Firefox stalls after TLS handshake on self signed certificate - bug 1056341 not corrected
Categories
(Core :: Security: PSM, defect, P3)
Tracking
()
People
(Reporter: fanf42, Unassigned)
Details
(Whiteboard: [psm-backlog])
Attachments
(1 obsolete file)
|
||
Comment 1•7 years ago
|
||
|
||
Comment 2•7 years ago
|
||
|
|
||
Comment 4•7 years ago
|
||
|
|
||
Updated•7 years ago
|
I actually have the same issue right now on Firefox Developer Edition version 66.0b10
Working on Mac OS Mojave v10.14.3
I am loading a page from webpack-dev-server using port 8080 with a self signed certificate.
Browsing to https://localhost:8080/ will result in a timeout after waiting for a while on "Performing a TLS handshake to localhost"
As I see the most messages here are from a couple of months back I am curious if the got resolved or people still have this issue?
@bar-jan: I still have the bug, and the workaround I described abobe in comment #3 still works for me.
Forgot to mention:
I did not update my computer,
I do not use anti virus programs
I did reboot my machine
I do not have any issues with the 'normal' Firefox version 65.0.1 (64-bit)
I did remove Firefox Developer, reinstalled it (also after a reboot)
none of which worked to solve the issue.
|
||
Comment 10•6 years ago
|
||
(In reply to @fanf42 from comment #8)
@bar-jan: I still have the bug, and the workaround I described abobe in comment #3 still works for me.
Ah yes!
I actually saw that webpack is going to support a self signed cert file, which will prevent this issue.
As you would keep on using the same file each time.
| Comment hidden (advocacy) |
|
||
Comment 12•5 years ago
|
||
I'm seeing this as well. Pretty annoying.
Would you consider making the buildForwardCallBudget introduced in https://hg.mozilla.org/mozilla-central/rev/9dcd9f186bbf a configurable falg, in about:config?
|
||
Comment 13•5 years ago
|
||
I believe we are seeing the same thing here on Firefox Quantum 68.4.2esr (64-bit)
Our Dell servers' out of band management (idrac) all have self-signed certificates.
I can connect to none of them using Firefox ("Performing TLS handshake...")
So I am using Chrome instead, but it's not my preferred solution.
|
||
Comment 14•5 years ago
|
||
I can also confirm the behavior with Dell servers (a HPC cluster of PowerEdge C6525 systems).
Unfortunately, in my experience, it only happens if you access several of them. I.e. you can't reproduce the issue easily with a single server. Login to the iDRAC web UI via https/TLS becomes slower and slower until it times out when you access more and more of the nodes. Both deleting the certificate entries with certutil and starting Firefox with a new profile are (temporary) workarounds.
(I have reported the issue to my Dell contacts as well.)
|
Reporter | |
Comment 15•5 years ago
|
||
@jm: the workaround in comment #3 still works well for me.
|
|
||
Comment 16•5 years ago
|
||
(In reply to Karsten Weiss from comment #14)
I can also confirm the behavior with Dell servers (a HPC cluster of PowerEdge C6525 systems).
(I have reported the issue to my Dell contacts as well.)
Yep, the CN of the certificate always is idrac-SVCTAG [sic]. Probably they intended to replace the string "SVCTAG" by the actual service tag (in which case the problem would not occur) but failed. What did your contacts report back? I guess I'll open a service request with them. But I fear it will be a long one. Still, they officially support Firefox.
|
|
||
Comment 17•5 years ago
|
||
@jm I have not received a reply yet. I hope we'll get a comment here.
However, I flashed a new iDRAC FW today but still need to test if it makes difference. (However, even if it does, this remains a Firefox issue as well.)
|
|
||
Comment 18•5 years ago
|
||
@jm Your guess is probably right because with the iDRAC FW 4.10.10.10 the certificates no longer use "idrac-SVCTAG" but the actual service tag in the name. I've now deleted all accumulated instances of "idrac-SVCTAG" with certutil and hope the issue won't bother me again.
|
|
||
Comment 19•5 years ago
|
||
@Karsten Weiss
I chose to engage Dell Enterprise Support and after some discussion they have forwarded it to their developers. I told them to either correctly replace "SVCTAG" by the actual service tag (such that the certificates are unique, using SVCTAG suggests that that's what they intended to do but failed in the process), or that they remove Firefox from their list of compatible browsers (documentation bug) because it's not compatible (no matter if it's a bug in FF or whatever). Probably that got their attention.
In any case it's interesting that you say it's fixed in idrac 4.10.10.10 because we upgraded to that recently (obviously the new firmware did not actively replace existing certificates).
Maybe it's already fixed in the production chain, such that when you get a new server, the SSL cert CN is set correctly on delivery.
A workaround is the following:
racadm>> sslresetcfg
racadm>> racreset
This creates a new self-signed cert and restarts idrac (all settings are kept).
The new cert contains the hostname in my case (not sure what happens if none is configured, maybe it then defaults to svctag).
Maybe we should continue this discussion in Dell Community ^^ if there is anything further to be discussed.
|
||
Comment 20•5 years ago
|
||
I can confirm this bug for Firefox Quantum 68.8.0esr (64-Bit) on Debian GNU/Linux 10 (buster) against our embedded Linux devices which create their own self-signed certs like this:
60 gen_cert_one_year_from_now() {
61 openssl req -x509 -new \
62 -keyout "${TTSSL_KEY_FILE}" -out "${TTSSL_CERT_FILE}" \
63 -nodes -subj "/CN=$(hostname)" -utf8 -batch -days 365
64 }
The hostname on all of these devices is the same. I had only 11 devices contacted, when connections became unusable slow and CPU usage of Firefox very high:
% certutil -d sql:. -L | grep -c [redacted]
11
Only connections to those local devices are affected. TLS connections to servers on the WWW work fine and within expectable time.
|
||
Updated•2 years ago
|
|
|
||
Updated•1 year ago
|
Description
•