"ssl_error_rx_malformed_server_hello" on some major websites (including twitter)

RESOLVED INVALID

Status

--
blocker
RESOLVED INVALID
7 months ago
5 months ago

People

(Reporter: thelastlin, Unassigned, NeedInfo)

Tracking

({regression, site-compat})

other
regression, site-compat

Firefox Tracking Flags

(geckoview62 unaffected, firefox-esr60 unaffected, firefox62 wontfix, firefox63 wontfix, firefox64- wontfix)

Details

Attachments

(4 attachments)

(Reporter)

Description

7 months ago
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:63.0) Gecko/20100101 Firefox/63.0
Build ID: 20180830123124

Steps to reproduce:

( Try to access https://www.ifanr.com/ and found some resource in https://images.ifanr.cn/ isn't 'available' )
Try to access "https://images.ifanr.cn/" and it doesn't work.
But "https://dev.ssllabs.com/ssltest/analyze.html?d=images.ifanr.cn&latest" and other browsers reports no error.


Actual results:

Suddenly I receive the error infomation in GUI:
SSL_ERROR_RX_MALFORMED_SERVER_HELLO
(Reporter)

Updated

7 months ago
OS: Unspecified → Windows 10
Hardware: Unspecified → x86_64
Should be the same as bug 1487150 but I'm unsure if this page is hosted by akamai.
Assignee: nobody → nobody
Blocks: 1470914
Status: UNCONFIRMED → NEW
Component: Untriaged → Libraries
Ever confirmed: true
Product: Firefox → NSS
Version: 63 Branch → other

Comment 2

7 months ago
(In reply to Matthias Versen [:Matti] from comment #1)
> Should be the same as bug 1487150 but I'm unsure if this page is hosted by
> akamai.

No it is not akamai, but aicdn.com:

> ;; QUESTION SECTION:
> ;images.ifanr.cn.               IN      A
> 
> ;; ANSWER SECTION:
> images.ifanr.cn.        21599   IN      CNAME   ifanr-cdn.b0.aicdn.com.

Comment 3

7 months ago
I think this may be related to your cdn provider: upyun.com.
Because I found another domain with the same problem:
https://www.kancloud.cn/
And also, the cdn provider is upyun.com. This may be the case.

Comment 4

7 months ago
I was able to reproduce the issue with site with TLS 1.3 draft 18 enabled.
* imworld.rediff.com
* newsimg.rediff.com
* 1.www.s81c.com
* www.ibm.com
Most sites here work for me. With the different TLS 1.3 draft versions out there and Firefox only supporting one (from version 63 that's the RFC version), some breakage is to expect.
This is not correct. There should not be any breakage. If there is, there's a bug somewhere. Current evidence is that this is a server-side problem.
QA Contact: franziskuskiefer
Starting today on Nightly I'm seeing this same problem on Twitter and on https://www.gog.com, where they're unable to load some of their static assets. mozregression brought me here, or rather to bug 1470914. I go to both of these sites every day, so I know the problem started today.

I did find that turning security.tls.version.max down to 3 makes the problem go away. Unfortunately I don't have any error code, there isn't one on the error page I get when I try to load one of the failing resources directly in a tab.

Since bug 1470914 obviously did not land in today's Nightly, that also indicates a server-side change as the source of the problem.
Since last night I've had issues loading assets from many different CDNs in Nightly on two different machines that I don't have with Release or Chrome on the same two machines.

assets from ap.rdcpix.com were blocked, per the network devtools, when visiting realtor.com and several, if not all, assets from pbs.twimg.com were blocked when visiting twitter
Can you please provide a specific URL that wasn't working?
I am not able to reproduce this on either Nightly or Beta. What platform are you on? Specifically, do you have some kind of AV?
Windows 10 for me, and no AV beyond the built-in Defender stuff.
Hmm... I am unable to reproduce this on a Mac. Can you please provide a PCAP file?
Posted file twitter.pcapng
Here's an attempt to load twitter.com from a fresh profile (probably with a bunch of noise in it because I'm not quite sure what's relevant and what isn't).

Comment 16

6 months ago
I also have this problem with twitter.com, tumblr.com, and komonews.com. Seems to have started today.

firefox-62.0-3.fc28.x86_64 (Fedora 28 64-bit)

Comment 17

6 months ago
Posted image ssl error message

Comment 18

6 months ago
major site breakage starting today in nightly (don't see it in a new profile in 63.0b).
status-firefox64: --- → affected
tracking-firefox64: --- → ?

Updated

6 months ago
Duplicate of this bug: 1498702

Updated

6 months ago
Duplicate of this bug: 1498631

Updated

6 months ago
Duplicate of this bug: 1498666

Updated

6 months ago
Duplicate of this bug: 1498718
Keywords: site-compat
Confirmed the regression range.

Ctrl+F5, repeat.
mozregression --good 2018-08-10 --bad 2018-10-12 --pref network.http.request.max-attempts:1 -a https://abs.twimg.com/a/1539134078/css/t1/twitter_core.bundle.css
> 7:04.90 INFO: Last good revision: b5ebdb085efaf31a4f00159334c2d23679e5fa27
> 7:04.90 INFO: First bad revision: 4a4b97e9087ca8ebed570bbc8591e4515eebee93
> 7:04.90 INFO: Pushlog:
> https://hg.mozilla.org/integration/mozilla-inbound/pushloghtml?fromchange=b5ebdb085efaf31a4f00159334c2d23679e5fa27&tochange=4a4b97e9087ca8ebed570bbc8591e4515eebee93

> 4a4b97e9087c	Kai Engert — Bug 1470914, NSS_3_39_BETA2, r=me
status-firefox62: --- → unaffected
status-firefox63: --- → affected
status-firefox-esr60: --- → unaffected
status-geckoview62: --- → unaffected
Keywords: regression
OS: Windows 10 → All
Hardware: x86_64 → All

Comment 24

6 months ago
Another site: https://www.geforce.com fails to load. This apparently uses EdgeCast CDN.

One thing I noticed with all these domains is that they still have the green lock icon even though the body of the window says the secure connection failed. It seems that if the browser can't securely connect to a site it should maybe not have a green lock on it?

Comment 25

6 months ago
This is now in the Web Compatibility bug list - https://github.com/webcompat/web-bugs/issues/19694 and https://webcompat.com/issues/19700
[Tracking Requested - why for this release]: Twitter connection error. (comment 23)

Beta 63.0b14, 20181011200118 @ Debian Testing, KDE, Xorg
Easily reproducible with network.http.request.max-attempts;1.
tracking-firefox63: --- → ?
This capture is a single failed connection for https://abs.twimg.com/favicons/favicon.ico. Hopefully this is easier to read than the other one with the full twitter.com page load.
(In reply to Jan Andre Ikenmeyer [:darkspirit] from comment #26)
> [Tracking Requested - why for this release]: Twitter connection error.
> (comment 23)
> 
> Beta 63.0b14, 20181011200118 @ Debian Testing, KDE, Xorg
> Easily reproducible with network.http.request.max-attempts;1.

Hmm... I just tried exactly this on Ubuntu and it worked fine.


:mhowell @c27: that pcap is kind of messed up, but it doesn't look like there is a bogus ServerHello.
Hmm.... Can someone who is experiencing this confirm that they are seeing ssl_error_rx_malformed_server_hello as opposed to some other error? Because otherwise this may be a different defect and we should open a new bug.
:darkspirit, :mhowell, are you able to try with NSS directly? Might be able to get some traction there.

If you can, try this:

## The following is all prep
# Build NSS
hg clone https://hg.mozilla.org/projects/nss
hg clone https://hg.mozilla.org/projects/nspr
cd nss
make nss_build_all

export PLATFORM=`cat $NSS_ROOT/dist/latest`
export DYLD_LIBRARY_PATH=$NSS_ROOT/dist/$PLATFORM/lib
export LD_LIBRARY_PATH=$NSS_ROOT/dist/$PLATFORM/lib

# Run NSS tests (this creates the cert db. Sorry about that).
cd tests/ssl_gtests
./ssl_gtests.sh


# Now run the test
../dist/$PLATFORM/bin/tstclnt -d ../tests_results/security/$HOST/ssl_gtests/ -V tls1.2:tls1.3 -o -h <hostname> -p port

Comment 31

6 months ago
(In reply to Matt Howell [:mhowell] from comment #8)
> Starting today on Nightly I'm seeing this same problem on Twitter and on
> https://www.gog.com, where they're unable to load some of their static
> assets. mozregression brought me here, or rather to bug 1470914. I go to
> both of these sites every day, so I know the problem started today.
> 
> I did find that turning security.tls.version.max down to 3 makes the problem
> go away. Unfortunately I don't have any error code, there isn't one on the
> error page I get when I try to load one of the failing resources directly in
> a tab.
> 
> Since bug 1470914 obviously did not land in today's Nightly, that also
> indicates a server-side change as the source of the problem.

This setting fixed it for me - Nightly installed locally from Mozilla download, 64 bit, Arch Linux
Comment hidden (typo)
(In reply to Eric Rescorla (:ekr) from comment #29)
> Hmm.... Can someone who is experiencing this confirm that they are seeing ssl_error_rx_malformed_server_hello as opposed to some other error? Because otherwise this may be a different defect and we should open a new bug.

In comment 23 I see the error from comment 17.
security.tls.version.max;3 seems to fix this, but also network.http.spdy.enabled.http2;false.

> $ ../dist/$PLATFORM/bin/tstclnt -d ../tests_results/security/nss.1/ssl_gtests/ -V tls1.2:tls1.3 -o -h abs.twimg.com -p 443
> Bad server certificate: -8179, Peer's Certificate issuer is not recognized.
> subject DN: CN=*.twimg.com,OU=Twitter Security,O="Twitter, Inc.",L=San Francisco,ST=California,C=US
> issuer  DN: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
> 0 cache hits; 0 cache misses, 0 cache not reusable
> 0 stateless resumes
> Received 0 Cert Status items (OCSP stapled data)
:darkspirit, can you confirm for me that if you leave security.tls.version.max;4 and set network.http.spdy.enabled.http2;false then it works? Because if so that's a real clue!
Flags: needinfo?(jan)
I can verify that setting just network.http.spdy.enabled.http2;false and leaving security.tls.version.max at 4 does work for me.
Yep
Flags: needinfo?(jan)
:mhowell, :darkspirit, that's interesting!

I've hackily modified the NSS test programs to do ALPN. Branch at:

  https://github.com/ekr/nss/commits/alpn_in_tctclnt

No promises this code isn't messed up, but it worked for me...

Can you try the same test but with the additional command line flag to tstclnt: -B h2:http/1.1

If it works, you should get something like:

  ALPN negotiated: h2

As part of the output.
But even better news if it doesn't work!
Flags: needinfo?(mhowell)
Flags: needinfo?(jan)
I believe the problem here is on the Twitter side. We're negotiating
TLS 1.3, but for some reason it thinks that the cipher we're
negotiating isn't permissible (e.g., it's one of the banned ciphers
from HTTP/2) and sending us INADEQUATE_SECURITY.

