobody → cpearce
Component: Audio/Video → Audio/Video: Playback
Priority: -- → P1
In this SUMO thread:
https://support.mozilla.org/en-US/questions/1135638?page=2#answer-913745

We had a user who was able to post her GMPProvider log:

Init: Loading set App1App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155
Init: Loaded set App1App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155
Init: Loading set Compose0App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155
Init: Loaded set Compose0App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155
Init: Loading set Compose0App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155
Init: Loading set Compose1App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155
Init: Loaded set Compose1App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155
Init: Loading set Compose2App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155
Init: Loading set SearchFiltersApp0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155
Init: Loaded set SearchFiltersApp0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155
Init: Loaded set Compose2App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155
Init: Loading set Compose3App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155
Init: Loaded set Compose3App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155
Init: Loading set Compose0App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155
Init: Loading set PeoplePaneApp0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155
Init: Loaded set PeoplePaneApp0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155
Init: Loading set Compose0App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155
Init: Loading set PeoplePaneApp0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155
Init: Loading set SearchFiltersApp0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155
Init: Loading set Compose0App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155
Init: Loading set PeoplePaneApp0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155
Init: Loading set Compose0App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155
Init: Loading set PeoplePaneApp0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155
Init: Loading set Compose0App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155
Init: Loading set PeoplePaneApp0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155
Init: Loading set Compose0App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155
Init: Loading set PeoplePaneApp0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155
Init: Loading set Compose0App0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155
Init: Loading set PeoplePaneApp0x_LfX7uw78SK6x8985Wwc0cQ2.js:1:696155
"Handler function threw an exception: TypeError: this.transport is null
Stack: DSC_send@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/main.js:1391:5
NEA_addSecurityInfo@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/webconsole.js:2136:5
NetworkResponseListener.prototype._getSecurityInfo<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/webconsole/network-monitor.js:266:5
exports.makeInfallible/<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/ThreadSafeDevToolsUtils.js:101:14
NetworkResponseListener.prototype.onStartRequest@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/webconsole/network-monitor.js:215:5
Line: 1391, column: 5"ThreadSafeDevToolsUtils.js:80
JQMIGRATE: Logging is activecommon-min.80cc97d7f66d.js:6:5685
JQMIGRATE: jQuery.browser is deprecatedcommon-min.80cc97d7f66d.js:6:6026
console.trace():common-min.80cc97d7f66d.js:6
migrateWarn()common-min.80cc97d7f66d.js:6
migrateWarnProp/<.get()common-min.80cc97d7f66d.js:6
<anonymous>questions-min.c6e4a6ff3318.js:3
x.Callbacks/c()common-min.80cc97d7f66d.js:4
x.Callbacks/p.fireWith()common-min.80cc97d7f66d.js:4
.ready()common-min.80cc97d7f66d.js:3
q()common-min.80cc97d7f66d.js:3

JQMIGRATE: $(html) HTML strings must start with '<' charactercommon-min.80cc97d7f66d.js:6:6026
console.trace():common-min.80cc97d7f66d.js:6
migrateWarn()common-min.80cc97d7f66d.js:6
jQuery.fn.init()common-min.80cc97d7f66d.js:6
x()common-min.80cc97d7f66d.js:3
x.prototype.init()common-min.80cc97d7f66d.js:3
jQuery.fn.init()common-min.80cc97d7f66d.js:6
x()common-min.80cc97d7f66d.js:3
Marky.CannedResponsesButton.prototype<.getPermissionBits/<.success()questions-min.c6e4a6ff3318.js:1
x.Callbacks/c()common-min.80cc97d7f66d.js:4
x.Callbacks/p.fireWith()common-min.80cc97d7f66d.js:4
k()common-min.80cc97d7f66d.js:5
.send/r()common-min.80cc97d7f66d.js:5

"Handler function threw an exception: TypeError: this.transport is null
Stack: DSC_send@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/main.js:1391:5
NEA_addSecurityInfo@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/webconsole.js:2136:5
NetworkResponseListener.prototype._getSecurityInfo<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/webconsole/network-monitor.js:266:5
exports.makeInfallible/<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/ThreadSafeDevToolsUtils.js:101:14
NetworkResponseListener.prototype.onStartRequest@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/webconsole/network-monitor.js:215:5
Line: 1391, column: 5"ThreadSafeDevToolsUtils.js:80
"The version of Tabzilla you are using is deprecated and will be removed in the future.

Please update to the new static version here: https://github.com/mozilla/tabzilla/"tabzilla.js:612:17
MediaKeySystemAccess::GetKeySystemStatus(com.widevine.alpha, minVer=-1) result=cdm-not-installed version='' msg='CDM is not installed'
1473132512539	Toolkit.GMP	TRACE	GMPWrapper(gmp-eme-adobe) receiveMessage() data={"keySystem":"com.widevine.alpha","status":"cdm-not-installed"}
1473132512540	Toolkit.GMP	TRACE	GMPWrapper(gmp-widevinecdm) receiveMessage() data={"keySystem":"com.widevine.alpha","status":"cdm-not-installed"}
1473132512541	Toolkit.GMP	TRACE	GMPWrapper(gmp-eme-adobe) receiveMessage() data={"keySystem":"com.widevine.alpha","status":"cdm-not-installed"}
1473132512543	Toolkit.GMP	TRACE	GMPWrapper(gmp-widevinecdm) receiveMessage() data={"keySystem":"com.widevine.alpha","status":"cdm-not-installed"}
1473132512583	Toolkit.GMP	INFO	GMPInstallManager.simpleCheckAndInstall Last check was: 1473132513 seconds ago, minimum seconds: 86400
1473132512584	Toolkit.GMP	INFO	GMPInstallManager._getURL Using url: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
1473132512585	Toolkit.GMP	INFO	GMPInstallManager._getURL Using url (with replacement): https://aus5.mozilla.org/update/3/GMP/48.0.2/20160823121617/WINNT_x86-msvc-x64/en-US/release/Windows_NT%2010.0.0.0%20(x64)/default/default/update.xml
1473132512589	Toolkit.GMP	INFO	GMPInstallManager.simpleCheckAndInstall Last check was: 1473132513 seconds ago, minimum seconds: 86400
1473132512590	Toolkit.GMP	INFO	GMPInstallManager._getURL Using url: https://aus5.mozilla.org/update/3/GMP/%VERSION%/%BUILD_ID%/%BUILD_TARGET%/%LOCALE%/%CHANNEL%/%OS_VERSION%/%DISTRIBUTION%/%DISTRIBUTION_VERSION%/update.xml
1473132512591	Toolkit.GMP	INFO	GMPInstallManager._getURL Using url (with replacement): https://aus5.mozilla.org/update/3/GMP/48.0.2/20160823121617/WINNT_x86-msvc-x64/en-US/release/Windows_NT%2010.0.0.0%20(x64)/default/default/update.xml
TypeError: i.subscribe is not a function
bk:39:7270
"Handler function threw an exception: TypeError: this.transport is null
Stack: DSC_send@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/main.js:1391:5
NEA_addSecurityInfo@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/server/actors/webconsole.js:2136:5
NetworkResponseListener.prototype._getSecurityInfo<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/webconsole/network-monitor.js:266:5
exports.makeInfallible/<@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/ThreadSafeDevToolsUtils.js:101:14
NetworkResponseListener.prototype.onStartRequest@resource://gre/modules/commonjs/toolkit/loader.js -> resource://devtools/shared/webconsole/network-monitor.js:215:5
Line: 1391, column: 5"ThreadSafeDevToolsUtils.js:80
TypeError: this.transport is nullmain.js:1391:5
Cross-Origin Request Blocked: The Same Origin Policy disallows reading the remote resource at https://fls-na.amazon.com/1/action-impressions/1/OP/csm/action/csm-features:impression-tracking?requestId=E7DAFK5QVPG2Q47KZ96H&marketplaceId=ATVPDKIKX0DER&session=164-9077408-8303711&csm=1. (Reason: CORS header 'Access-Control-Allow-Origin' does not match '*').(unknown)
no element found3.0:1:1
Expected certificate attribute 'issuerName' value incorrect, expected: 'CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', got: 'CN=VertoAnalyticsCA'.
CertUtils.jsm:109
Expected certificate attribute 'issuerName' value incorrect, expected: 'CN=thawte SSL CA - G2,O="thawte, Inc.",C=US', got: 'CN=VertoAnalyticsCA'.
CertUtils.jsm:109
Certificate checks failed. See previous errors for details.
CertUtils.jsm:112
1473132514535	addons.productaddons	ERROR	Request failed certificate checks: [Exception... "Certificate checks failed. See previous errors for details."  nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)"  location: "JS frame :: resource://gre/modules/CertUtils.jsm :: validateCert :: line 113"  data: no]
Log.jsm:753
1473132514536	Toolkit.GMP	ERROR	GMPInstallManager.simpleCheckAndInstall Could not check for addons: [Exception... "Certificate checks failed. See previous errors for details."  nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)"  location: "JS frame :: resource://gre/modules/CertUtils.jsm :: validateCert :: line 113"  data: no] Stack trace: validateCert()@resource://gre/modules/CertUtils.jsm:113 < checkCert()@resource://gre/modules/CertUtils.jsm:155 < downloadXML/</success()@resource://gre/modules/addons/ProductAddonChecker.jsm:121
