Closed Bug 1417125 Opened 8 years ago Closed 8 years ago

Can1t acess web site , FireFox does not start TLS

Categories

(Core :: Security, defect)

Product:
Core
Component:
Security
Version:
56 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED INVALID

People

(Reporter: fredcw, Unassigned)

Details

Attachments

(4 files)

log-main
974.32 KB, text/plain
Details
Attempt with FF53.4.0 - https webveic.ccbfinanceira.com.br using WireShark
78.16 KB, application/octet-stream
Details
02 - Attemp- Google Chrome - https webveic.ccbfinanceira.com.br with Wireshark
72.38 KB, application/octet-stream
Details
03 Attemp - Squid both ends - .pcap - WireShark
6.48 KB, application/octet-stream
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0 Build ID: 20170928210252 Steps to reproduce: Tried to access https://webveic.ccbfinanceira.com.br/ Tried with 45 , 51 ,52 , 56 and 56.0.2 Same problem on all of them. Problem is not new ., We should had switched to Firefox 'cause of an application; we are stranded with 3 browsers now,;.;;; I can't acess https://webveic.ccbfinanceira.com.br/ ONLY WITH FIREFOX (45+ or 56+) ; receiving a message of interrupted when loading. Using wireshark, found that after CONNECTION ESTABLISHED 200 OK --> firefox starts a SSL HELLO CLIENT , instead of a TLSv1 HELLO CLIENT., Did compare using Google-Chrome 62.0.3202.75 ,, Follows PERTINENT TCP transcript of FIREFOX conversation:: 30 2.942425470 192.168.32.44 192.168.33.185 HTTP 295 CONNECT webveic.ccbfinanceira.com.br:443 HTTP/1.1 32 2.982720472 192.168.33.185 192.168.32.44 HTTP 105 HTTP/1.1 200 Connection established 34 2.982993132 192.168.32.44 192.168.33.185 SSL 270 Client Hello 35 2.983180166 192.168.33.185 192.168.32.44 TCP 66 3128 → 36563 [ACK] Seq=40 Ack=434 Win=31104 Len=0 TSval=521130987 TSecr=3129245 36 3.024289382 192.168.33.185 192.168.32.44 TCP 66 3128 → 36563 [FIN, ACK] Seq=40 Ack=434 Win=31104 Len=0 TSval=521130997 TSecr=3129245 37 3.024579222 192.168.32.44 192.168.33.185 TCP 66 36563 → 3128 [FIN, ACK] Seq=434 Ack=41 Win=29312 Len=0 TSval=3129256 TSecr=521130997 Connection is closed here... And the same transcript using google-chrome . , 13 1.416390182 192.168.32.44 192.168.33.185 HTTP 307 CONNECT webveic.ccbfinanceira.com.br:443 HTTP/1.1 25 1.494568301 192.168.33.185 192.168.32.44 HTTP 105 HTTP/1.1 200 Connection established 27 1.494942928 192.168.32.44 192.168.33.185 TLSv1 282 Client Hello 60 1.620670604 192.168.33.185 192.168.32.44 TLSv1 322 Server Hello, Certificate, Server Key Exchange, Server Hello Done Actual results: Error - Loading interrupted Expected results: Page shoul open normally
Component: Untriaged → Networking: HTTP
Product: Firefox → Core
Version: 45 Branch → 56 Branch
Probably a mis-configured site; although IE (5,6,7), Safari and Chrome do work with it; Trying to find a solution to work with FF in order to not have +1 browser in facility. Using http or https to start browsing does not make any difference. FF does not start TLS.
Attached file log-main
I can reproduce this bug on v59 nightly
Ni? David who probably have some ideas about the issue.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(dkeeler)
Hmmm - it seems to work for me. fred - can you attach the packet traces for firefox and chrome connecting to this site?
Flags: needinfo?(dkeeler) → needinfo?(fredcw)
Test setup src IP 192.168.25.47 - FF
Test case 2 - Google Chrome - SRC IP Address 192.168.25.47 -
Flags: needinfo?(fredcw)
Problem continues. FF returns: The page you are trying to view cannot be shown because the authenticity of the received data could not be verified; Chrome opens site normally, ...
Thanks! Are you connecting through some sort of proxy? Are any other sites affected?
Flags: needinfo?(fredcw)
1) With and without proxy. Tested both ways, . In both cases the tcp flow is the same, except of what concerns SQUID 3., since IP address of the server comes from the proxy. Other than that, same-o.. If needed, I can generate the tcp flow in both sides of squid Just for the record Proxy server :: 3.16.0-4-amd64 #1 SMP Debian 3.16.7-ckt11-1+deb8u3 (2015-08-04) x86_64 GNU/Linux Squid *** 3.4.8-6 0 500 cdrom://[Debian GNU/Linux 8.2.0 _Jessie_ - Official amd64 BD Binary-1 20150906-11:13] *** 2) I'm not really sure; there are sites that just doesn't open with firefox, and wasn't paying much attention to the problem. Monday 20th I'll be in the facility and inquire with the users to see if there are other cases;