Here are the relevant pieces of the Firefox network traces

   [Parent 28876: Socket Thread]: I/nsHttp Http2Session::ConfirmTLSProfile 0x13517f000 mConnection=0x13eecb260
   [Parent 28876: Socket Thread]: I/nsHttp Http2Session::ConfirmTLSProfile 0x13517f000 sslsocketcontrol=0x1427c40f8
   [Parent 28876: Socket Thread]: I/nsHttp Http2Session::ConfirmTLSProfile 0x13517f000 version=304
   [Parent 28876: Socket Thread]: I/nsHttp Http2Session::ConfirmTLSProfile 0x13517f000 MAC Algortihm (aead==6) 6

This here means we negotiated TLS 1.3 All the TLS 1.3 algorithms are
acceptable for HTTP2. In a separate packet trace from NSS we see that
we are negotiating TLS_AES_256_GCM_SHA384


   [Parent 28876: Socket Thread]: I/nsHttp Http2Session::RecvGoAway 0x13517f000 GOAWAY Last-Good-ID 0x0 status 0xC live streams=0

And this is us receiving a GoAway with an INADEQUATE_SECURITY(0xc)
error and tearing down the connection.
Flags: needinfo?(mhowell)
Flags: needinfo?(jan)
Comment hidden (me-too)

Comment 41

6 months ago
Trying to understand the scope of this so we can better escalate. Is this a sporadic problem or is it for a certain set of users? We haven't heard too many reports so I'm wondering what triggered it. Is it only present in Firefox Beta?
(In reply to charlie.croom from comment #41)
> Trying to understand the scope of this so we can better escalate. Is this a
> sporadic problem or is it for a certain set of users? We haven't heard too
> many reports so I'm wondering what triggered it. Is it only present in
> Firefox Beta?

Hi Charlie, thanks for jumping on this.

It seems to be confined to a certain set of users for whom it happens reliably. Our hypothesis is that they are getting differently configured CDN nodes (with TLS 1.3 on). So perhaps you have some sort of partial rollout going on? When I connect myself I get no problems but also TLS 1.2. Based on c9, I believe the problem is confined to Beta and Nightly.

With that said, Firefox 64 (Beta) goes to Release 10/22, so this is going to be a problem in Release shortly.

Comment 43

6 months ago
Thanks for the context. Given that, I won't wake anyone up over this. But I'll make sure it gets in front of the right people on Monday so that we can convey the issue to edge cast.

Comment 44

6 months ago
Anyone visiting Twitter or TweetDeck from Firefox will see this, I think - I had it show up on both Nightly 64 and Firefox 62. It also showed up on https://webcompat.com/ - I filed a bug there but it wasn't the first. That's why you're seeing all the interest and duplicate bugs on this suddenly.

Comment 45

6 months ago
There is also a thread about this going on the firefox subreddit at https://www.reddit.com/r/firefox/comments/9nmnio/twitter_css_does_not_seem_to_load_properly_in/ but I don't know how may of those posts are duplicated in the above duplicated bugs or in webcompat.com.

Updated

6 months ago
Duplicate of this bug: 1498752
(In reply to charlie.croom from comment #43)
> Thanks for the context. Given that, I won't wake anyone up over this. But
> I'll make sure it gets in front of the right people on Monday so that we can
> convey the issue to edge cast.

All images are broken on Twitter for me, since this morning. Basically unable to make use of Twitter, to rephrase it.

Comment 48

6 months ago
It brokoke armorgames.com site loading static resources from cache.armorgames.com ect.

BUT
why does the result differ based on ISP I try?
While it's broken on my fast ethernet connection, when tethering mobile Internet site loads properly...?
Different CDN server? Timeouts?
Duplicate of this bug: 1498799
Charlie: based on c8 above, it sounds like there may be a problem with Release. znmeb can you re-confirm it happens in 62?

c48: it seems like the problem here is that CDN nodes are broken and others are not.
Flags: needinfo?(znmeb)
Flags: needinfo?(charlie.croom)
Severity: normal → blocker
Summary: Get "ssl_error_rx_malformed_server_hello" since 63.0b2 in some site → "ssl_error_rx_malformed_server_hello" on some major websites (including twitter)
I can't repro on Twitter anymore/at the moment, but still on https://wac.edgecastcdn.net/ with Nightly 64, Beta 63.0b14 and OpenSSL 1.1.1, but (so far) not with Release 62.0.3.

Comment 52

5 months ago
Here you go - it's still there. I did a "Refresh Firefox" before the screenshot.

Application Basics
------------------

Name: Firefox
Version: 62.0.3
Build ID: 20181003120558
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:62.0) Gecko/20100101 Firefox/62.0
OS: Linux 4.18.12-arch1-1-ARCH
Multiprocess Windows: 2/2 (Enabled by default)
Web Content Processes: 4/4
Enterprise Policies: Inactive
Google Key: Found
Mozilla Location Service Key: Found
Safe Mode: false

Crash Reports for the Last 3 Days
---------------------------------

All Crash Reports     Firefox Features
--------------------------------------

Name: Activity Stream
Version: 2018.08.22.1219-93becf29
ID: activity-stream@mozilla.org

Name: Application Update Service Helper
Version: 2.0
ID: aushelper@mozilla.org

Name: Firefox Screenshots
Version: 33.0.0
ID: screenshots@mozilla.org

Name: Form Autofill
Version: 1.0
ID: formautofill@mozilla.org

Name: Photon onboarding
Version: 1.0
ID: onboarding@mozilla.org

Name: Pocket
Version: 1.0.5
ID: firefox@getpocket.com

Name: Web Compat
Version: 2.0
ID: webcompat@mozilla.org

Name: WebCompat Reporter
Version: 1.0.0
ID: webcompat-reporter@mozilla.org

Extensions
----------

Security Software
----------------- Type:

Type:

Type:

Graphics
--------

Features
Compositing: Basic
Asynchronous Pan/Zoom: wheel input enabled; scrollbar drag enabled; keyboard enabled; autoscroll enabled
WebGL 1 Driver WSI Info: GLX 1.4 GLX_VENDOR(client): Mesa Project and SGI GLX_VENDOR(server): SGI Extensions: GLX_ARB_create_context GLX_ARB_create_context_profile GLX_ARB_create_context_robustness GLX_ARB_fbconfig_float GLX_ARB_framebuffer_sRGB GLX_ARB_get_proc_address GLX_ARB_multisample GLX_EXT_buffer_age GLX_EXT_create_context_es2_profile GLX_EXT_create_context_es_profile GLX_EXT_fbconfig_packed_float GLX_EXT_framebuffer_sRGB GLX_EXT_import_context GLX_EXT_texture_from_pixmap GLX_EXT_visual_info GLX_EXT_visual_rating GLX_INTEL_swap_event GLX_MESA_copy_sub_buffer GLX_MESA_query_renderer GLX_MESA_swap_control GLX_OML_swap_method GLX_OML_sync_control GLX_SGIS_multisample GLX_SGIX_fbconfig GLX_SGIX_pbuffer GLX_SGIX_visual_select_group GLX_SGI_make_current_read GLX_SGI_swap_control GLX_SGI_video_sync
WebGL 1 Driver Renderer: X.Org -- AMD Radeon HD 7700 Series (BONAIRE, DRM 3.26.0, 4.18.12-arch1-1-ARCH, LLVM 7.0.0)
WebGL 1 Driver Version: 4.4 (Compatibility Profile) Mesa 18.2.2
WebGL 1 Driver Extensions: GL_AMD_conservative_depth GL_AMD_draw_buffers_blend GL_AMD_performance_monitor GL_AMD_pinned_memory GL_AMD_seamless_cubemap_per_texture GL_AMD_shader_stencil_export GL_AMD_shader_trinary_minmax GL_AMD_vertex_shader_layer GL_AMD_vertex_shader_viewport_index GL_ANGLE_texture_compression_dxt3 GL_ANGLE_texture_compression_dxt5 GL_APPLE_packed_pixels GL_ARB_ES2_compatibility GL_ARB_ES3_1_compatibility GL_ARB_ES3_compatibility GL_ARB_arrays_of_arrays GL_ARB_base_instance GL_ARB_bindless_texture GL_ARB_blend_func_extended GL_ARB_buffer_storage GL_ARB_clear_buffer_object GL_ARB_clear_texture GL_ARB_clip_control GL_ARB_color_buffer_float GL_ARB_compatibility GL_ARB_compressed_texture_pixel_storage GL_ARB_compute_shader GL_ARB_compute_variable_group_size GL_ARB_conditional_render_inverted GL_ARB_conservative_depth GL_ARB_copy_buffer GL_ARB_copy_image GL_ARB_cull_distance GL_ARB_debug_output GL_ARB_depth_buffer_float GL_ARB_depth_clamp GL_ARB_depth_texture GL_ARB_derivative_control GL_ARB_draw_buffers GL_ARB_draw_buffers_blend GL_ARB_draw_elements_base_vertex GL_ARB_draw_indirect GL_ARB_draw_instanced GL_ARB_enhanced_layouts GL_ARB_explicit_attrib_location GL_ARB_explicit_uniform_location GL_ARB_fragment_coord_conventions GL_ARB_fragment_layer_viewport GL_ARB_fragment_program GL_ARB_fragment_program_shadow GL_ARB_fragment_shader GL_ARB_framebuffer_no_attachments GL_ARB_framebuffer_object GL_ARB_framebuffer_sRGB GL_ARB_get_program_binary GL_ARB_get_texture_sub_image GL_ARB_gpu_shader5 GL_ARB_gpu_shader_fp64 GL_ARB_half_float_pixel GL_ARB_half_float_vertex GL_ARB_indirect_parameters GL_ARB_instanced_arrays GL_ARB_internalformat_query GL_ARB_internalformat_query2 GL_ARB_invalidate_subdata GL_ARB_map_buffer_alignment GL_ARB_map_buffer_range GL_ARB_multi_bind GL_ARB_multi_draw_indirect GL_ARB_multisample GL_ARB_multitexture GL_ARB_occlusion_query GL_ARB_occlusion_query2 GL_ARB_pipeline_statistics_query GL_ARB_pixel_buffer_object GL_ARB_point_parameters GL_ARB_point_sprite GL_ARB_polygon_offset_clamp GL_ARB_program_interface_query GL_ARB_provoking_vertex GL_ARB_query_buffer_object GL_ARB_robust_buffer_access_behavior GL_ARB_robustness GL_ARB_sample_shading GL_ARB_sampler_objects GL_ARB_seamless_cube_map GL_ARB_seamless_cubemap_per_texture GL_ARB_separate_shader_objects GL_ARB_shader_atomic_counter_ops GL_ARB_shader_atomic_counters GL_ARB_shader_ballot GL_ARB_shader_bit_encoding GL_ARB_shader_clock GL_ARB_shader_draw_parameters GL_ARB_shader_group_vote GL_ARB_shader_image_load_store GL_ARB_shader_image_size GL_ARB_shader_objects GL_ARB_shader_precision GL_ARB_shader_stencil_export GL_ARB_shader_storage_buffer_object GL_ARB_shader_subroutine GL_ARB_shader_texture_image_samples GL_ARB_shader_texture_lod