Open Bug 1639914 Opened 3 months ago Updated 1 month ago

SEC_ERROR_OCSP_SERVER_ERROR with most https websites when security.OCSP.require is set to true and a https .pac file is used

Categories

(Core :: Security: PSM, defect, P3)

76 Branch
defect

Tracking

Tracking Status
firefox78 --- affected

People

(Reporter: vincent-moz, Unassigned)

Details

(Whiteboard: [necko-triaged])

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0

Steps to reproduce:

  1. Start Firefox with a new profile (via "firefox -P").

  2. In Preferences → General → Network Settings, set "Automatic proxy configuration URL" and enter https://istpac.inria.fr/pac/roc.pac

  3. In about:config, toggle security.OCSP.require to true.

  4. Quit Firefox.

  5. Start Firefox with the same profile.

  6. Open the URL https://www.google.com/ or https://bugzilla.mozilla.org/

Actual results:

I get a connection failure, e.g.

Secure Connection Failed

An error occurred during a connection to www.google.com. The OCSP
server experienced an internal error.

Error code: SEC_ERROR_OCSP_SERVER_ERROR

Expected results:

I should get the web page.

Note: If I download https://istpac.inria.fr/pac/roc.pac and use the local version (with a "file:" URL) instead of the https URL, and restart Firefox, then everything works fine!

Note: This .pac file contains a FindProxyForURL function that returns a proxy for some particular domains (not including google.com), and this proxy requires authentication. But with the above test, the function should always return "DIRECT". And indeed, its use as a "file:" URL shows that everything is OK.

I was able to reproduce this issue on latest Nightly version 78.0a1 (2020-05-28) on Ubuntu 18.04. I'll change flags accordingly.

Status: UNCONFIRMED → NEW
Component: Untriaged → Security: PSM
Ever confirmed: true
Product: Firefox → Core

If you wait a bit for the pac to load before loading google/bugzilla, does it work?

Flags: needinfo?(vincent-moz)

It doesn't: If I wait 1 minute after starting Firefox, I get the error. And if I wait another minute before loading another web page, I still get an error.

Flags: needinfo?(vincent-moz)

From what I can tell, the proxy auto-config never seems to think it's done, so the call to GetIsPACLoading in https://searchfox.org/mozilla-central/rev/8827278483c337667cdfb238112eb1be397dd102/security/manager/ssl/nsNSSCallbacks.cpp#242 always returns true, so DoOCSPRequest always returns an error.

Component: Security: PSM → Networking

Nhi, can you find someone to look into this?

Severity: -- → S3
Flags: needinfo?(nhnguyen)
Priority: -- → P2
Whiteboard: [necko-triaged]
Assignee: nobody → honzab.moz
Flags: needinfo?(nhnguyen)

We are killing the PAC request (it's HTTPS) because we are trying to do OCSP for it. This is a known bug, actually.

2020-06-28 17:39:36.738 ⁃ nsHttpChannel ⁃ 1de6f3de000 ⁃ released ⁃ status=805a1f87 ⁃ http-status=n/a ⁃ url=https://istpac.inria.fr/pac/roc.pac

805a1f87 == SEC_ERROR_OCSP_SERVER_ERROR

I think the proper fix is to have a flag on the PAC channel to go with a separate connection that will bypass OCSP even when forced by the pref. This is for a non-standard pref value in PSM.

I'm moving back to PSM and lowering the priority, although, some of the work may actually happen in Necko, too.

Component: Networking → Security: PSM
Priority: P2 → P3
Assignee: honzab.moz → nobody
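The circular dependency described in the two comments above (the PAC is fetched over HTTPS, certificate verification wants an OCSP response, DoOCSPRequest refuses while GetIsPACLoading is true, so the PAC channel dies and the PAC never finishes loading) as a small constructed model. This is added illustration, not Firefox code; the struct names, the PacSource enum and the pacChannelBypassesOcsp flag are assumptions standing in for the real Necko/PSM objects and for the fix proposed above.

```cpp
#include <string>

// Constructed model of the interaction described in this bug; not Firefox code.
enum class Result { Ok, OcspServerError };       // 805a1f87 == SEC_ERROR_OCSP_SERVER_ERROR
enum class PacSource { HttpsUrl, FileUrl };

struct Browser {
    bool ocspRequire = false;             // security.OCSP.require
    PacSource pacSource = PacSource::HttpsUrl;
    bool pacLoading = false;              // what GetIsPACLoading() reports
    bool pacLoaded = false;
    bool pacChannelBypassesOcsp = false;  // hypothetical flag from the proposed fix
};

struct Channel { std::string url; bool isPacLoad; };

// Models DoOCSPRequest: while the PAC is still loading, the proxy to reach the
// OCSP responder is unknown, so the request is refused with a server error.
Result doOcspRequest(const Browser& b) {
    return b.pacLoading ? Result::OcspServerError : Result::Ok;
}

Result verifyServerCert(const Channel& ch, const Browser& b) {
    if (ch.isPacLoad && b.pacChannelBypassesOcsp) return Result::Ok;  // proposed fix
    Result r = doOcspRequest(b);
    // Default prefs soft-fail on OCSP errors; security.OCSP.require hard-fails.
    return (r != Result::Ok && b.ocspRequire) ? r : Result::Ok;
}

void loadPac(Browser& b) {
    if (b.pacLoaded || b.pacLoading) return;
    if (b.pacSource == PacSource::FileUrl) { b.pacLoaded = true; return; }  // no TLS involved
    b.pacLoading = true;
    Channel pac{"https://istpac.inria.fr/pac/roc.pac", true};
    if (verifyServerCert(pac, b) == Result::Ok) { b.pacLoaded = true; b.pacLoading = false; }
    // On failure the PAC channel is released and the PAC manager keeps reporting "loading".
}

// Loads one HTTPS page after the PAC manager has had its chance to run.
Result loadPage(Browser& b, const std::string& url) {
    loadPac(b);
    return verifyServerCert(Channel{url, false}, b);
}

// Reproduces the scenarios in this bug report; returns the result of the second page load.
Result simulate(bool ocspRequire, PacSource src, bool bypassFix) {
    Browser b; b.ocspRequire = ocspRequire; b.pacSource = src; b.pacChannelBypassesOcsp = bypassFix;
    loadPage(b, "https://www.google.com/");               // first attempt
    return loadPage(b, "https://bugzilla.mozilla.org/");  // waiting or retrying does not help
}
```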

I think in CertVerifier::VerifyCert we should propagate the information on whether this is bound to a PAC request or not.

xul.dll!mozilla::psm::CertVerifier::VerifyCert(0x000001a512847820, 2, {...}, 0x000001a51286d6a0, 0x000001a50b8799e8, {...}, 0, {...}, {...}, {...}, {...}, 0x000000451170ee6c, 0x000000451170f0ec, 0x000000451170f0e8, 0x000000451170f0e4, 0x000000451170f0c8, 0x000000451170f040, 0x000000451170f0a0) Line 533 C++
xul.dll!mozilla::psm::CertVerifier::VerifySSLServerCert({...}, {...}, 0x000001a51286d6a0, {...}, {...}, 0, {...}, {...}, {...}, {...}, {...}, , 0x000000451170f074, 0x000000451170f0ec, 0x000000451170f0e8, 0x000000451170f0e4, 0x000000451170f0c8, 0x000000451170f040, 0x000000451170f0a0, 0x000000451170f03f) Line 928 C++
[Inline Frame] xul.dll!mozilla::psm::`anonymous namespace'::AuthCertificate(, 0x000001a51286d6a0, {...}, {...}, {...}, {...}, {...}, {...}, {...}, 247141464, {...}, 247141440, , , , ) Line 1108 C++
> xul.dll!mozilla::psm::SSLServerCertVerificationJob::Run() Line 1306 C++
xul.dll!nsThreadPool::Run() Line 301 C++