Log.jsm:753
no element foundping:1:1
Expected certificate attribute 'issuerName' value incorrect, expected: 'CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', got: 'CN=VertoAnalyticsCA'.
CertUtils.jsm:109
Expected certificate attribute 'issuerName' value incorrect, expected: 'CN=thawte SSL CA - G2,O="thawte, Inc.",C=US', got: 'CN=VertoAnalyticsCA'.
CertUtils.jsm:109
Certificate checks failed. See previous errors for details.
CertUtils.jsm:112
1473132514695	addons.productaddons	ERROR	Request failed certificate checks: [Exception... "Certificate checks failed. See previous errors for details."  nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)"  location: "JS frame :: resource://gre/modules/CertUtils.jsm :: validateCert :: line 113"  data: no]
Log.jsm:753
1473132514696	Toolkit.GMP	ERROR	GMPInstallManager.simpleCheckAndInstall Could not check for addons: [Exception... "Certificate checks failed. See previous errors for details."  nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)"  location: "JS frame :: resource://gre/modules/CertUtils.jsm :: validateCert :: line 113"  data: no] Stack trace: validateCert()@resource://gre/modules/CertUtils.jsm:113 < checkCert()@resource://gre/modules/CertUtils.jsm:155 < downloadXML/</success()@resource://gre/modules/addons/ProductAddonChecker.jsm:121
Log.jsm:753
Expected certificate attribute 'issuerName' value incorrect, expected: 'CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', got: 'CN=VertoAnalyticsCA'.
CertUtils.jsm:109
Expected certificate attribute 'issuerName' value incorrect, expected: 'CN=thawte SSL CA - G2,O="thawte, Inc.",C=US', got: 'CN=VertoAnalyticsCA'.
CertUtils.jsm:109
Certificate checks failed. See previous errors for details.
CertUtils.jsm:112
1473132514788	addons.productaddons	ERROR	Request failed certificate checks: [Exception... "Certificate checks failed. See previous errors for details."  nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)"  location: "JS frame :: resource://gre/modules/CertUtils.jsm :: validateCert :: line 113"  data: no]
Log.jsm:753
1473132514789	Toolkit.GMP	ERROR	GMPInstallManager.simpleCheckAndInstall Could not check for addons: [Exception... "Certificate checks failed. See previous errors for details."  nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)"  location: "JS frame :: resource://gre/modules/CertUtils.jsm :: validateCert :: line 113"  data: no] Stack trace: validateCert()@resource://gre/modules/CertUtils.jsm:113 < checkCert()@resource://gre/modules/CertUtils.jsm:155 < downloadXML/</success()@resource://gre/modules/addons/ProductAddonChecker.jsm:121
Log.jsm:753
An unbalanced tree was written using document.write() causing data from the network to be reparsed. For more information https://developer.mozilla.org/en/Optimizing_Your_Pages_for_Speculative_Parsingsf-1.38_FX4._V280516968_.html:27
Use of getAttributeNode() is deprecated. Use getAttribute() instead.site-wide-7123153309._V1_.js:640:62
no element foundproperties:1:1
Expected certificate attribute 'issuerName' value incorrect, expected: 'CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', got: 'CN=VertoAnalyticsCA'.
CertUtils.jsm:109
Expected certificate attribute 'issuerName' value incorrect, expected: 'CN=thawte SSL CA - G2,O="thawte, Inc.",C=US', got: 'CN=VertoAnalyticsCA'.
CertUtils.jsm:109
Certificate checks failed. See previous errors for details.
CertUtils.jsm:112
1473132520755	addons.productaddons	ERROR	Request failed certificate checks: [Exception... "Certificate checks failed. See previous errors for details."  nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)"  location: "JS frame :: resource://gre/modules/CertUtils.jsm :: validateCert :: line 113"  data: no]
Log.jsm:753
1473132520756	Toolkit.GMP	ERROR	GMPInstallManager.simpleCheckAndInstall Could not check for addons: [Exception... "Certificate checks failed. See previous errors for details."  nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)"  location: "JS frame :: resource://gre/modules/CertUtils.jsm :: validateCert :: line 113"  data: no] Stack trace: validateCert()@resource://gre/modules/CertUtils.jsm:113 < checkCert()@resource://gre/modules/CertUtils.jsm:155 < downloadXML/</success()@resource://gre/modules/addons/ProductAddonChecker.jsm:121
Log.jsm:753
NS_ERROR_UNEXPECTED(unknown)