GL_ARB_shader_viewport_layer_array GL_ARB_shading_language_100 GL_ARB_shading_language_420pack GL_ARB_shading_language_packing GL_ARB_shadow GL_ARB_sparse_buffer GL_ARB_stencil_texturing GL_ARB_sync GL_ARB_tessellation_shader GL_ARB_texture_barrier GL_ARB_texture_border_clamp GL_ARB_texture_buffer_object GL_ARB_texture_buffer_object_rgb32 GL_ARB_texture_buffer_range GL_ARB_texture_compression GL_ARB_texture_compression_bptc GL_ARB_texture_compression_rgtc GL_ARB_texture_cube_map GL_ARB_texture_cube_map_array GL_ARB_texture_env_add GL_ARB_texture_env_combine GL_ARB_texture_env_crossbar GL_ARB_texture_env_dot3 GL_ARB_texture_filter_anisotropic GL_ARB_texture_float GL_ARB_texture_gather GL_ARB_texture_mirror_clamp_to_edge GL_ARB_texture_mirrored_repeat GL_ARB_texture_multisample GL_ARB_texture_non_power_of_two GL_ARB_texture_query_levels GL_ARB_texture_query_lod GL_ARB_texture_rectangle GL_ARB_texture_rg GL_ARB_texture_rgb10_a2ui GL_ARB_texture_stencil8 GL_ARB_texture_storage GL_ARB_texture_storage_multisample GL_ARB_texture_swizzle GL_ARB_texture_view GL_ARB_timer_query GL_ARB_transform_feedback2 GL_ARB_transform_feedback3 GL_ARB_transform_feedback_instanced GL_ARB_transform_feedback_overflow_query GL_ARB_transpose_matrix GL_ARB_uniform_buffer_object GL_ARB_vertex_array_bgra GL_ARB_vertex_array_object GL_ARB_vertex_attrib_64bit GL_ARB_vertex_attrib_binding GL_ARB_vertex_buffer_object GL_ARB_vertex_program GL_ARB_vertex_shader GL_ARB_vertex_type_10f_11f_11f_rev GL_ARB_vertex_type_2_10_10_10_rev GL_ARB_viewport_array GL_ARB_window_pos GL_ATI_blend_equation_separate GL_ATI_draw_buffers GL_ATI_fragment_shader GL_ATI_meminfo GL_ATI_separate_stencil GL_ATI_texture_compression_3dc GL_ATI_texture_env_combine3 GL_ATI_texture_float GL_ATI_texture_mirror_once GL_EXT_abgr GL_EXT_bgra GL_EXT_blend_color GL_EXT_blend_equation_separate GL_EXT_blend_func_separate GL_EXT_blend_minmax GL_EXT_blend_subtract GL_EXT_compiled_vertex_array GL_EXT_copy_texture GL_EXT_depth_bounds_test GL_EXT_draw_buffers2 GL_EXT_draw_instanced GL_EXT_draw_range_elements GL_EXT_fog_coord GL_EXT_framebuffer_blit GL_EXT_framebuffer_multisample GL_EXT_framebuffer_multisample_blit_scaled GL_EXT_framebuffer_object GL_EXT_framebuffer_sRGB GL_EXT_gpu_program_parameters GL_EXT_memory_object GL_EXT_memory_object_fd GL_EXT_multi_draw_arrays GL_EXT_packed_depth_stencil GL_EXT_packed_float GL_EXT_packed_pixels GL_EXT_pixel_buffer_object GL_EXT_point_parameters GL_EXT_polygon_offset_clamp GL_EXT_provoking_vertex GL_EXT_rescale_normal GL_EXT_secondary_color GL_EXT_semaphore GL_EXT_semaphore_fd GL_EXT_separate_specular_color GL_EXT_shader_integer_mix GL_EXT_shadow_funcs GL_EXT_stencil_two_side GL_EXT_stencil_wrap GL_EXT_subtexture GL_EXT_texture GL_EXT_texture3D GL_EXT_texture_array GL_EXT_texture_compression_dxt1 GL_EXT_texture_compression_latc GL_EXT_texture_compression_rgtc GL_EXT_texture_compression_s3tc GL_EXT_texture_cube_map GL_EXT_texture_edge_clamp GL_EXT_texture_env_add GL_EXT_texture_env_combine GL_EXT_texture_env_dot3 GL_EXT_texture_filter_anisotropic GL_EXT_texture_integer GL_EXT_texture_lod_bias GL_EXT_texture_mirror_clamp GL_EXT_texture_object GL_EXT_texture_rectangle GL_EXT_texture_sRGB GL_EXT_texture_sRGB_decode GL_EXT_texture_shared_exponent GL_EXT_texture_snorm GL_EXT_texture_swizzle GL_EXT_timer_query GL_EXT_transform_feedback GL_EXT_vertex_array GL_EXT_vertex_array_bgra GL_IBM_multimode_draw_arrays GL_IBM_rasterpos_clip GL_IBM_texture_mirrored_repeat GL_INGR_blend_func_separate GL_KHR_blend_equation_advanced GL_KHR_context_flush_control GL_KHR_debug GL_KHR_no_error GL_KHR_robust_buffer_access_behavior GL_KHR_robustness GL_KHR_texture_compression_astc_ldr GL_MESA_pack_invert GL_MESA_shader_integer_functions GL_MESA_texture_signed_rgba GL_MESA_window_pos GL_NVX_gpu_memory_info GL_NV_blend_square GL_NV_conditional_render GL_NV_depth_clamp GL_NV_fog_distance GL_NV_light_max_exponent GL_NV_packed_depth_stencil GL_NV_primitive_restart GL_NV_texgen_reflection GL_NV_texture_barrier GL_NV_texture_env_combine4 GL_NV_texture_rectangle GL_NV_vdpau_interop GL_OES_EGL_image GL_OES_read_format GL_S3_s3tc GL_SGIS_generate_mipmap GL_SGIS_texture_border_clamp GL_SGIS_texture_edge_clamp GL_SGIS_texture_lod GL_SUN_multi_draw_arrays
