Closed
Bug 1306368
Opened 8 years ago
Closed 7 years ago
download.cdn.mozilla.net does not have correct HTTPS certificate
Categories
(Cloud Services :: Operations: Product Delivery, task)
Cloud Services
Operations: Product Delivery
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: mstanke, Assigned: oremj)
References
()
Details
Yesterday we have got a report, that download links on http://www.mozilla.cz/stahnout/firefox/ redirect to https://download.cdn.mozilla.net/pub/firefox/releases/49.0.1/win64/cs/Firefox%20Setup%2049.0.1.exe, which results to an HTTPS error due to wrong certificate domain name.
I was unable to reproduce it, but can confirm that download.cdn.mozilla.net produces warning when accessed over HTTPS. Probably the redirection from download.mozilla.org is misconfigured and should use https://download-installer.cdn.mozilla.net instead of https://download.cdn.mozilla.net ?
Assignee | ||
Comment 1•8 years ago
|
||
download.cdn.mozilla.net is intended to be HTTP only. This happens when someone has an addon that forces HTTPS.
Rail, thoughts on setting "SSL Only" for all non-update products? I'm pretty sure we can't do this, because we may require http in some instances.
Michal, for a quick fix on your side, can you instead link to "-ssl" products e.g., https://download.mozilla.org/?product=firefox-49.0.1-ssl&os=win&lang=cs.
Flags: needinfo?(rail)
Flags: needinfo?(mstanke)
Assignee | ||
Updated•8 years ago
|
Assignee: nobody → oremj
Reporter | ||
Comment 2•8 years ago
|
||
Thank you, I will use it. I just wonder what is the use case for distributing Firefox in an "insecure" way over HTTP.
Flags: needinfo?(mstanke)
Reporter | ||
Comment 3•8 years ago
|
||
Seems the "-ssl" does not work for SeaMonkey, but will server good for Firefox and Thunderbird.
Comment 4•8 years ago
|
||
(In reply to Jeremy Orem [:oremj] from comment #1)
> Rail, thoughts on setting "SSL Only" for all non-update products? I'm pretty
> sure we can't do this, because we may require http in some instances.
My only worry is the stub installer which uses the non-https bouncer entry:
https://dxr.mozilla.org/mozilla-central/source/browser/branding/official/branding.nsi#21 used in https://dxr.mozilla.org/mozilla-central/source/browser/installer/windows/nsis/stub.nsi#1373
I'm not sure if the stub installer handles https, Matt may have more information here.
Flags: needinfo?(rail) → needinfo?(mhowell)
Comment 5•8 years ago
|
||
I'm not sure if we've ever tried it, but the stub installer just uses WinINet for its downloads, and specifically accepts HTTPS URL's, so I don't see a reason why it wouldn't work.
Flags: needinfo?(mhowell)
Updated•8 years ago
|
Blocks: tls-everything
Assignee | ||
Updated•7 years ago
|
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•