421 response code from `icloud.com` not handled well with a proxy
Categories
(Core :: Networking: HTTP, defect, P2)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox80 | --- | affected |
People
(Reporter: svw, Assigned: kershaw)
Details
(Whiteboard: [necko-triaged][ntlm])
Attachments
(9 files)
|
340.04 KB,
application/x-7z-compressed
|
Details | |
|
2.14 MB,
application/octet-stream
|
Details | |
|
47 bytes,
text/x-phabricator-request
|
Details | Review | |
|
6.37 MB,
application/octet-stream
|
Details | |
|
387.82 KB,
application/octet-stream
|
Details | |
|
47 bytes,
text/x-phabricator-request
|
Details | Review | |
|
859.35 KB,
application/octet-stream
|
Details | |
|
1.03 MB,
application/octet-stream
|
Details | |
|
48 bytes,
text/x-phabricator-request
|
Details | Review |
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Steps to reproduce:
In our company network one of our employees tried to log into icloud.com. The website loads but the login screen doesn´t show up. Instead he recieves a Networkerror message.
Actual results:
We use a Mcafee Proxy in our company network. After analyzing the issue we recognized that with internet explorer and firefox on a laptop without using a proxy the website loads the way it should be. Thats because while the connection is established the following link : "setup.icloud.com/setup/ws/1/validate?clientBuildNumber=1923Hotfix2&clientMasteringNumber=1923Hotfix2&clientId=7969427a-aee8-49d1-88d0-5802bb246184" recieves a 421 statuscode in internet explorer and firefox without a proxy. When useing a proxy firefox receives a 200 statuscode and the connection can´t be established. But the proxy does transmit the correct statuscode (421).
Expected results:
While using a proxy firefox should recieve the correct statuscode (as mentioned above) as the proxy transmits the correct one.
|
||
Comment 1•4 years ago
|
||
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
|
||
Updated•4 years ago
|
|
|
||
Comment 2•4 years ago
|
||
I can see the proxy is using NTLM authentication. Not sure this is important, but tentatively marking as NTLM related bug.
|
|
||
Comment 3•4 years ago
|
||
svw, can you please provide HTTP logs for the (minimal, if possible) use case according https://developer.mozilla.org/en-US/docs/Mozilla/Debugging/HTTP_logging?
Thanks.
Sorry it took me so long to provide the needed information.
I uploaded the logfile you requested.
|
|
||
Updated•4 years ago
|
|
|
||
Comment 5•4 years ago
|
||
Thanks. The proxy is requiring NTLM authentication, the auth is successful, we get 200 Connected. The end-server sends back 421, we see it and set the transaction to restart, but we actually don't restart it because (I believe - this is unconfirmed) the NS_HTTP_CONNECTION_RESTARTABLE caps flag is not set (or NS_HTTP_STICKY_CONNECTION unset) on that transaction after we have finished the HTML auth with the proxy (by getting 200 Connected).
I believe we can set the NS_HTTP_CONNECTION_RESTARTABLE (or unset the STICKY) flag at https://searchfox.org/mozilla-central/rev/557a0e222dd104c5d805ba344c45d6abc27d3db0/netwerk/protocol/http/nsHttpTransaction.cpp#2541.
I can have an experimental build to test with.
Thank you for your feedback.
Should we test your experimental build?
Where can we download it?
|
|
||
Comment 7•4 years ago
|
||
I didn't get to working on this bug so far, sorry. I will add comments when anything to test with is available.
|
|
||
Comment 8•4 years ago
|
||
|
|
||
Comment 9•4 years ago
|
||
|
|
||
Comment 10•4 years ago
|
||
Sorry for such a lag, this was considered a lower priority bug.
svw, here is a test build based of Firefox Nightly that you can test with. Please let me know how it goes.
https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/NfQrwmHMTV2dhXECea24sA/runs/0/artifacts/public/build/install/sea/target.installer.exe
|
||
Comment 11•4 years ago
|
||
Pushed by honzab.moz@firemni.cz: https://hg.mozilla.org/integration/autoland/rev/d6d8e1c341f5 Allow restart of an HTTP transaction with 421 HTTP end-server response made through a newly authenticated NTLM proxy connection by unsticking the connection, r=kershaw,necko-reviewers
|
||
Comment 12•4 years ago
|
||
| bugherder | ||
|
Reporter | |
Comment 13•4 years ago
|
||
We tested the provided nightly version. When we try to open icloud.com, a proxy authentication window displayed and a manualy login fails (proxy settings in firefox on auto-detect). And the browser reported a error message (connectionerror). If we use our workaround and set no authentication on the proxy settings for setup.icloud.com, then the website opens.
|
|
||
Comment 14•4 years ago
|
||
(In reply to svw from comment #13)
Created attachment 9162125 [details]
log.txt-main.6464.moz_logWe tested the provided nightly version. When we try to open icloud.com, a proxy authentication window displayed and a manualy login fails (proxy settings in firefox on auto-detect). And the browser reported a error message (connectionerror). If we use our workaround and set no authentication on the proxy settings for setup.icloud.com, then the website opens.
Thanks. What was exactly the setting for logging you used? It seems to be missing some information, seems like you used nsHttp:4 instead of nsHttp:5.
|
|
||
Updated•4 years ago
|
|
|
Reporter | |
Comment 15•4 years ago
|
||
The setting was at nsHTTP:3. Here are the new logging with nsHTTP:5.
|
|
||
Comment 16•4 years ago
|
||
Thanks for the log. I will have to write a test for this code path to catch all things we are still missing here. Unfortunatelly, NTLM et al are very undertested.
|
|
||
Comment 17•4 years ago
|
||
I see two things to do here:
- drop Proxy-Authrorization request header on the restarted transaction to not confuse the proxy with a no longer valid value and rather reathenticate
- tell the HTTP authenticator of the http channel to reset the proxy auth identity and start over.
|
|
||
Comment 18•4 years ago
|
||
|
|
||
Comment 19•4 years ago
|
||
svw, please check this test build, based of the current Nightly as before:
https://firefox-ci-tc.services.mozilla.com/api/queue/v1/task/BH0qbs_4Te2Xu_ZowMQk1w/runs/0/artifacts/public/build/install/sea/target.installer.exe
Thanks!
|
|
||
Comment 20•4 years ago
|
||
|
|
Reporter | |
Comment 21•4 years ago
|
||
Thanks for the new Testversion.
Now when we try to open icloud.com, the proxy authentication window displayed only one time. After a manually login the window doesn't popup anymore, but the website doesn't load completely (see the screenshot). If we clear the cache, the proxy authentication window will no longer appear.
|
|
||
Comment 22•4 years ago
|
||
Thanks.
The request:
POST /setup/ws/1/validate?clientBuildNumber=2013Project42&clientMasteringNumber=2013B29&clientId=1b1524d3-30ce-422f-a8de-a159f5bad847 HTTP/1.1
Host: setup.icloud.com
loops, we are getting 421 on and on, but proxy auth works as expected. This is then yet a different bug.
I don't see any request in the log from comment 21 that would popup the auth dialog for proxy auth.
|
|
||
Comment 23•4 years ago
|
||
Note that the icloud server receiving the POST is talking HTTP/1.1 and there seems to be no alternative way to talk to the server. So I'm quite puzzled what happens here.
|
|
||
Comment 24•4 years ago
|
||
I would be interested in a log when you exclude setup.icloud.com from proxy authentication. I'd like to compare with a "correct" flow.
|
|
Reporter | |
Comment 25•4 years ago
|
||
If we exclude setup.icloud.com from proxy authentication, the website opens correctly. In the attechment you will find the logs with exlude proxy authentication and the normally situation with proxy authentication. The proxy does not block setup.icloud and the client also comes with the correct user. But the HTTP-Status was 421, as you wrote from comment 22.
|
|
||
Updated•4 years ago
|
|
|
||
Comment 26•4 years ago
|
||
(In reply to svw from comment #25)
Created attachment 9168402 [details]
Logs06082020.7z
Thanks. In the log I can see the server responses with 421 to the second, restarted request. So, the only problem that my patch is causing is the loop. I don't have much time right now to attend this bug, though.
Thanks for all the logs and responses, I'll get back to this bug sometime later.
|
|
||
Comment 27•4 years ago
|
||
Pushed by honzab.moz@firemni.cz: https://hg.mozilla.org/integration/autoland/rev/3f59e3e8b36d Clear used proxy identity in nsHttpChannelAuthProvider to prevent authentication prompt pop-up on transaction internal restart, r=kershaw,necko-reviewers
|
||
Comment 28•4 years ago
|
||
| bugherder | ||
|
|
||
Updated•4 years ago
|
|
|
||
Comment 29•3 years ago
|
||
The leave-open keyword is there and there is no activity for 6 months.
:jstutte, maybe it's time to close this bug?
|
||
Comment 30•3 years ago
|
||
Hi Kershaw, is there anything left todo here? Thanks!
|
Assignee | |
Comment 31•3 years ago
|
||
(In reply to Jens Stutte [:jstutte] from comment #30)
Hi Kershaw, is there anything left todo here? Thanks!
Yes, the problem is not fixed yet. I'll look at this.
|
|
Assignee | |
Comment 32•3 years ago
|
||
Hello Reporter,
Could you use this build to test again?
Please also try to get the http log if you still see the same problem.
Thanks.
|
|
Reporter | |
Comment 33•3 years ago
|
||
Hello,
it seems to be good in your build.
The test in Firefox ESR 78.7.1 was successfully, too.
|
|
Reporter | |
Comment 34•3 years ago
|
||
Hello,
sorry for the false information.
We have call the website without proxy authentification.
If we call the website with proxy authentification, only in the nightly version it works correct.
Thank you very much.
|
|
Assignee | |
Comment 35•3 years ago
|
||
|
|
||
Comment 36•3 years ago
|
||
Pushed by kjang@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/f45dc6a2bafc When receiving 421, don't restart the transaction that has a sticky connection r=necko-reviewers,dragana
|
||
Comment 37•3 years ago
|
||
| bugherder | ||
|
|
Assignee | |
Updated•3 years ago
|
|
|
Assignee | |
Updated•3 years ago
|
Description
•