download.cdn.mozilla.net does not have correct HTTPS certificate

RESOLVED FIXED

Status

Cloud Services
Operations: Product Delivery
RESOLVED FIXED
a year ago
3 months ago

People

(Reporter: MikkCZ, Assigned: oremj)

Tracking

(Blocks: 1 bug)

Firefox Tracking Flags

(Not tracked)

Details

(URL)

Yesterday we have got a report, that download links on http://www.mozilla.cz/stahnout/firefox/ redirect to https://download.cdn.mozilla.net/pub/firefox/releases/49.0.1/win64/cs/Firefox%20Setup%2049.0.1.exe, which results to an HTTPS error due to wrong certificate domain name.

I was unable to reproduce it, but can confirm that download.cdn.mozilla.net produces warning when accessed over HTTPS. Probably the redirection from download.mozilla.org is misconfigured and should use https://download-installer.cdn.mozilla.net instead of https://download.cdn.mozilla.net ?
(Assignee)

Comment 1

a year ago
download.cdn.mozilla.net is intended to be HTTP only. This happens when someone has an addon that forces HTTPS.

Rail, thoughts on setting "SSL Only" for all non-update products? I'm pretty sure we can't do this, because we may require http in some instances.

Michal, for a quick fix on your side, can you instead link to "-ssl" products e.g., https://download.mozilla.org/?product=firefox-49.0.1-ssl&os=win&lang=cs.
Flags: needinfo?(rail)
Flags: needinfo?(mstanke)
(Assignee)

Updated

a year ago
Assignee: nobody → oremj
Thank you, I will use it. I just wonder what is the use case for distributing Firefox in an "insecure" way over HTTP.
Flags: needinfo?(mstanke)
Seems the "-ssl" does not work for SeaMonkey, but will server good for Firefox and Thunderbird.
(In reply to Jeremy Orem [:oremj] from comment #1)
> Rail, thoughts on setting "SSL Only" for all non-update products? I'm pretty
> sure we can't do this, because we may require http in some instances.

My only worry is the stub installer which uses the non-https bouncer entry:

https://dxr.mozilla.org/mozilla-central/source/browser/branding/official/branding.nsi#21 used in https://dxr.mozilla.org/mozilla-central/source/browser/installer/windows/nsis/stub.nsi#1373

I'm not sure if the stub installer handles https, Matt may have more information here.
Flags: needinfo?(rail) → needinfo?(mhowell)
I'm not sure if we've ever tried it, but the stub installer just uses WinINet for its downloads, and specifically accepts HTTPS URL's, so I don't see a reason why it wouldn't work.
Flags: needinfo?(mhowell)

Updated

7 months ago
Blocks: 901393
(Assignee)

Updated

3 months ago
Status: NEW → RESOLVED
Last Resolved: 3 months ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.