Flags: needinfo?(fredcw)
https request, using squid3 proxy, both sides , FF , client -- 192.168.25.3 <---> squid 192.168.25.25 <--> adsl 192.168.25.1 **
Linux fcwdmz01 4.9.0-3-amd64 #1 SMP Debian 4.9.30-2+deb9u5 (2017-09-19) x86_64 GNU/Linux squid3: Instalado: 3.5.23-5 Tabela de versão: *** 3.5.23-5 500 500 http://internal-mirror.fcwsistemas.com.br/debian stretch/main amd64 Packages 100 /var/lib/dpkg/status 3.4.8-6+deb8u4 500 500 http://ftp.br.debian.org/debian jessie/main amd64 Packages
==> /var/log/squid/access.log <== 1510871385.923 17908 192.168.25.3 TCP_MISS_ABORTED/000 0 GET http://webveic.ccbfinanceira.com.br/ - HIER_DIRECT/186.232.246.184 - 1510871415.409 78 192.168.25.3 TCP_TUNNEL/200 0 CONNECT webveic.ccbfinanceira.com.br:443 - HIER_DIRECT/186.232.246.184 - 1510871468.536 130 192.168.25.3 TCP_TUNNEL/200 0 CONNECT webveic.ccbfinanceira.com.br:443 - HIER_DIRECT/186.232.246.184 - 1510871518.266 180515 192.168.25.3 TCP_TUNNEL/200 12540 CONNECT ssl.gstatic.com:443 - HIER_DIRECT/172.217.30.3 -
I don't really know how to interpret comments 10-13. I'm assuming they're more or less unrelated if the problem persists even when you're not going through a proxy. Have you tried from other networks? How about with a new profile?
Flags: needinfo?(fredcw)
Comments 10 - 13 answers comment 9; I did test with two other networks in other facilities and trying with and without proxy in all cases to certify that it would be reproducible always. Since there was a doubt about the proxy interfering in the case it would be used, managed to trace test with the proxy, in both ends of it to certify that it had the same outcome. Comment 13 and attachment "03 Attemp - Squid both ends - .pcap - WireShark" is just a proof of this test case. Hope this clears up any misunderstanding.
Flags: needinfo?(fredcw)
Answering Comment 14, did the following tests in two different networks, a) new profile, b) cleaning up all profiles c) purging FF , cleaning all ~/.mozilla files, and reinstalling FF. from distro package d) using FF safe mode , The issue stands in all cases Secure Connection Failed The connection to the server was reset while the page was loading. The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem.
As this is likely an SSL issue and seeing David taking care of this, moving to the right component.
Component: Networking: HTTP → Security
Dear all, Thanks for following this bug, . But the issue is resolved at the source serever. Some one did reconfigure something, but was unwilling to give up what they did. There were corrections on the server end, and it looks like they fixed whatever was going wrong. Since the issued disappeared, and it was observed by them that they would not help in future aids, I would like to close this problem, as we will not be able to make the solution for it available . For that reason I'm marking it as invalid. Thanks for the attention. Sincerely, Frederico C Wilhelms Senior Support Braz e Freitas Ltda
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → INVALID
(In reply to fredcw from comment #18) > Dear all, > > Thanks for following this bug, . > But the issue is resolved at the source serever. Some one did reconfigure > something, but was unwilling to give up what they did. > There were corrections on the server end, and it looks like they fixed > whatever was going wrong. > > Since the issued disappeared, and it was observed by them that they would > not help in future aids, I would like to close this problem, as we will not > be able to make the solution for it available . > > For that reason I'm marking it as invalid. > > Thanks for the attention. > > Sincerely, > > > Frederico C Wilhelms > Senior Support > Braz e Freitas Ltda The timestamp of the server fix was 2017-11-23 14:35 GMT
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: