Closed Bug 1535559 Opened 6 years ago Closed 6 years ago

Firefox sometimes send requests to wrong server based on SSL SAN

Categories

(Core :: Networking, defect)

66 Branch
defect
Not set
normal

Tracking


RESOLVED DUPLICATE of bug 1420777

People

(Reporter: maxence, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/72.0.3626.121 Chrome/72.0.3626.121 Safari/537.36

Steps to reproduce:

We have 2 domains:

The corresponding DNS records are:

www.site.fr IN A 1.1.1.1
www.site.fr IN A 2.2.2.2

media.site.fr IN A 1.1.1.1
media.site.fr IN A 2.2.2.2
media.site.fr IN A 3.3.3.3

Note that IP 3.3.3.3 is only used for media.site.fr; it has never been used for www.

We also share a Let's Encrypt certificate for both domains:

openssl x509 -in cert.pem -noout -text | grep -A 1 'X509v3 Subject Alternative Name'

        X509v3 Subject Alternative Name:
            DNS:www.site.fr, DNS:media.site.fr

(main certificate subject is site.fr).

Actual results:

Sometimes, the media server behind 3.3.3.3 receives requests for www. While analyzing, we found that:

  • it affects almost all versions of Firefox (see below), Safari and Qwant
  • it does not seem to affect Chromium / Chrome / IE
  • it only happens from time to time

Some numbers :

  • We got 25812 'failed' requests out of 3185798 requests, so it seems to happen only very sporadically
  • Browsers (from the UA) are mostly Firefox (based):

zgrep 3.3.3.3 varnishncsa.log.gz |grep 'GET http://www' | cut -d '"' -f 12 | awk '{ print $NF }'|sort |uniq -c

  3 Firefox/23.0
  1 Firefox/38.0
  1 Firefox/44.0
 11 Firefox/45.0
  4 Firefox/47.0
  3 Firefox/48.0
 13 Firefox/50.0
 50 Firefox/51.0
624 Firefox/52.0
 46 Firefox/53.0
 21 Firefox/54.0
 12 Firefox/55.0
 51 Firefox/56.0
 40 Firefox/57.0
 25 Firefox/58.0
 37 Firefox/59.0
893 Firefox/60.0
104 Firefox/61.0
384 Firefox/62.0
203 Firefox/63.0
325 Firefox/64.0
22594 Firefox/65.0
67 Firefox/66.0
1 Lightning/6.2.5.3
7 NetType/WIFI
1 PTST/SpeedCurve/190307.140307
1 QwantBrowser/57.0
1 QwantBrowser/59.0.3
2 QwantBrowser/62.0.4
50 QwantBrowser/63.0.1
8 Safari
223 Safari/537.36
1 Safari/605.1.15

We suspected that, for some reason, Firefox uses the certificate SAN to decide, under some circumstances, that 3.3.3.3 is a valid host for www.site.fr, even if it does not appear in DNS.
So we created another certificate only for media.site.fr, and indeed, no more bad requests since.

Expected results:

It looks like Firefox should not consider a server valid for a given domain based only on the SSL SAN, and we should not receive requests for www.site.fr on 3.3.3.3.

Also, all OSes seem to be impacted:

$ zgrep 3.3.3.3 varnishncsa.log.gz |grep 'GET http://www' | cut -d '"' -f 12 | grep -o '.*rv'|sort |uniq -c
1 Mozilla/5.0 (Android 4.1.2; Tablet; rv
2 Mozilla/5.0 (Android 4.2.2; Mobile; rv
6 Mozilla/5.0 (Android 4.2.2; Tablet; rv
11 Mozilla/5.0 (Android 4.4.2; Mobile; rv
6 Mozilla/5.0 (Android 4.4.2; Tablet; rv
2 Mozilla/5.0 (Android 5.0.1; Mobile; rv
4 Mozilla/5.0 (Android 5.0.2; Mobile; rv
3 Mozilla/5.0 (Android 5.0.2; Tablet; rv
13 Mozilla/5.0 (Android 5.1.1; Mobile; rv
5 Mozilla/5.0 (Android 5.1.1; Tablet; rv
117 Mozilla/5.0 (Android 6.0.1; Mobile; rv
2 Mozilla/5.0 (Android 6.0.1; Tablet; rv
24 Mozilla/5.0 (Android 6.0; Mobile; rv
6 Mozilla/5.0 (Android 6.0; Tablet; rv
54 Mozilla/5.0 (Android 7.0; Mobile; rv
11 Mozilla/5.0 (Android 7.0; Tablet; rv
18 Mozilla/5.0 (Android 7.1.1; Mobile; rv
12 Mozilla/5.0 (Android 7.1.1; Tablet; rv
2 Mozilla/5.0 (Android 7.1.2; Mobile; rv
280 Mozilla/5.0 (Android 8.0.0; Mobile; rv
63 Mozilla/5.0 (Android 8.1.0; Mobile; rv
16 Mozilla/5.0 (Android 8.1.0; Tablet; rv
50 Mozilla/5.0 (Android 9; Mobile; rv
165 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.10; rv
358 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.11; rv
238 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.12; rv
253 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.13; rv
348 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv
1 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv
95 Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv
165 Mozilla/5.0 (Windows NT 10.0; rv
12091 Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv
1036 Mozilla/5.0 (Windows NT 10.0; WOW64; rv
118 Mozilla/5.0 (Windows NT 5.1; rv
4 Mozilla/5.0 (Windows NT 5.1; WOW64; rv
9 Mozilla/5.0 (Windows NT 5.2; rv
38 Mozilla/5.0 (Windows NT 6.0; rv
16 Mozilla/5.0 (Windows NT 6.0; WOW64; rv
741 Mozilla/5.0 (Windows NT 6.1; rv
5647 Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv
825 Mozilla/5.0 (Windows NT 6.1; WOW64; rv
63 Mozilla/5.0 (Windows NT 6.2; rv
140 Mozilla/5.0 (Windows NT 6.2; Win64; x64; rv
24 Mozilla/5.0 (Windows NT 6.2; WOW64; rv
87 Mozilla/5.0 (Windows NT 6.3; rv
1453 Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv
110 Mozilla/5.0 (Windows NT 6.3; WOW64; rv
20 Mozilla/5.0 (X11; Fedora; Linux x86_64; rv
302 Mozilla/5.0 (X11; Linux armv7l; rv
104 Mozilla/5.0 (X11; Linux x86_64; rv
36 Mozilla/5.0 (X11; Ubuntu; Linux i686; rv
312 Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv
1 Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:65.0) Gecko/20100101 Firefox/65.0 PTST/SpeedCurv
20 Qwant/2.5 (Android 4.4.2; Mobile; rv
3 QwantMobile/2.0 (Android 6.0.1; Mobile; rv
1 QwantMobile/2.0 (Android 7.0; Mobile; rv
1 QwantMobile/2.5 (Android 6.0.1; Mobile; rv
2 QwantMobile/2.5 (Android 6.0; Mobile; rv
4 QwantMobile/2.5 (Android 7.0; Mobile; rv
4 QwantMobile/2.5 (Android 7.1.1; Mobile; rv
13 QwantMobile/2.5 (Android 8.0.0; Mobile; rv
6 QwantMobile/2.5 (Android 8.1.0; Mobile; rv

I am attempting to confirm this bug, but the technical knowledge needed here is a bit above my own.
I do not understand the exact issue. The best way to go about this is to write a list of unambiguous steps to reproduce the problem with Actual and Expected results so I can reproduce and give it a corresponding component. Can you help?

Thank you for your contribution!

Flags: needinfo?(maxence)

Hi,

here are the steps (this is the way we reproduced it).

  1. Get 3 servers: 1.1.1.1, 2.2.2.2, 3.3.3.3.

  2. Define 2 domains in DNS:

  • www.domain.tld IN A 1.1.1.1
  • www.domain.tld IN A 2.2.2.2
  • media.domain.tld IN A 1.1.1.1
  • media.domain.tld IN A 2.2.2.2
  • media.domain.tld IN A 3.3.3.3

  3. Get a (Let's Encrypt in our case) SSL certificate with 2 SANs:

  4. Configure an SSL vhost for:
  • www.domain.tld on 1.1.1.1 and 2.2.2.2
  • media.domain.tld on 1.1.1.1, 2.2.2.2 AND 3.3.3.3

with the certificate you created in 3) (so you use the same cert for the 2 vhosts).

  5. Have a page on www.domain.tld which loads files from both the www and media domains (i.e. CSS from www, pictures from media in our case).

When reaching the page, from time to time, Firefox will request www.domain.tld on 3.3.3.3.

Flags: needinfo?(maxence)
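The behaviour in the steps above is HTTP/2 connection coalescing, and the following is an added model of the decision, not code from the bug report, from Firefox or from any other browser. It runs the report's DNS answers and SAN list through two reuse policies as they are characterised in Daniel Stenberg's post on connection coalescing (linked in the resolution comment): the "overlapping DNS" policy, where any IP shared between the two hostnames' answers is enough, and the stricter policy where the existing connection's own IP must be among the new hostname's answers. The policy descriptions, the `H2Connection` type and every function name are assumptions made for illustration; wildcard SAN matching is deliberately omitted because the report's certificate has none.

```python
"""Model of HTTP/2 connection coalescing over the DNS data in the report.

Added example: not the report's code, nor any browser's. Policies are an
assumption based on Daniel Stenberg's description of Firefox vs Chrome.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Set

# DNS answers and SAN lists taken from the report (its placeholder addresses kept).
DNS: Dict[str, FrozenSet[str]] = {
    "www.site.fr": frozenset({"1.1.1.1", "2.2.2.2"}),
    "media.site.fr": frozenset({"1.1.1.1", "2.2.2.2", "3.3.3.3"}),
}
SHARED_CERT_SAN = frozenset({"www.site.fr", "media.site.fr"})  # the original cert
MEDIA_ONLY_CERT_SAN = frozenset({"media.site.fr"})             # the reporter's workaround


@dataclass(frozen=True)
class H2Connection:
    host: str             # hostname the connection was opened for
    ip: str               # address the TCP/TLS connection actually went to
    san: FrozenSet[str]   # DNS SANs in the certificate the server presented


def cert_covers(conn: H2Connection, new_host: str) -> bool:
    """Exact-match SAN check (no wildcards in the report's certificate)."""
    return new_host in conn.san


def firefox_can_coalesce(conn: H2Connection, new_host: str, dns) -> bool:
    """Overlapping-DNS policy: cert covers new_host and the two names share any IP."""
    return cert_covers(conn, new_host) and bool(dns[conn.host] & dns[new_host])


def chrome_can_coalesce(conn: H2Connection, new_host: str, dns) -> bool:
    """Stricter policy: cert covers new_host and the connection's IP is in new_host's answers."""
    return cert_covers(conn, new_host) and conn.ip in dns[new_host]


Policy = Callable[[H2Connection, str, dict], bool]


def where_request_goes(policy: Policy, conn: H2Connection, new_host: str, dns) -> str:
    """IP a request for new_host is sent to: the reused connection's IP, or a fresh DNS answer."""
    if policy(conn, new_host, dns):
        return conn.ip
    return sorted(dns[new_host])[0]  # new connection to an address DNS actually lists


def misrouting_addresses(policy: Policy, origin_host: str, new_host: str, dns, san) -> Set[str]:
    """Addresses of origin_host that the policy would reuse for new_host although
    new_host's DNS never pointed there: exactly the traffic the report saw on 3.3.3.3."""
    return {
        ip for ip in dns[origin_host]
        if policy(H2Connection(origin_host, ip, san), new_host, dns) and ip not in dns[new_host]
    }


if __name__ == "__main__":
    conn = H2Connection("media.site.fr", "3.3.3.3", SHARED_CERT_SAN)
    for name, policy in (("overlapping-DNS (Firefox)", firefox_can_coalesce),
                         ("connection-IP (Chrome)", chrome_can_coalesce)):
        print(f"{name}: www.site.fr goes to {where_request_goes(policy, conn, 'www.site.fr', DNS)}")
    print("misrouting with shared cert:", misrouting_addresses(firefox_can_coalesce, "media.site.fr", "www.site.fr", DNS, SHARED_CERT_SAN))
    print("misrouting with media-only cert:", misrouting_addresses(firefox_can_coalesce, "media.site.fr", "www.site.fr", DNS, MEDIA_ONLY_CERT_SAN))
```

Under the overlapping-DNS policy the existing media.site.fr connection to 3.3.3.3 is reused for www.site.fr because the two names share 1.1.1.1 and 2.2.2.2 and the certificate lists both; under the connection-IP policy it is not, because 3.3.3.3 is not an answer for www.site.fr. That is consistent with the report's observation that Firefox-based browsers are affected and Chromium is not, and with the bad requests stopping once the certificate on 3.3.3.3 no longer named www.site.fr.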

Valentin, can you help with this, please?

Flags: needinfo?(valentin.gosu)
Component: Untriaged → Networking
Product: Firefox → Core

(In reply to u408661 from bug 1420777 comment #1)

Both servers share at least some DNS, and both servers assert (via tls) that
they are authoritative for both A.e.c and B.e.c. This is 100% allowed per
7540. The 421 http error code is the proper way to handle this situation if
you have overlapping dns and tls.

Also see:
https://daniel.haxx.se/blog/2016/08/18/http2-connection-coalescing/

Status: UNCONFIRMED → RESOLVED
Closed: 6 years ago
Flags: needinfo?(valentin.gosu)
Resolution: --- → DUPLICATE
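The server-side handling the resolution points at, as an added example that is not from the bug, from Varnish or from Firefox: RFC 7540 section 9.1.2 defines 421 Misdirected Request for exactly the case where a coalesced connection delivers a request for an origin the server is not configured for, and a client that receives it retries on a new connection. The address-to-hostname table below mirrors the vhost layout in the report; the table itself, the `route_status` helper and the demo handler are assumptions for illustration, and the same check is normally expressed in the web server's own configuration rather than in application code.

```python
"""Answer 421 Misdirected Request when a request arrives on an address that
does not serve the requested host. Added example, not the report's setup."""
from http import HTTPStatus
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

# Hostnames each listening address is actually configured to serve (from the report's vhosts).
VHOSTS_BY_ADDRESS = {
    "1.1.1.1": {"www.site.fr", "media.site.fr"},
    "2.2.2.2": {"www.site.fr", "media.site.fr"},
    "3.3.3.3": {"media.site.fr"},   # www.site.fr is never served here
}


def authority_host(host_header: str) -> str:
    """Normalise a Host / :authority value: lower-case, strip an optional port."""
    host = host_header.strip().lower()
    if host.startswith("["):                     # IPv6 literal such as [::1]:443
        return host.split("]")[0] + "]"
    return host.rsplit(":", 1)[0] if ":" in host else host


def route_status(listen_ip: str, host_header, vhosts=VHOSTS_BY_ADDRESS) -> int:
    """Status to answer with before any routing: 400 without a Host, 421 if this
    address is not authoritative for the host, otherwise 200 (proceed normally)."""
    if not host_header:
        return HTTPStatus.BAD_REQUEST
    host = authority_host(host_header)
    if host not in vhosts.get(listen_ip, set()):
        return HTTPStatus.MISDIRECTED_REQUEST
    return HTTPStatus.OK


class MisdirectGuard(BaseHTTPRequestHandler):
    """Minimal handler that applies route_status to every GET."""
    protocol_version = "HTTP/1.1"

    def do_GET(self):
        listen_ip = self.server.server_address[0]
        status = HTTPStatus(route_status(listen_ip, self.headers.get("Host")))
        body = f"{status.value} {status.phrase}\n".encode()
        self.send_response(status)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Loopback demo standing in for the 3.3.3.3 media server:
    #   curl -H 'Host: media.site.fr' http://127.0.0.1:8421/   -> 200
    #   curl -H 'Host: www.site.fr'   http://127.0.0.1:8421/   -> 421
    VHOSTS_BY_ADDRESS["127.0.0.1"] = {"media.site.fr"}
    ThreadingHTTPServer(("127.0.0.1", 8421), MisdirectGuard).serve_forever()
```

With this in place the misrouted requests in the report's Varnish logs would have been answered with 421 instead of being served by the media vhost, and the browsers would have retried www.site.fr on a connection to 1.1.1.1 or 2.2.2.2. The reporter's workaround of issuing a certificate naming only media.site.fr on 3.3.3.3 stops the coalescing at the client side; the 421 response covers the case where a shared certificate is still wanted.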