Closed Bug 1683525 Opened 4 years ago Closed 4 years ago

SEC_ERROR_REVOKED_CERTIFICATE on hetzner.com due to security.pki.crlite_mode=2 (Nightly default)

Categories

(Core :: Security: PSM, defect, P1)

Firefox 86
defect

Tracking

()

RESOLVED FIXED
86 Branch
Tracking Status
firefox-esr78 --- unaffected
firefox84 --- disabled
firefox85 --- disabled
firefox86 --- fixed

People

(Reporter: bugzilla, Assigned: keeler)

References

(Blocks 1 open bug, Regression)

Details

(Keywords: nightly-community, regression, Whiteboard: [psm-assigned])

Attachments

(1 file)

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:86.0) Gecko/20100101 Firefox/86.0

Steps to reproduce:

Visit https://www.hetzner.com in Firefox Nightly 86.0a1 (2020-12-18) (64-bit) on macOS 10.15.7

Actual results:

I get an error that the certificate was revoked:

Secure Connection Failed

An error occurred during a connection to www.hetzner.com. Peer’s Certificate has been revoked.

Error code: SEC_ERROR_REVOKED_CERTIFICATE

The page you are trying to view cannot be shown because the authenticity of the received data could not be verified.
Please contact the website owners to inform them of this problem.

The connection is fine in Chrome (stable) on the same laptop. Someone else in #nightly also confirms that they see the same error, so it's not just my connection, and that it's fine in Firefox release channel.

Expected results:

The site should work, I think.

Also, maybe it should get me some details on what the cert is? I don't see any option for it to tell me what it saw or why it decided it was revoked.

Let me know if you want a pcap or something.

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Security: PSM
Product: Firefox → Core
Status: UNCONFIRMED → NEW
Ever confirmed: true

Can reproduce in 86.0a1 (2020-12-20) on Win64.

I can't reproduce this on OSX - about:support gives me version 86.0a1 build 20201220093524
If you can get me a pcap with the certificate chain, that would be great, yes please.

Flags: needinfo?(bugzilla)

I'm still getting this on 20201220093524. I've uploaded a pcap to https://kerberos.club/tmp/hetzner-revoked.pcap. Looks like this is the chain, assuming I'm reading the pcap right:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            08:c1:ad:80:c1:f5:03:a6:0a:3a:42:22:cd:79:4c:b8
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte EV RSA CA 2018
        Validity
            Not Before: Jul  9 00:00:00 2020 GMT
            Not After : Aug 22 12:00:00 2021 GMT
        Subject: businessCategory=Private Organization/jurisdictionCountryName=DE/jurisdictionStateOrProvinceName=Bayern/jurisdictionLocalityName=Ansbach/serialNumber=HRB 6089, C=DE, ST=Bayern, L=Gunzenhausen, O=Hetzner Online GmbH, CN=www.hetzner.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:ab:e5:5e:df:b4:4d:c1:bf:62:f6:7a:dd:3b:37:
                    17:04:0e:20:29:fe:32:71:ad:6f:7d:35:9c:dd:76:
                    bc:c2:05:9b:a7:6a:b0:71:17:0e:86:dc:ad:65:fe:
                    14:0d:09:4a:54:f2:5a:8e:7d:94:07:82:2b:c1:1c:
                    f6:dd:51:05:17:72:43:0b:c9:12:b2:c6:49:33:d6:
                    8a:34:4d:e6:f5:1f:6b:2f:1c:08:14:c1:b2:12:15:
                    a7:7e:34:cb:9c:03:61:b2:af:11:a0:a6:75:21:f9:
                    62:34:a3:6b:3a:a6:e0:18:c6:21:d1:e8:89:c3:b2:
                    17:dc:33:2c:1a:2b:b7:68:c6:f3:f8:3a:a2:19:75:
                    40:57:39:70:41:df:32:f1:45:e3:8a:81:24:e5:8a:
                    aa:61:80:08:9d:a1:38:3f:cc:88:4d:85:97:5e:db:
                    09:a1:85:78:bd:63:b4:24:2e:a1:de:d3:45:73:30:
                    57:3b:e5:10:74:81:c1:ea:f3:df:bb:d4:ed:a7:f5:
                    7a:c2:d4:27:46:de:ee:57:b1:c4:87:94:20:fc:79:
                    10:c7:da:4f:69:4c:af:10:44:83:89:9c:0c:51:f8:
                    fd:ca:0e:68:33:68:00:d5:95:50:84:a6:d3:0c:fb:
                    27:01:0e:79:68:06:28:72:b4:9c:1a:75:c0:41:64:
                    71:0f
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Authority Key Identifier: 
                keyid:E7:01:FC:0C:16:18:CA:7D:B2:8C:EC:87:27:A3:6F:61:81:3B:84:39

