Closed Bug 1625785 Opened 5 years ago Closed 5 years ago

Page info doesn't show "View Certificate" button when FPN is enabled

Categories

(Firefox :: Security, defect, P2)

Product:
Firefox
Component:
Security
Version:
76 Branch
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1627654

People

(Reporter: chris.cushman, Unassigned)

References

Details

Attachments

(7 files)

scrollError.png
77.13 KB, image/png
Details
GetTheAddonButton.png
253.91 KB, image/png
Details
SecurityTab.png
185.40 KB, image/png
Details
StillGettingErrorUnfortunately.png
574.14 KB, image/png
Details
SeeCertWhenFPNisDisabled.png
572.12 KB, image/png
Details
SeeCertForFirstLookbutUnableToCopy.png
559.78 KB, image/png
Details
AbleToSeeCertWithFPNon.png
733.29 KB, image/png
Details
Attached image scrollError.png

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:76.0) Gecko/20100101 Firefox/76.0

Steps to reproduce:

  1. Go to https://scroll.com/ and click on the Setup tab at the top right hand corner.
  2. Then scroll to the "Get the Add-on" button and click it.
  3. You'll be prompted with the "Allow scroll.com to to install an add-on?" click "Continue to Installation"

Actual results:

I get prompted with an error "The add-on could not be downloaded due to a connection failure"

Expected results:

The add-on should've been installed.

See Also: → 1625718

I tried to reproduce this but I don't see the text "Get the Add-on" on the setup page.

Flags: needinfo?(chris.cushman)
Attached image GetTheAddonButton.png

Here is the "Get the Add-on" button.

Flags: needinfo?(chris.cushman)

The whole "Firefox Better Web with Scroll" card isn't present when I visit that page. Perhaps because I'm not in the U.S. Can you provide the link from the "Get the add-on" button?

Component: General → Add-ons Manager
Product: WebExtensions → Toolkit
Flags: needinfo?(chris.cushman)

(In reply to Andrew Swan [:aswan] from comment #3)

The whole "Firefox Better Web with Scroll" card isn't present when I visit that page. Perhaps because I'm not in the U.S. Can you provide the link from the "Get the add-on" button?

Yes I didn't think about that. Are you with Mozilla? If not, then you may not have access as well because this is a paid service. See if this link works: https://firstlook.firefox.com/betterweb/fbw-ext.xpi

Flags: needinfo?(chris.cushman)

The link from comment 4 works fine for me.
Can you load https://firstlook.firefox.com/ in a tab then open Tools -> Page Info, click to the Security tab, click the "View Certificate" button, then cut&paste the certificate chain details into a comment or attachment on this bug? (or a screenshot if that's easier...)

Flags: needinfo?(chris.cushman)
Attached image SecurityTab.png

I don't see a "View Certificate" button

Flags: needinfo?(chris.cushman)

I'm out of my depth here, moving to Firefox:Security where hopefully somebody else can help diagnose this.

Component: Add-ons Manager → Security
Product: Toolkit → Firefox
Summary: Can't download Scroll extension from https://scroll.com/ works in regular Firefox → No TLS certificate information for firstlook.firefox.com in Nightly

Interesting! I wasn't able to reproduce this at first and then I tried to test it with FPN on and indeed it doesn't show the connection details. Gives me the following error:

[Exception... "Component returned failure code: 0x80040111 (NS_ERROR_NOT_AVAILABLE) [nsITransportSecurityInfo.isExtendedValidation]" nsresult: "0x80040111 (NS_ERROR_NOT_AVAILABLE)" location: "JS frame :: resource://gre/modules/SecurityInfo.jsm :: getSecurityInfo :: line 159" data: no]

So for some reason isExtendedValidation doesn't work with proxy extensions? Seems phishy. Looking at github.com (which has a valid EV cert) things work as expected, so it seems like this throws only in the combination of non-EV cert + FPN. Strange.

I'll look into it :)

Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(jhofmann)
Priority: -- → P2
Summary: No TLS certificate information for firstlook.firefox.com in Nightly → Page info doesn't show "View Certificate" button when FPN is enabled

Just to confirm, are you using FPN? Can you try turning it off and reloading the page to see if the problem persists?

Flags: needinfo?(jhofmann) → needinfo?(chris.cushman)
Flags: needinfo?(jhofmann)

Dana, it seems like we're failing the mHasIsEVStatus here. Is that a bug (and would you happen to know how it could be connected to network proxy extensions) or do we need to update consuming code to deal with NS_ERROR_NOT_AVAILABLE? Alternatively we could also return false if mHasIsEVStatus is false...

Thanks!

Flags: needinfo?(jhofmann) → needinfo?(dkeeler)

Thats odd, turned off the FPN, loaded scroll.com/ and clicked on the "get the add-on" button and still got the error.

Flags: needinfo?(chris.cushman)

At the risk of sounding like a tech support, did you try restarting the browser?

This seems like a bug. If mHasIsEVStatus is false, verifying the peer's certificate hasn't completed. That said, from what I can tell on my machine, the peer's certificate does get verified. So somewhere there's a disconnect between the TransportSecurityInfo used for that verification and the TransportSecurityInfo that the front-end is seeing. I'll keep looking. You could also ask the networking team if they know why this could be happening.

Flags: needinfo?(dkeeler)

I do see the certificate when I turn off the FPN like you said but I still can't download the extension for some reason. I tried restarting without all extensions but still get the same error unfortunately.

Are you able to see certificate details for firstlook.firefox.com with FPN disabled?
Sounds like there may be two separate issues here, but if you can paste the cert details for firstlook.firefox.com maybe we can figure out the addon install problem while Johann and Dana are tracking down the Page Info issue.

Flags: needinfo?(chris.cushman)

Yes, although I'm unable to copy the info, I can't even highlight the whole page and just copy it. Is there a better way?

Flags: needinfo?(chris.cushman)
Blocks: 1627292

Forked bug 1627292 for the addon installation discussion so this bug can continue on with the certificate viewer issue...

No longer blocks: 1627292

Any information I can provide in the meantime?

Kershaw, could this be the same issue as bug 1627654? Can you take a look at whether your patch fixes it?

Flags: needinfo?(kershaw)

(In reply to Johann Hofmann [:johannh] from comment #19)

Kershaw, could this be the same issue as bug 1627654? Can you take a look at whether your patch fixes it?

Could be. I can't reproduce by the steps in comment 5.

Hi Reporter,

Could you try this build and see if the issue is fixed?

Flags: needinfo?(kershaw) → needinfo?(chris.cushman)

Good news, I'm able to see the certificate even if I have FPN on. Bad new, I still can't download the extension.

Flags: needinfo?(chris.cushman)

(In reply to chris.cushman from comment #21)

Created attachment 9139331 [details]
AbleToSeeCertWithFPNon.png

Good news, I'm able to see the certificate even if I have FPN on. Bad new, I still can't download the extension.

Not sure the reason why the connection is failed.
Could you try to get the http log? To reduce uncertainty, please capture the log with a clean profile and also turn off FPN.

Thanks.

Flags: needinfo?(chris.cushman)

Ok, thank you for confirming this. I'm duping this so you should probably continue the discussion in bug 1627292.

Thanks!

Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → DUPLICATE

I'll be posting the results of my testing in Bug 1627292

Flags: needinfo?(chris.cushman)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: