Closed Bug 1306368 Opened 8 years ago Closed 7 years ago

download.cdn.mozilla.net does not have correct HTTPS certificate

Categories

(Cloud Services :: Operations: Product Delivery, task)

task
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: mstanke, Assigned: oremj)

References

()

Details

Yesterday we have got a report, that download links on http://www.mozilla.cz/stahnout/firefox/ redirect to https://download.cdn.mozilla.net/pub/firefox/releases/49.0.1/win64/cs/Firefox%20Setup%2049.0.1.exe, which results to an HTTPS error due to wrong certificate domain name.

I was unable to reproduce it, but can confirm that download.cdn.mozilla.net produces warning when accessed over HTTPS. Probably the redirection from download.mozilla.org is misconfigured and should use https://download-installer.cdn.mozilla.net instead of https://download.cdn.mozilla.net ?
download.cdn.mozilla.net is intended to be HTTP only. This happens when someone has an addon that forces HTTPS.

Rail, thoughts on setting "SSL Only" for all non-update products? I'm pretty sure we can't do this, because we may require http in some instances.

Michal, for a quick fix on your side, can you instead link to "-ssl" products e.g., https://download.mozilla.org/?product=firefox-49.0.1-ssl&os=win&lang=cs.
Flags: needinfo?(rail)
Flags: needinfo?(mstanke)
Assignee: nobody → oremj
Thank you, I will use it. I just wonder what is the use case for distributing Firefox in an "insecure" way over HTTP.
Flags: needinfo?(mstanke)
Seems the "-ssl" does not work for SeaMonkey, but will server good for Firefox and Thunderbird.
(In reply to Jeremy Orem [:oremj] from comment #1)
> Rail, thoughts on setting "SSL Only" for all non-update products? I'm pretty
> sure we can't do this, because we may require http in some instances.

My only worry is the stub installer which uses the non-https bouncer entry:

https://dxr.mozilla.org/mozilla-central/source/browser/branding/official/branding.nsi#21 used in https://dxr.mozilla.org/mozilla-central/source/browser/installer/windows/nsis/stub.nsi#1373

I'm not sure if the stub installer handles https, Matt may have more information here.
Flags: needinfo?(rail) → needinfo?(mhowell)
I'm not sure if we've ever tried it, but the stub installer just uses WinINet for its downloads, and specifically accepts HTTPS URL's, so I don't see a reason why it wouldn't work.
Flags: needinfo?(mhowell)
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.