SSL errors completely freeze any requests in all tabs

VERIFIED FIXED in Firefox 65





(Reporter:, Assigned: kershaw)


61 Branch

Firefox Tracking Flags

(firefox65 verified)


(Whiteboard: [necko-triaged])


(2 attachments)

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/68.0.3440.106 Safari/537.36

Steps to reproduce:

When using a proxy, either by specifying a PAC file or using a VPN extension, navigating to a web-page that has a bad certificate (self-signed, expired, etc) Firefox will completely freeze all network requests in all tabs (including Firefox update checks). I've tested this using several Firefox extensions but also using a PAC script with a fresh squid proxy install with a valid certificate. The same proxy works perfectly in Chrome and displays the corresponding certificate error page.

This is especially frustrating since navigating through sites, if any site has an ajax request or a script or an ad that's on a domain with a bad certificate - the entire browsing experience is ruined as no other page works.

Tested with Firefox 61.0.2 on Windows 8.1 and Firefox 61.0.1 and 62.0b18 on Ubuntu 18.04.

Steps to reproduce:
1. Install Browsec extension (free)
You can test with other extensions and proxies as well, this is not a problem with the extension itself.
2. Turn on VPN
3. Navigate to
4. Click on "expired" link (

Actual results:

Browser hangs: pages don't load. Opening and closing tabs works, the browser itself is not frozen but no network requests go through (not even the Firefox update checks). During this there's a 10-15% load on the CPU (Firefox process). Hitting ESC stops the hung request and everything goes back to normal.

Expected results:

Firefox should display the appropriate certificate error message (or just fail to load the request if it was done via ajax or a script/css).
I was not able to reproduce this issue.
Tested on Ubuntu 18.04 and Windows 7x64
Build ID 	20180830143136
User Agent 	Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:62.0) Gecko/20100101 Firefox/62.0

Browser displaying the following error message.

" uses an invalid security certificate. 
The certificate expired on Sunday, April 12, 2015, 5:59:59 PM. The current time is September 7, 2018, 7:38 PM. 

Thank you.
Component: Untriaged → Security
Product: Firefox → Core
A friend of mine and I have just retested this and the issue is still present with the latest Firefox. I've made a video to demo it: . Please make sure that you've followed all the steps carefully.
Sounds more like a Networking issue to me.
Component: Security → Networking
Flags: needinfo?(
I can see this behaviour, but it appears to be a proxy-side issue to me. Here are the steps I used to reproduce:

1. Set up a squid proxy on localhost
2. Set firefox to use said proxy for all connections
3. Visit
4. In a new tab, go to
5. Note that the google tab appears to hang

Here's why I say this is a proxy-side issue - I ran wireshark during the above steps, and when the google load hung (trying to connect to, I saw in wireshark, firefox appropriately sends the CONNECT for, then squid just... doesn't respond. Eventually firefox timed out the connection (sent a FIN), and approximately a second and a half later, squid sent the HTTP 200. I'll attach the pcap.

Reporter, do you know what proxy software is being used in your case?
Posted file proxy-hang.pcapng
Hello Nicholas,

It is not a server side issue. First of all, the same servers work fine on other browsers or in command-line using cURL.
In order to prove that this is not a server side issue I've unpacked the Browsec extension (sorry Browsec...) and extracted the free server host and port: Next, I've tested that the server indeed works fine:

## Simple curl request:

$ time curl -x
curl: (60) SSL certificate problem: certificate has expired
More details here:

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.

real	0m1.055s
user	0m0.121s
sys	0m0.109s

## With `--insecure` flag:

$ time curl -x --insecure
<!DOCTYPE html>
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <link rel="shortcut icon" href="/icons/favicon-red.ico"/>
  <link rel="apple-touch-icon" href="/icons/icon-red.png"/>
  <link rel="stylesheet" href="/style.css">
  <style>body { background: red; }</style>
<div id="content">
  <h1 style="font-size: 12vw;">


real	0m2.505s
user	0m0.240s
sys	0m0.284s

As you can see I am able to perform requests and the replies come in a timely manner.

Next, in order to set this proxy in Firefox I've created a simple pac file, proxy.pac:

$ cat ~/tmp/proxy.pac 
function FindProxyForURL(url, host) {
 return "HTTPS;";
}

Next I've started a HTTP server using `python -m SimpleHTTPServer 8080` and have set the automatic proxy configuration URL in firefox to `http://localhost:8080/proxy.pac` like in this screenshot: .

I've navigated to a couple of sites and have checked my IP in order to make sure that the proxy is being used and then navigated to and it hung just like in the video.
Flags: needinfo?(
I've initially mentioned that there's a 10-15% load on the CPU (Firefox process) but I have to make a correction - the firefox process consumes 100% CPU.
(In reply to shark0der from comment #6)
> function FindProxyForURL(url, host) {
>  return "HTTPS;";
> }

Please retry with:

return "HTTPS";

(remove the trailing semicolon) and let us know.  I know you can specify multiple proxies but there may be a bug when the semicolon is not followed by one.
Flags: needinfo?(
> Please retry with:
> return "HTTPS";

I have removed the trailing semicolon, it made no difference - invalid certificates still freeze all the network requests and a process spikes to 100% CPU as previously mentioned.
Flags: needinfo?(
OK, thanks.  Then please provide a log, it may tell us something:

Please add a few more modules to the MOZ_LOG list: pipnss:5,proxy:5

Flags: needinfo?(
I can reproduce this.

Please see the link for the log below.

Note that this log is produced with MOZ_LOG=timestamp,nsHttp:5,nsSocketTransport:5,pipnss:5
Assignee: nobody → kershaw
Flags: needinfo?(
Ever confirmed: true
Priority: -- → P2
Whiteboard: [necko-triaged]
(In reply to Kershaw Chang [:kershaw] from comment #11)
> I can reproduce this.
> Please see the link for the log below.
> view?usp=sharing
> Note that this log is produced with
> MOZ_LOG=timestamp,nsHttp:5,nsSocketTransport:5,pipnss:5

The log shows that the STS thread is stuck in this loop.
When PR_Read/PR_Write returns -1, we have to use ErrorAccordingToNSPR to get the error code. We need to close the transaction if the real error happens.
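
A simplified model of the failure described in the comment above, added here as an illustration; it is not Firefox or NSPR code. Plain `errno` stands in for the NSPR error lookup, and `txn`, `drive_buggy`, `drive_fixed` and the two stub readers are hypothetical names.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/types.h>

/* Constructed stand-ins for the socket read call (PR_Read in the bug). */
typedef ssize_t (*read_fn)(char *buf, size_t len);
static ssize_t read_not_ready(char *b, size_t n) { (void)b; (void)n; errno = EAGAIN; return -1; }
static ssize_t read_bad_cert(char *b, size_t n)  { (void)b; (void)n; errno = EPROTO; return -1; }

typedef struct { read_fn read; int closed; int err; } txn;   /* hypothetical */
enum { SPIN_CAP = 100000 };   /* demo bound so the buggy loop terminates here */
enum { TXN_DATA, TXN_WAIT, TXN_CLOSED };

/* Buggy shape: every -1 is taken to mean "try again". Returns calls made. */
static int drive_buggy(txn *t) {
    char buf[512];
    int calls = 0;
    while (calls < SPIN_CAP) {
        calls++;
        if (t->read(buf, sizeof buf) >= 0) break;   /* data or EOF ends the loop */
        /* -1 falls through and retries, whatever the actual error was */
    }
    return calls;
}

/* Fixed shape: on -1, look up the error; only would-block is retryable. */
static int drive_fixed(txn *t) {
    char buf[512];
    if (t->read(buf, sizeof buf) >= 0) return TXN_DATA;
    if (errno == EAGAIN || errno == EWOULDBLOCK) return TXN_WAIT;  /* back to poll */
    t->err = errno;      /* real failure: record it and close the transaction */
    t->closed = 1;
    return TXN_CLOSED;
}

int main(void) {
    txn bad = { read_bad_cert, 0, 0 }, idle = { read_not_ready, 0, 0 };
    printf("buggy, hard error: %d calls\n", drive_buggy(&bad));
    printf("fixed, hard error: %d (closed=%d)\n", drive_fixed(&bad), bad.closed);
    printf("fixed, not ready:  %d (closed=%d)\n", drive_fixed(&idle), idle.closed);
    return 0;
}
```

With a persistent hard error the buggy driver burns its whole call budget, which is the 100% CPU symptom reported earlier in the thread; the fixed driver closes after one call and still leaves a not-ready socket open.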
Duplicate of this bug: 1415412
Duplicate of this bug: 1503296
Attachment #9019757 - Attachment description: Bug 1484947 - Close the transaction if PR_Read/PR_Write failed → Bug 1484947 - Close the transaction if PR_Read/PR_Write failed, r=nwgh
Pushed by
Close the transaction if PR_Read/PR_Write failed, r=nwgh
Closed: 10 months ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla65
Flags: qe-verify+
I reproduced this issue using Fx 63.0a1, build ID:20180821100053, on Ubuntu 18.04 x64.

I can confirm this issue is fixed, I verified using Fx 65.0b8, build ID: 20190103150357, on Ubuntu 18.04 LTS, Windows 10 x64 and macOS X 10.13.6.
Flags: qe-verify+
Depends on: 1520483
Depends on: 1563695
Regressions: 1563695