Page info doesn't show "View Certificate" button when FPN is enabled
Categories
(Firefox :: Security, defect, P2)
Tracking
()
People
(Reporter: chris.cushman, Unassigned)
References
Details
Attachments
(7 files)
User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:76.0) Gecko/20100101 Firefox/76.0
Steps to reproduce:
- Go to https://scroll.com/ and click on the Setup tab at the top right hand corner.
- Then scroll to the "Get the Add-on" button and click it.
- You'll be prompted with the "Allow scroll.com to to install an add-on?" click "Continue to Installation"
Actual results:
I get prompted with an error "The add-on could not be downloaded due to a connection failure"
Expected results:
The add-on should've been installed.
Comment 1•5 years ago
|
||
I tried to reproduce this but I don't see the text "Get the Add-on" on the setup page.
Reporter | ||
Comment 2•5 years ago
|
||
Here is the "Get the Add-on" button.
Comment 3•5 years ago
|
||
The whole "Firefox Better Web with Scroll" card isn't present when I visit that page. Perhaps because I'm not in the U.S. Can you provide the link from the "Get the add-on" button?
Updated•5 years ago
|
Reporter | ||
Comment 4•5 years ago
|
||
(In reply to Andrew Swan [:aswan] from comment #3)
The whole "Firefox Better Web with Scroll" card isn't present when I visit that page. Perhaps because I'm not in the U.S. Can you provide the link from the "Get the add-on" button?
Yes I didn't think about that. Are you with Mozilla? If not, then you may not have access as well because this is a paid service. See if this link works: https://firstlook.firefox.com/betterweb/fbw-ext.xpi
Comment 5•5 years ago
|
||
The link from comment 4 works fine for me.
Can you load https://firstlook.firefox.com/ in a tab then open Tools -> Page Info, click to the Security tab, click the "View Certificate" button, then cut&paste the certificate chain details into a comment or attachment on this bug? (or a screenshot if that's easier...)
Reporter | ||
Comment 6•5 years ago
|
||
I don't see a "View Certificate" button
Comment 7•5 years ago
|
||
I'm out of my depth here, moving to Firefox:Security where hopefully somebody else can help diagnose this.
Comment 8•5 years ago
|
||
Interesting! I wasn't able to reproduce this at first and then I tried to test it with FPN on and indeed it doesn't show the connection details. Gives me the following error:
[Exception... "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsITransportSecurityInfo.isExtendedValidation]" nsresult: "0x80040111 (NS_ERROR_NOT_AVAILABLE)" location: "JS frame :: resource://gre/modules/SecurityInfo.jsm :: getSecurityInfo :: line 159" data: no]
So for some reason isExtendedValidation doesn't work with proxy extensions? Seems phishy. Looking at github.com (which has a valid EV cert) things work as expected, so it seems like this throws only in the combination of non-EV cert + FPN. Strange.
I'll look into it :)
Comment 9•5 years ago
|
||
Just to confirm, are you using FPN? Can you try turning it off and reloading the page to see if the problem persists?
Updated•5 years ago
|
Comment 10•5 years ago
|
||
Dana, it seems like we're failing the mHasIsEVStatus
here. Is that a bug (and would you happen to know how it could be connected to network proxy extensions) or do we need to update consuming code to deal with NS_ERROR_NOT_AVAILABLE
? Alternatively we could also return false if mHasIsEVStatus
is false...
Thanks!
Reporter | ||
Comment 11•5 years ago
|
||
Thats odd, turned off the FPN, loaded scroll.com/ and clicked on the "get the add-on" button and still got the error.
Comment 12•5 years ago
|
||
At the risk of sounding like a tech support, did you try restarting the browser?
Comment 13•5 years ago
|
||
This seems like a bug. If mHasIsEVStatus
is false
, verifying the peer's certificate hasn't completed. That said, from what I can tell on my machine, the peer's certificate does get verified. So somewhere there's a disconnect between the TransportSecurityInfo
used for that verification and the TransportSecurityInfo
that the front-end is seeing. I'll keep looking. You could also ask the networking team if they know why this could be happening.
Reporter | ||
Comment 14•5 years ago
|
||
I do see the certificate when I turn off the FPN like you said but I still can't download the extension for some reason. I tried restarting without all extensions but still get the same error unfortunately.
Comment 15•5 years ago
|
||
Are you able to see certificate details for firstlook.firefox.com with FPN disabled?
Sounds like there may be two separate issues here, but if you can paste the cert details for firstlook.firefox.com maybe we can figure out the addon install problem while Johann and Dana are tracking down the Page Info issue.
Reporter | ||
Comment 16•5 years ago
|
||
Yes, although I'm unable to copy the info, I can't even highlight the whole page and just copy it. Is there a better way?
Comment 17•5 years ago
|
||
Forked bug 1627292 for the addon installation discussion so this bug can continue on with the certificate viewer issue...
Reporter | ||
Comment 18•5 years ago
|
||
Any information I can provide in the meantime?
Comment 19•5 years ago
|
||
Kershaw, could this be the same issue as bug 1627654? Can you take a look at whether your patch fixes it?
Comment 20•5 years ago
|
||
(In reply to Johann Hofmann [:johannh] from comment #19)
Kershaw, could this be the same issue as bug 1627654? Can you take a look at whether your patch fixes it?
Could be. I can't reproduce by the steps in comment 5.
Hi Reporter,
Could you try this build and see if the issue is fixed?
Reporter | ||
Comment 21•5 years ago
|
||
Good news, I'm able to see the certificate even if I have FPN on. Bad new, I still can't download the extension.
Comment 22•5 years ago
|
||
(In reply to chris.cushman from comment #21)
Created attachment 9139331 [details]
AbleToSeeCertWithFPNon.pngGood news, I'm able to see the certificate even if I have FPN on. Bad new, I still can't download the extension.
Not sure the reason why the connection is failed.
Could you try to get the http log? To reduce uncertainty, please capture the log with a clean profile and also turn off FPN.
Thanks.
Comment 23•5 years ago
|
||
Ok, thank you for confirming this. I'm duping this so you should probably continue the discussion in bug 1627292.
Thanks!
Reporter | ||
Comment 24•5 years ago
|
||
I'll be posting the results of my testing in Bug 1627292
Description
•