SEC_ERROR_OCSP_SERVER_ERROR with most https websites when security.OCSP.require is set to true and a https .pac file is used
Categories
(Core :: Security: PSM, defect, P3)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox78 | --- | affected |
People
(Reporter: vincent-moz, Unassigned)
Details
(Whiteboard: [necko-triaged])
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:76.0) Gecko/20100101 Firefox/76.0
Steps to reproduce:
- Start Firefox with a new profile (via "firefox -P").
- In Preferences → General → Network Settings, set "Automatic proxy configuration URL" and enter https://istpac.inria.fr/pac/roc.pac
- In about:config, toggle security.OCSP.require to true.
- Quit Firefox.
- Start Firefox with the same profile.
- Open the URL https://www.google.com/ or https://bugzilla.mozilla.org/
Actual results:
I get a connection failure, e.g.
Secure Connection Failed
An error occurred during a connection to www.google.com. The OCSP
server experienced an internal error.
Error code: SEC_ERROR_OCSP_SERVER_ERROR
Expected results:
I should get the web page.
Note: If I download https://istpac.inria.fr/pac/roc.pac and use the local version (with a "file:" URL) instead of the https URL, and restart Firefox, then everything works fine!
Note: This .pac file contains a FindProxyForURL function that returns a proxy for some particular domains (not including google.com), and this proxy requires an authentication. But with the above test, the function should always return "DIRECT". And indeed, its use as a "file:" URL shows that everything is OK.
Comment 1•4 years ago
I was able to reproduce this issue on latest Nightly version 78.0a1 (2020-05-28) on Ubuntu 18.04. I'll change flags accordingly.
If you wait a bit for the pac to load before loading google/bugzilla, does it work?
Reporter
Comment 3•4 years ago
It doesn't: If I wait 1 minute after starting Firefox, I get the error. And if I wait another minute before loading another web page, I still get an error.
From what I can tell, the proxy auto-config never seems to think it's done, so the call to GetIsPACLoading in https://searchfox.org/mozilla-central/rev/8827278483c337667cdfb238112eb1be397dd102/security/manager/ssl/nsNSSCallbacks.cpp#242 always returns true, so DoOCSPRequest always returns an error.
Comment 5•4 years ago
Nhi, can you find someone to look into this?
Updated•4 years ago
Comment 6•4 years ago
We are killing the PAC request (it's HTTPS) because we are trying to do OCSP for it. This is a known bug, actually.
2020-06-28 17:39:36.738 ⁃ nsHttpChannel ⁃ 1de6f3de000 ⁃ released ⁃ status=805a1f87 ⁃ http-status=n/a ⁃ url=https://istpac.inria.fr/pac/roc.pac
805a1f87 == SEC_ERROR_OCSP_SERVER_ERROR
I think the proper fix is to have a flag on the PAC channel to go with a separate connection that will bypass OCSP even when forced by the pref. This is for a non-standard pref value in PSM.
I'm moving back to PSM and lowering the priority, although, some of the work may actually happen in Necko, too.
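The dependency cycle diagnosed in comments 3 and 6 (the PAC is fetched over HTTPS, verifying its certificate needs an OCSP fetch, the OCSP fetch is refused while the PAC is still loading, so the PAC never loads and every later OCSP fetch fails too) can be followed in a small model. The block below is an added example, not Firefox or PSM code: the class, method names, states and the assumed "good" responder answer are stand-ins chosen to mirror the behaviour described in this bug, and the `pacChannelBypassesOcsp` flag is the fix sketched in comment 6, modelled as a hypothetical option.

```javascript
// Added example (not Firefox code): toy model of the PAC/OCSP dependency
// cycle described in this bug. Names, states and the responder's answer
// are assumptions chosen to mirror the report, not PSM's actual logic.

const SEC_ERROR_OCSP_SERVER_ERROR = 0x805a1f87; // status on the PAC channel in comment 6

class PacOcspModel {
  constructor({ pacUrl, ocspRequire, pacChannelBypassesOcsp = false }) {
    this.pacUrl = pacUrl;
    this.ocspRequire = ocspRequire;                       // security.OCSP.require
    this.pacChannelBypassesOcsp = pacChannelBypassesOcsp; // hypothetical fix from comment 6
    this.pacLoading = false;                              // what GetIsPACLoading() would report
    this.pacLoaded = false;
    this.log = [];
  }

  // Stand-in for DoOCSPRequest: an OCSP fetch needs a proxy decision, so it
  // is refused while the PAC is still loading (the check comment 3 points at).
  doOcspRequest(host) {
    if (this.pacLoading) {
      this.log.push(`OCSP fetch for ${host} refused: PAC still loading`);
      return { ok: false, code: SEC_ERROR_OCSP_SERVER_ERROR };
    }
    this.log.push(`OCSP fetch for ${host}: good`); // assumed responder answer
    return { ok: true };
  }

  verifyServerCert(host, { isPacChannel }) {
    if (isPacChannel && this.pacChannelBypassesOcsp) {
      this.log.push(`PAC channel for ${host}: OCSP skipped by flag`);
      return { ok: true };
    }
    const r = this.doOcspRequest(host);
    if (r.ok) return { ok: true };
    if (!this.ocspRequire) return { ok: true, softFail: true }; // default pref: soft-fail
    return { ok: false, code: r.code };                         // require=true: hard-fail
  }

  loadPac() {
    this.pacLoading = true;
    const u = new URL(this.pacUrl);
    if (u.protocol === "https:") {
      // The PAC channel itself is TLS, so its certificate is verified first.
      const v = this.verifyServerCert(u.host, { isPacChannel: true });
      if (!v.ok) {
        // Channel released with status=805a1f87; the PAC never finishes loading.
        this.log.push(`PAC channel released, status=${v.code.toString(16)}`);
        return v;
      }
    }
    // A file: PAC has no TLS handshake, so it loads regardless of OCSP settings.
    this.pacLoading = false;
    this.pacLoaded = true;
    return { ok: true };
  }

  // Outcome of opening an https page after startup.
  fetch(host) {
    if (!this.pacLoaded && !this.pacLoading) this.loadPac();
    const v = this.verifyServerCert(host, { isPacChannel: false });
    return v.ok ? "ok" : "SEC_ERROR_OCSP_SERVER_ERROR";
  }
}

// Two page loads in a row: waiting or retrying does not help (comment 3).
function outcome(config, host = "www.google.com") {
  const m = new PacOcspModel(config);
  const first = m.fetch(host);
  const second = m.fetch(host);
  return { first, second, log: m.log };
}

const configs = [
  { pacUrl: "https://istpac.inria.fr/pac/roc.pac", ocspRequire: true },
  { pacUrl: "file:///home/user/roc.pac", ocspRequire: true },             // assumed local path
  { pacUrl: "https://istpac.inria.fr/pac/roc.pac", ocspRequire: false },
  { pacUrl: "https://istpac.inria.fr/pac/roc.pac", ocspRequire: true, pacChannelBypassesOcsp: true },
];
for (const cfg of configs) {
  const r = outcome(cfg);
  console.log(JSON.stringify(cfg), "->", r.second);
  for (const line of r.log) console.log("   ", line);
}
```

Only the first configuration reproduces the report; the `file:` PAC works because no TLS handshake is involved, `security.OCSP.require=false` works because the refused fetch is soft-failed, and the bypass flag works because the PAC channel never waits on itself.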
Updated•4 years ago
Comment 7•4 years ago
I think in CertVerifier::VerifyCert we should propagate the information whether this is bound to a PAC request or not.
xul.dll!mozilla::psm::CertVerifier::VerifyCert(0x000001a512847820, 2, {...}, 0x000001a51286d6a0, 0x000001a50b8799e8, {...}, 0, {...}, {...}, {...}, {...}, 0x000000451170ee6c, 0x000000451170f0ec, 0x000000451170f0e8, 0x000000451170f0e4, 0x000000451170f0c8, 0x000000451170f040, 0x000000451170f0a0) Line 533 C++
xul.dll!mozilla::psm::CertVerifier::VerifySSLServerCert({...}, {...}, 0x000001a51286d6a0, {...}, {...}, 0, {...}, {...}, {...}, {...}, {...}, , 0x000000451170f074, 0x000000451170f0ec, 0x000000451170f0e8, 0x000000451170f0e4, 0x000000451170f0c8, 0x000000451170f040, 0x000000451170f0a0, 0x000000451170f03f) Line 928 C++
[Inline Frame] xul.dll!mozilla::psm::`anonymous namespace'::AuthCertificate(, 0x000001a51286d6a0, {...}, {...}, {...}, {...}, {...}, {...}, {...}, 247141464, {...}, 247141440, , , , ) Line 1108 C++
> xul.dll!mozilla::psm::SSLServerCertVerificationJob::Run() Line 1306 C++
xul.dll!nsThreadPool::Run() Line 301 C++