WebGL 1 Extensions: ANGLE_instanced_arrays EXT_blend_minmax EXT_color_buffer_half_float EXT_frag_depth EXT_sRGB EXT_shader_texture_lod EXT_texture_filter_anisotropic EXT_disjoint_timer_query OES_element_index_uint OES_standard_derivatives OES_texture_float OES_texture_float_linear OES_texture_half_float OES_texture_half_float_linear OES_vertex_array_object WEBGL_color_buffer_float WEBGL_compressed_texture_astc WEBGL_compressed_texture_etc WEBGL_compressed_texture_s3tc WEBGL_compressed_texture_s3tc_srgb WEBGL_debug_renderer_info WEBGL_debug_shaders WEBGL_depth_texture WEBGL_draw_buffers WEBGL_lose_context
WebGL 2 Driver WSI Info: GLX 1.4 GLX_VENDOR(client): Mesa Project and SGI GLX_VENDOR(server): SGI Extensions: GLX_ARB_create_context GLX_ARB_create_context_profile GLX_ARB_create_context_robustness GLX_ARB_fbconfig_float GLX_ARB_framebuffer_sRGB GLX_ARB_get_proc_address GLX_ARB_multisample GLX_EXT_buffer_age GLX_EXT_create_context_es2_profile GLX_EXT_create_context_es_profile GLX_EXT_fbconfig_packed_float GLX_EXT_framebuffer_sRGB GLX_EXT_import_context GLX_EXT_texture_from_pixmap GLX_EXT_visual_info GLX_EXT_visual_rating GLX_INTEL_swap_event GLX_MESA_copy_sub_buffer GLX_MESA_query_renderer GLX_MESA_swap_control GLX_OML_swap_method GLX_OML_sync_control GLX_SGIS_multisample GLX_SGIX_fbconfig GLX_SGIX_pbuffer GLX_SGIX_visual_select_group GLX_SGI_make_current_read GLX_SGI_swap_control GLX_SGI_video_sync
WebGL 2 Driver Renderer: X.Org -- AMD Radeon HD 7700 Series (BONAIRE, DRM 3.26.0, 4.18.12-arch1-1-ARCH, LLVM 7.0.0)
WebGL 2 Driver Version: 4.5 (Core Profile) Mesa 18.2.2
WebGL 2 Driver Extensions: GL_AMD_conservative_depth GL_AMD_draw_buffers_blend GL_AMD_performance_monitor GL_AMD_pinned_memory GL_AMD_seamless_cubemap_per_texture GL_AMD_shader_stencil_export GL_AMD_shader_trinary_minmax GL_AMD_vertex_shader_layer GL_AMD_vertex_shader_viewport_index GL_ANGLE_texture_compression_dxt3 GL_ANGLE_texture_compression_dxt5 GL_ARB_ES2_compatibility GL_ARB_ES3_1_compatibility GL_ARB_ES3_2_compatibility GL_ARB_ES3_compatibility GL_ARB_arrays_of_arrays GL_ARB_base_instance GL_ARB_bindless_texture GL_ARB_blend_func_extended GL_ARB_buffer_storage GL_ARB_clear_buffer_object GL_ARB_clear_texture GL_ARB_clip_control GL_ARB_color_buffer_float GL_ARB_compressed_texture_pixel_storage GL_ARB_compute_shader GL_ARB_compute_variable_group_size GL_ARB_conditional_render_inverted GL_ARB_conservative_depth GL_ARB_copy_buffer GL_ARB_copy_image GL_ARB_cull_distance GL_ARB_debug_output GL_ARB_depth_buffer_float GL_ARB_depth_clamp GL_ARB_derivative_control GL_ARB_direct_state_access GL_ARB_draw_buffers GL_ARB_draw_buffers_blend GL_ARB_draw_elements_base_vertex GL_ARB_draw_indirect GL_ARB_draw_instanced GL_ARB_enhanced_layouts GL_ARB_explicit_attrib_location GL_ARB_explicit_uniform_location GL_ARB_fragment_coord_conventions GL_ARB_fragment_layer_viewport GL_ARB_fragment_shader GL_ARB_framebuffer_no_attachments GL_ARB_framebuffer_object GL_ARB_framebuffer_sRGB GL_ARB_get_program_binary GL_ARB_get_texture_sub_image GL_ARB_gpu_shader5 GL_ARB_gpu_shader_fp64 GL_ARB_gpu_shader_int64 GL_ARB_half_float_pixel GL_ARB_half_float_vertex GL_ARB_indirect_parameters GL_ARB_instanced_arrays GL_ARB_internalformat_query GL_ARB_internalformat_query2 GL_ARB_invalidate_subdata GL_ARB_map_buffer_alignment GL_ARB_map_buffer_range GL_ARB_multi_bind GL_ARB_multi_draw_indirect GL_ARB_occlusion_query2 GL_ARB_pipeline_statistics_query GL_ARB_pixel_buffer_object GL_ARB_point_sprite GL_ARB_polygon_offset_clamp GL_ARB_program_interface_query GL_ARB_provoking_vertex GL_ARB_query_buffer_object GL_ARB_robust_buffer_access_behavior GL_ARB_robustness GL_ARB_sample_shading GL_ARB_sampler_objects GL_ARB_seamless_cube_map GL_ARB_seamless_cubemap_per_texture GL_ARB_separate_shader_objects GL_ARB_shader_atomic_counter_ops GL_ARB_shader_atomic_counters GL_ARB_shader_ballot GL_ARB_shader_bit_encoding GL_ARB_shader_clock GL_ARB_shader_draw_parameters GL_ARB_shader_group_vote GL_ARB_shader_image_load_store GL_ARB_shader_image_size GL_ARB_shader_objects GL_ARB_shader_precision GL_ARB_shader_stencil_export GL_ARB_shader_storage_buffer_object GL_ARB_shader_subroutine GL_ARB_shader_texture_image_samples GL_ARB_shader_texture_lod GL_ARB_shader_viewport_layer_array GL_ARB_shading_language_420pack GL_ARB_shading_language_packing GL_ARB_sparse_buffer GL_ARB_stencil_texturing GL_ARB_sync GL_ARB_tessellation_shader GL_ARB_texture_barrier GL_ARB_texture_buffer_object GL_ARB_texture_buffer_object_rgb32 GL_ARB_texture_buffer_range GL_ARB_texture_compression_bptc GL_ARB_texture_compression_rgtc GL_ARB_texture_cube_map_array GL_ARB_texture_filter_anisotropic GL_ARB_texture_float GL_ARB_texture_gather GL_ARB_texture_mirror_clamp_to_edge GL_ARB_texture_multisample GL_ARB_texture_non_power_of_two GL_ARB_texture_query_levels GL_ARB_texture_query_lod GL_ARB_texture_rectangle GL_ARB_texture_rg GL_ARB_texture_rgb10_a2ui GL_ARB_texture_stencil8 GL_ARB_texture_storage GL_ARB_texture_storage_multisample GL_ARB_texture_swizzle GL_ARB_texture_view GL_ARB_timer_query GL_ARB_transform_feedback2 GL_ARB_transform_feedback3 GL_ARB_transform_feedback_instanced GL_ARB_transform_feedback_overflow_query GL_ARB_uniform_buffer_object GL_ARB_vertex_array_bgra GL_ARB_vertex_array_object GL_ARB_vertex_attrib_64bit GL_ARB_vertex_attrib_binding GL_ARB_vertex_shader GL_ARB_vertex_type_10f_11f_11f_rev GL_ARB_vertex_type_2_10_10_10_rev GL_ARB_viewport_array GL_ATI_blend_equation_separate GL_ATI_meminfo GL_ATI_texture_float GL_ATI_texture_mirror_once GL_EXT_abgr GL_EXT_blend_equation_separate GL_EXT_depth_bounds_test GL_EXT_draw_buffers2 GL_EXT_draw_instanced GL_EXT_framebuffer_blit GL_EXT_framebuffer_multisample GL_EXT_framebuffer_multisample_blit_scaled GL_EXT_framebuffer_sRGB GL_EXT_memory_object GL_EXT_memory_object_fd GL_EXT_packed_depth_stencil GL_EXT_packed_float GL_EXT_pixel_buffer_object GL_EXT_polygon_offset_clamp GL_EXT_provoking_vertex GL_EXT_semaphore GL_EXT_semaphore_fd GL_EXT_shader_integer_mix GL_EXT_texture_array GL_EXT_texture_compression_dxt1 GL_EXT_texture_compression_rgtc GL_EXT_texture_compression_s3tc GL_EXT_texture_filter_anisotropic GL_EXT_texture_integer GL_EXT_texture_mirror_clamp GL_EXT_texture_sRGB GL_EXT_texture_sRGB_decode GL_EXT_texture_shared_exponent GL_EXT_texture_snorm GL_EXT_texture_swizzle GL_EXT_timer_query GL_EXT_transform_feedback GL_EXT_vertex_array_bgra GL_IBM_multimode_draw_arrays GL_KHR_blend_equation_advanced GL_KHR_context_flush_control GL_KHR_debug GL_KHR_no_error GL_KHR_robust_buffer_access_behavior GL_KHR_robustness GL_KHR_texture_compression_astc_ldr GL_MESA_pack_invert GL_MESA_shader_integer_functions GL_MESA_texture_signed_rgba GL_NVX_gpu_memory_info GL_NV_conditional_render GL_NV_depth_clamp GL_NV_packed_depth_stencil GL_NV_texture_barrier GL_NV_vdpau_interop GL_OES_EGL_image GL_S3_s3tc
WebGL 2 Extensions: EXT_color_buffer_float EXT_texture_filter_anisotropic EXT_disjoint_timer_query OES_texture_float_linear WEBGL_compressed_texture_astc WEBGL_compressed_texture_etc WEBGL_compressed_texture_s3tc WEBGL_compressed_texture_s3tc_srgb WEBGL_debug_renderer_info WEBGL_debug_shaders WEBGL_lose_context
GPU #1
Active: Yes
Description: X.Org -- AMD Radeon HD 7700 Series (BONAIRE, DRM 3.26.0, 4.18.12-arch1-1-ARCH, LLVM 7.0.0)
Vendor ID: X.Org
Device ID: AMD Radeon HD 7700 Series (BONAIRE, DRM 3.26.0, 4.18.12-arch1-1-ARCH, LLVM 7.0.0)
Driver Version: 4.4 (Compatibility Profile) Mesa 18.2.2