Note the certificate errors. VertoAnalytics is intercepting the HTTPS request to download from aus5.mozilla.org. So the user's HTTPS traffic has been MITM.
The symptom of MITM (man-in-the-middle) attacks is that Widevine, Primetime and OpenH264 are all failing to download. OpenH264/Primetime have been available longer so could've been installed before a MITM.
Reporter

Comment 5

3 years ago
a fair number of security software (avast, bitdefender, eset, kaspersky) will man-in-the-middle all secure network traffic by default afaik.
Too late for 48, if we want to fix that in 49, a fix will need to arrive very soon.
For posterity, here's the part of the log that shows the MitM:
Expected certificate attribute 'issuerName' value incorrect, expected: 'CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', got: 'CN=VertoAnalyticsCA'.
CertUtils.jsm:109
Expected certificate attribute 'issuerName' value incorrect, expected: 'CN=thawte SSL CA - G2,O="thawte, Inc.",C=US', got: 'CN=VertoAnalyticsCA'.
CertUtils.jsm:109
Certificate checks failed. See previous errors for details.
It's also worth noting that we stopped SSL pinning for Firefox updates, partly for this reason. If we were able to sign the payload for gecko media plugins we might be able to do the same for them.
It sounds like this is likely to be a widespread problem. 

To work around this problem in 49, do we need the solution (possibly in bug 1267495) to be hashed out before release? Or could this be in a dot release after 49 goes out?
The OpenH264 downloads are signed, so pinning the update URL has less impact than it might.  There is a downside in that if someone were to MITM redirect the download to an older copy that was signed but has been replaced, they could sneak a vulnerable version of the download into the system.  It still runs in a sandbox (excluding Android for Openh264 at least)
(In reply to Randell Jesup [:jesup] from comment #10)
> The OpenH264 downloads are signed, so pinning the update URL has less impact
> than it might.  There is a downside in that if someone were to MITM redirect
> the download to an older copy that was signed but has been replaced, they
> could sneak a vulnerable version of the download into the system.  It still
> runs in a sandbox (excluding Android for Openh264 at least)

Unfortunately, I don't think we could remove pinning unless all plugins are signed.

Downgrade attacks are something that can be protected against. IIRC, we refuse to install versions of Firefox that are older than the current version by comparing against the version in the MAR. This would be trickier for GMP plugins in situations where you don't have one yet...perhaps we'd need to embed the minimum allowed version into Firefox, and compare against that for new installs.
(In reply to Ben Hearsum (:bhearsum) from comment #11)
> Unfortunately, I don't think we could remove pinning unless all plugins are
> signed.

/me boggles

Can we get them signed?  (with something we can check?)
 
> Downgrade attacks are something that can be protected against. IIRC, we
> refuse to install versions of Firefox that are older than the current
> version by comparing against the version in the MAR. This would be trickier
> for GMP plugins in situations where you don't have one yet...perhaps we'd
> need to embed the minimum allowed version into Firefox, and compare against
> that for new installs.

It's also the case that we occasionally may need to downgrade OpenH264 (don't know about other GMP downloads) if an update turns out to cause problems in the field.  I suppose we could "downgrade" by resigning it with a higher (fake) version number (annoying), with a higher non-visible number, or something that says "invalidates version X.Y"
(In reply to Randell Jesup [:jesup] from comment #12)
> (In reply to Ben Hearsum (:bhearsum) from comment #11)
> > Unfortunately, I don't think we could remove pinning unless all plugins are
> > signed.
> 
> /me boggles
> 
> Can we get them signed?  (with something we can check?)

That might be more of a question for someone else. Last I checked, the only plugin we build ourselves is OpenH264. For the others, we'd probably want them signed by whomever is building them? We should probably spin this off into another bug.

> > Downgrade attacks are something that can be protected against. IIRC, we
> > refuse to install versions of Firefox that are older than the current
> > version by comparing against the version in the MAR. This would be trickier
> > for GMP plugins in situations where you don't have one yet...perhaps we'd
> > need to embed the minimum allowed version into Firefox, and compare against
> > that for new installs.
> 
> It's also the case that we occasionally may need to downgrade OpenH264
> (don't know about other GMP downloads) if an update turns out to cause
> problems in the field.  I suppose we could "downgrade" by resigning it with
> a higher (fake) version number (annoying), with a higher non-visible number,
> or something that says "invalidates version X.Y"

This is pretty much what we do for everything else. You can only go forward, which means if you discover a stop-ship issue, you halt all updates, spin a new version, and then ship that.
OK. As I'm understanding this, you all are discussing and working towards some possible solutions. 
But we don't gain anything from blocking 49 on this issue since we already have the issue in 48.
platform-rel: --- → ?
NI? bsmedberg for thoughts on:

(In reply to Ben Hearsum (:bhearsum) from comment #13)
> (In reply to Randell Jesup [:jesup] from comment #12)
> > (In reply to Ben Hearsum (:bhearsum) from comment #11)
> > > Unfortunately, I don't think we could remove pinning unless all plugins are
> > > signed.
> > 
> > /me boggles
> > 
> > Can we get them signed?  (with something we can check?)
> 
> That might be more of a question for someone else. Last I checked, the only
> plugin we build ourselves is OpenH264. For the others, we'd probably want
> them signed by whomever is building them? We should probably spin this off
> into another bug.
Flags: needinfo?(benjamin)
The requirements for code updates are that the software must be verified against a builtin certificate; updates must not rely solely on PKI infrastructure.

There are many ways to do this: we can use builtin pins to our update servers, include a hash in that response, and validate the hash against the final dwonload location.

Or we can build Adobe/Google/etc certificates into Firefox, those companies can sign their releases, and we validate their signature. Or we can use some other validated series of HTTPS pins, but that seems to be what we're trying to avoid here.
Flags: needinfo?(benjamin)
Tracked for Fx50. This seems important enough to get a fix on this one in Beta50.
platform-rel: ? → +
Who's going to implement one of the suggestions from comment 16 (or something else)?
Flags: needinfo?(ajones)
Whiteboard: [platform-rel-Netflix]
This should be fixed by bug 1267495 but unfortunately isn't yet.
Flags: needinfo?(ajones)
Looks like followup to bug 1267495 is happening in bug 1309463. I imagine we can probably dupe this to either of those bugs but I'm not sure which one.
Dale, should we dupe this to bug 1309463?
Flags: needinfo?(dale)
Changing owner to Dale.

Note, this bug is tracking Firefox-50.
Assignee: cpearce → dale
As 1309463 is the followup it seems sensible to dupe it to that, this should be fixed now and has been in my testing
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Flags: needinfo?(dale)
Resolution: --- → DUPLICATE
Duplicate of bug: 1309463
Dale, in comment #3 the log shows that the certificate was rejected. Bug 1309463 doesn't fix that issue which this bug is about.

Expected certificate attribute 'issuerName' value incorrect, expected: 'CN=DigiCert SHA2 Secure Server CA,O=DigiCert Inc,C=US', got: 'CN=VertoAnalyticsCA'.
CertUtils.jsm:109
Expected certificate attribute 'issuerName' value incorrect, expected: 'CN=thawte SSL CA - G2,O="thawte, Inc.",C=US', got: 'CN=VertoAnalyticsCA'.
CertUtils.jsm:109
Certificate checks failed. See previous errors for details.
CertUtils.jsm:112
1473132520755	addons.productaddons	ERROR	Request failed certificate checks: [Exception... "Certificate checks failed. See previous errors for details."  nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)"  location: "JS frame :: resource://gre/modules/CertUtils.jsm :: validateCert :: line 113"  data: no]
Log.jsm:753
1473132520756	Toolkit.GMP	ERROR	GMPInstallManager.simpleCheckAndInstall Could not check for addons: [Exception... "Certificate checks failed. See previous errors for details."  nsresult: "0x80070057 (NS_ERROR_ILLEGAL_VALUE)"  location: "JS frame :: resource://gre/modules/CertUtils.jsm :: validateCert :: line 113"  data: no] Stack trace: validateCert()@resource://gre/modules/CertUtils.jsm:113 < checkCert()@resource://gre/modules/CertUtils.jsm:155 < downloadXML/</success()@resource://gre/modules/addons/ProductAddonChecker.jsm:121
Log.jsm:753
NS_ERROR_UNEXPECTED(unknown)
Flags: needinfo?(dale)
rhelmer, relevant to what we discussed over irc
Ah ok, so https://bugzilla.mozilla.org/show_bug.cgi?id=1309463 provides a fallback if for any reason it is not possible to communicate with the AUS servers, but yes it certainly wont fix any certificate issues. As Andrew / Anthony seemed to imply the fallback was a good enough fix for the certificate issue however if it isnt I will deassign myself. Cheers
Assignee: dale → nobody
Flags: needinfo?(dale)
I think you mean that bug 1267495 added the fallback and bug 1309463 fixed a check for supported EME platforms.

I had a discussion with rhelmer regarding these checks in relation to add-ons (bug 1308251) which is essentially the same as this bug since they share code for the check.
I'll leave it to rhelmer as to whether to reopen this bug.
You need to log in before you can comment on or make changes to this bug.