Bug 1401796 - HSTS preloading entries get removed on "could not connect to host" errors
Status: VERIFIED FIXED (Closed); target milestone mozilla58
Opened 7 years ago; closed 7 years ago
Component: Core :: Security: PSM (defect, P1)
Reporter: jan; Assignee: keeler
Keywords: nightly-community; Whiteboard: [psm-assigned]
Attachments: 1 file
same url (same diff), different anchors:
https://hg.mozilla.org/mozilla-central/rev/aa0877abb872#l1.961
> +futos.de: could not connect to host
https://hg.mozilla.org/mozilla-central/rev/aa0877abb872#l2.998
> -futos.de, 1
This isn't intended if you look here:
https://dxr.mozilla.org/mozilla-central/source/security/manager/tools/getHSTSPreloadList.js#254
> // If we've encountered an error for this entry (other than the site not
> // sending an HSTS header), be safe and don't remove it from the list
> // (given that it was already on the list).
I switched some domains from dualstack to IPv6-only on port 443
(and Mozilla can't connect to IPv6 hosts because of bug 1309201):
* futos.de
* gabriele-kluge.de
(all removed from the preloading list in the above diff)
For example, this one was on the same IPv6 address, but also had an A record and was left in the list:
* perfektesgewicht.de
Updated by assignee, 7 years ago:
Priority: -- → P2
Whiteboard: [psm-backlog]
Comment 1 (assignee), 7 years ago:
https://hg.mozilla.org/mozilla-central/rev/f3339e6a451e#l1.12
--- a/security/manager/tools/getHSTSPreloadList.js
+++ b/security/manager/tools/getHSTSPreloadList.js
@@ -254,43 +254,50 @@ function output(sortedStatuses, currentL
try {
var file = FileUtils.getFile("CurWorkD", [OUTPUT]);
var errorFile = FileUtils.getFile("CurWorkD", [ERROR_OUTPUT]);
var fos = FileUtils.openSafeFileOutputStream(file);
var eos = FileUtils.openSafeFileOutputStream(errorFile);
writeTo(HEADER, fos);
writeTo(getExpirationTimeString(), fos);
writeTo(PREFIX, fos);
- for (var status of sortedStatuses) {
+ for (let status in sortedStatuses) {
// If we've encountered an error for this entry (other than the site not
// sending an HSTS header), be safe and don't remove it from the list
// (given that it was already on the list).
if (status.error != ERROR_NONE &&
status.error != ERROR_NO_HSTS_HEADER &&
status.error != ERROR_MAX_AGE_TOO_LOW &&
status.name in currentList) {
dump("INFO: error connecting to or processing " + status.name + " - using previous status on list\n");
writeTo(status.name + ": " + errorToString(status) + "\n", eos);
status.maxAge = MINIMUM_REQUIRED_MAX_AGE;
status.includeSubdomains = currentList[status.name];
}
+ }
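Review bot: the `for (let status in sortedStatuses)` line is a logic error, not just a style change: `for...in` walks the array's index keys ("0", "1", ...), so inside the loop `status.error` and `status.name` are undefined, the `status.error != ERROR_NONE && ... && status.name in currentList` condition can never hold, and a host that "could not connect" is no longer carried over with `status.maxAge = MINIMUM_REQUIRED_MAX_AGE` and `status.includeSubdomains = currentList[status.name]`. That is exactly the removal the description reports. Keep the `var` to `let` change but restore `for (let status of sortedStatuses) {`.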
sortedStatuses is an array, so `of` is what we want here.
Assignee: nobody → dkeeler
Blocks: 1255425
Priority: P2 → P1
Whiteboard: [psm-backlog] → [psm-assigned]
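To make the `in` versus `of` difference concrete, here is an added example; it is not code from getHSTSPreloadList.js or from the attachment on this bug. It runs the preservation loop from the hunk in comment 1 over a constructed status array and a constructed current list, once with each loop form. The error code names and values, the value of MINIMUM_REQUIRED_MAX_AGE, the field layout of the status objects, and the max-age filter that follows the preservation loop are assumptions modeled on the hunk, not taken from the script.

```javascript
// Added example for bug 1401796; not code from getHSTSPreloadList.js.
// Shows why `for (let status in sortedStatuses)` silently disables the
// "keep preexisting hosts on connection error" branch while `for ... of`
// behaves as the comment in the script describes.
//
// Assumed (not from the page): error code names/values, the value of
// MINIMUM_REQUIRED_MAX_AGE, the field layout of the status objects, and the
// later max-age filter implied by `status.maxAge = MINIMUM_REQUIRED_MAX_AGE`.

const ERROR_NONE = 0;
const ERROR_NO_HSTS_HEADER = 1;
const ERROR_MAX_AGE_TOO_LOW = 2;
const ERROR_COULD_NOT_CONNECT = 3;
const MINIMUM_REQUIRED_MAX_AGE = 18 * 7 * 24 * 60 * 60; // assumed: 18 weeks

// Constructed scan results in the shape the script's loop expects; the real
// script fills these from live HTTPS probes of every candidate host.
function sampleStatuses() {
  return [
    { name: "futos.de", error: ERROR_COULD_NOT_CONNECT, maxAge: 0, includeSubdomains: false },
    { name: "example.net", error: ERROR_NONE, maxAge: 31536000, includeSubdomains: true },
    { name: "example.org", error: ERROR_NO_HSTS_HEADER, maxAge: 0, includeSubdomains: false },
  ];
}

// Constructed current preload list: host -> includeSubdomains flag, the
// lookup the hunk performs with `currentList[status.name]`.
const CURRENT_LIST = { "futos.de": true, "example.org": false };

// The condition from the hunk, unchanged in meaning.
function shouldKeepPreviousStatus(status, currentList) {
  return status.error != ERROR_NONE &&
         status.error != ERROR_NO_HSTS_HEADER &&
         status.error != ERROR_MAX_AGE_TOO_LOW &&
         status.name in currentList;
}

// First pass: carry over hosts that hit an error other than "no header" or
// "max-age too low". loopForm is "in" (the regression) or "of" (the fix).
function preserveErroredHosts(statuses, currentList, loopForm) {
  if (loopForm === "in") {
    // for...in walks the array's keys: status is "0", "1", "2". Property
    // reads on a string return undefined, so the condition never holds and
    // no entry is patched.
    for (let status in statuses) {
      if (shouldKeepPreviousStatus(status, currentList)) {
        status.maxAge = MINIMUM_REQUIRED_MAX_AGE;
        status.includeSubdomains = currentList[status.name];
      }
    }
  } else {
    // for...of yields the status objects themselves.
    for (let status of statuses) {
      if (shouldKeepPreviousStatus(status, currentList)) {
        status.maxAge = MINIMUM_REQUIRED_MAX_AGE;
        status.includeSubdomains = currentList[status.name];
      }
    }
  }
  return statuses;
}

// Second pass (assumed shape): only entries with a long enough max-age make
// it into the generated list, in the "host, includeSubdomains" form seen in
// the diff quoted in the description.
function buildPreloadList(statuses) {
  return statuses
    .filter((s) => s.maxAge >= MINIMUM_REQUIRED_MAX_AGE)
    .map((s) => `${s.name}, ${s.includeSubdomains ? 1 : 0}`);
}

function generate(loopForm) {
  return buildPreloadList(preserveErroredHosts(sampleStatuses(), CURRENT_LIST, loopForm));
}

console.log("for...in:", generate("in")); // futos.de dropped from the list
console.log("for...of:", generate("of")); // futos.de kept with includeSubdomains = 1
```

With the `in` form the errored host is silently dropped and the only trace is the error-file line, which matches the "+futos.de: could not connect to host" / "-futos.de, 1" pair in the description; with the `of` form the host is carried over with its previous includeSubdomains flag.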
Comment 3 (mozreview-review), 7 years ago:
Comment on attachment 8911906:
bug 1401796 - fix HSTS preload script to keep preexisting hosts if there was a connection error DONTBUILD NPOTB
https://reviewboard.mozilla.org/r/183296/#review188450
Attachment #8911906 - Flags: review?(jjones) → review+
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/218757467ee8
fix HSTS preload script to keep preexisting hosts if there was a connection error r=jcj DONTBUILD NPOTB
Comment 6 (bugherder), 7 years ago:
Status: NEW → RESOLVED
Closed: 7 years ago
status-firefox58: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla58
Comment 7 (reporter), 7 years ago:
Verified fixed. Thank you.
https://hg.mozilla.org/mozilla-central/rev/3b5a9353f77c#l1.74
> +necesitodinero.org: could not connect to host
This domain was switched to IPv6-only after this fix had been pushed. There was a connection error, but it wasn't removed from the list, which is the desired behavior.
Comment 8 (reporter), 7 years ago:
Mistake. Sorry.
https://wiki.mozilla.org/SecurityEngineering/HTTP_Strict_Transport_Security_%28HSTS%29_Preload_List
> The versions of the list as it exists in the various channels of Firefox are available here: mozilla-central mozilla-aurora mozilla-beta mozilla-release mozilla-esr45.
https://dxr.mozilla.org/mozilla-beta/source/security/manager/ssl/nsSTSPreloadList.errors
Last Updated: 2017-09-21. futos.de is not preloaded, but we can see a connection error.
https://dxr.mozilla.org/mozilla-beta/source/security/manager/tools/getHSTSPreloadList.js#253
> for (let status in sortedStatuses) {
(wrong)
This looks like a beta uplift might be desirable.
Comment 9 (assignee), 7 years ago:
The automated updates don't run for beta, so uplifting this wouldn't do anything.