Diagnostics
AzureCanvasAccelerated: 0
AzureCanvasBackend: skia
AzureContentBackend: skia
AzureFallbackCanvasBackend: none
CairoUseXRender: 0
Decision Log
HW_COMPOSITING:
blocked by default: Acceleration blocked by platform
OPENGL_COMPOSITING:
unavailable by default: Hardware compositing is disabled
WEBRENDER:
opt-in by default: WebRender is an opt-in feature
unavailable by runtime: Hardware compositing is disabled
OMTP:
disabled by default: Disabled by default




Media
-----

Audio Backend: remote
Max Channels: 2
Preferred Sample Rate: 44100
Output Devices
Name: Group
Built-in Audio Digital Stereo (IEC958): /devices/pci0000:00/0000:00:14.2/sound/card0
Input Devices
Name: Group
Monitor of Built-in Audio Digital Stereo (IEC958): /devices/pci0000:00/0000:00:14.2/sound/card0
Built-in Audio Analog Stereo: /devices/pci0000:00/0000:00:14.2/sound/card0

Important Modified Preferences
------------------------------

browser.cache.disk.capacity: 1048576
browser.cache.disk.filesystem_reported: 1
browser.cache.disk.smart_size.first_run: false
browser.places.smartBookmarksVersion: 8
browser.startup.homepage_override.buildID: 20181003120558
browser.startup.homepage_override.mstone: 62.0.3
browser.urlbar.placeholderName: Google
extensions.lastAppVersion: 62.0.3
media.gmp.storage.version.observed: 1
network.cookie.prefsMigrated: true
places.history.expiration.transient_current_max_pages: 144831
plugin.disable_full_page_plugin_for_types: application/pdf
privacy.sanitize.pending: [{"id":"newtab-container","itemsToClear":[],"options":{}}]
security.sandbox.content.tempDirSuffix: 4f4612d0-9db5-438e-a164-80ca03db1458
signon.importedFromSqlite: true

Important Locked Preferences
----------------------------

Places Database
---------------

JavaScript
----------

Incremental GC: true

Accessibility
-------------

Activated: false
Prevent Accessibility: 0

Library Versions
----------------

NSPR
Expected minimum version: 4.20
Version in use: 4.20

NSS
Expected minimum version: 3.39
Version in use: 3.39

NSSSMIME
Expected minimum version: 3.39
Version in use: 3.39

NSSSSL
Expected minimum version: 3.39
Version in use: 3.39

NSSUTIL
Expected minimum version: 3.39
Version in use: 3.39

Sandbox
-------

Seccomp-BPF (System Call Filtering): true
Seccomp Thread Synchronization: true
User Namespaces for privileged processes: true
User Namespaces: false
Content Process Sandboxing: true
Media Plugin Sandboxing: true
Content Process Sandbox Level: 4
Effective Content Process Sandbox Level: 4

Rejected System Calls
---------------------

Internationalization & Localization
-----------------------------------

Application Settings
Requested Locales: ["en-US"]
Available Locales: ["en-US"]
App Locales: ["en-US","und"]
Regional Preferences: ["en-US"]
Default Locale: "und"
Operating System
System Locales: ["en-US"]
Regional Preferences: ["en-US"]
Flags: needinfo?(znmeb)

Comment 53

5 months ago
(In reply to Eric Rescorla (:ekr) from comment #50)
> Charlie: based on c8 above, it sounds like there may be a problem with
> Release. znmeb can you re-confirm it happens in 62?
> 
> c48: it seems like the problem here is that CDN nodes are broken and others
> are not.

I'm not znmeb, but I can confirm it happens on 62.0.3, Debian unstable.

Comment 54

5 months ago
(In reply to braiamp from comment #53)
> (In reply to Eric Rescorla (:ekr) from comment #50)
> > Charlie: based on c8 above, it sounds like there may be a problem with
> > Release. znmeb can you re-confirm it happens in 62?
> > 
> > c48: it seems like the problem here is that CDN nodes are broken and others
> > are not.
> 
> I'm not znmeb, but I can confirm it happens on 62.0.3, Debian unstable.

Confirmed on 62 on Arch Linux - see screenshot
status-firefox62: unaffected → affected
Comment hidden (typo)
(In reply to znmeb from comment #52)
> NSPR
> Expected minimum version: 4.20
> Version in use: 4.20
> 
> NSS
> Expected minimum version: 3.39
> Version in use: 3.39

https://download-installer.cdn.mozilla.net/pub/firefox/releases/62.0.3/linux-x86_64/de/firefox-62.0.3.tar.bz2
Official Firefox 62.0.3 has a different NSS version. That might be why I can't repro.

NSPR
Minimal vorausgesetzte Version: 4.19
Verwendete Version: 4.19

NSS
Minimal vorausgesetzte Version: 3.38
Verwendete Version: 3.38

NSSSMIME
Minimal vorausgesetzte Version: 3.38
Verwendete Version: 3.38

NSSSSL
Minimal vorausgesetzte Version: 3.38
Verwendete Version: 3.38

NSSUTIL
Minimal vorausgesetzte Version: 3.38
Verwendete Version: 3.38

Comment 58

5 months ago
Hi, TLS team lead for VDMS here. We've rolled back the change that creates this issue and we're investigating on our side. Thanks for the info and apologies for the disruption.
Now it works for me on both twitter and tutorialspoint. Thanks Marcus!

Comment 60

5 months ago
Now works for me on my-verizon: https://www.verizonwireless.com/my-verizon/
Franziskus, please take the lead on this.
Assignee: nobody → franziskuskiefer
Status: NEW → ASSIGNED
Tracking for 63 in case we have a dot release between 63 and 64 and we would have to take a ride-along fix.
tracking-firefox63: ? → +
Un-assigning from Franziskus, as the legwork was already done and per Comment 58 there's an upstream update. We'll see if we need to make any changes on our side.
Assignee: franziskuskiefer → nobody
Status: ASSIGNED → NEW
Untracking and wontfix for 63 since this is fixed upstream.
status-firefox63: affected → wontfix
tracking-firefox63: + → ---
status-firefox62: affected → wontfix
status-firefox64: affected → wontfix
tracking-firefox64: ? → -
Resolving as invalid, since as far as I can tel this wasn't our bug.
Status: NEW → RESOLVED
Last Resolved: 5 months ago
Resolution: --- → INVALID
You need to log in before you can comment on or make changes to this bug.