            X509v3 Subject Key Identifier: 
                1E:97:FB:19:06:44:B4:28:A3:F5:08:06:11:A4:90:C9:95:B8:16:3A
            X509v3 Subject Alternative Name: 
                DNS:hetzner.com, DNS:www.hetzner.com
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://cdp.thawte.com/ThawteEVRSACA2018.crl

            X509v3 Certificate Policies: 
                Policy: 2.16.840.1.114412.2.1
                  CPS: https://www.digicert.com/CPS
                Policy: 2.23.140.1.1

            Authority Information Access: 
                OCSP - URI:http://status.thawte.com
                CA Issuers - URI:http://cacerts.thawte.com/ThawteEVRSACA2018.crt

            X509v3 Basic Constraints: critical
                CA:FALSE
            1.3.6.1.4.1.11129.2.4.2: 
                ......u..\./.w0".T..0.V..M..3.../ ..N.d....s2........F0D. L....D_.\..Q..[j.2.Je.t..n....... ;U....<;,.U.:,p..x........'1...Q.v.\.C....ED.^..V..7...G..s..^........s2........G0E. F=![ U..."...d...Ym*x.)q)....g...!....Z."...Qs...GU).Lv.({9^.A....-
    Signature Algorithm: sha256WithRSAEncryption
         25:ad:d3:1f:28:3b:dd:7e:62:94:eb:c9:6e:07:6b:e7:13:e4:
         df:f7:63:2b:88:4d:02:8c:08:88:fa:e7:6a:a4:dc:99:da:26:
         01:76:1c:a9:60:15:82:e3:e1:f8:83:7e:11:40:72:d5:72:d6:
         c0:5a:11:cd:ee:07:d0:6c:b0:b5:27:68:26:30:97:a0:ab:06:
         92:6b:fe:ed:e8:a3:7b:05:fb:9c:ca:10:29:c4:04:b0:ec:f9:
         e5:78:71:98:b6:14:b3:47:9c:fc:44:d6:b3:59:eb:4f:67:cd:
         ed:25:2d:c7:40:9d:f0:32:0e:d9:74:71:77:e5:9e:d9:74:9b:
         5c:73:95:73:a8:44:c8:e8:70:c0:5a:9b:cd:03:8e:03:eb:74:
         2b:7c:aa:13:c3:d1:fc:85:72:a6:39:68:1e:e7:a5:61:7a:ee:
         15:83:d7:09:6d:1c:09:88:63:28:d6:e4:39:cc:ce:c2:f3:f4:
         36:5c:2b:88:07:fa:43:3a:5c:30:ae:bb:86:a9:2b:6b:f0:ac:
         50:ae:a7:c6:3b:92:c6:54:db:59:d4:63:1c:4e:fc:b1:84:48:
         61:d0:aa:d3:1e:bc:b4:62:5e:2a:58:0b:36:9d:aa:82:2b:fb:
         b5:fd:8b:a1:58:eb:3e:ac:be:a1:a6:34:d1:e7:82:14:4e:f1:
         d3:e4:9c:79
-----BEGIN CERTIFICATE-----
MIIGgjCCBWqgAwIBAgIQCMGtgMH1A6YKOkIizXlMuDANBgkqhkiG9w0BAQsFADBf
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMR4wHAYDVQQDExVUaGF3dGUgRVYgUlNBIENBIDIwMTgw
HhcNMjAwNzA5MDAwMDAwWhcNMjEwODIyMTIwMDAwWjCB5zEdMBsGA1UEDwwUUHJp
dmF0ZSBPcmdhbml6YXRpb24xEzARBgsrBgEEAYI3PAIBAxMCREUxFzAVBgsrBgEE
AYI3PAIBAhMGQmF5ZXJuMRgwFgYLKwYBBAGCNzwCAQETB0Fuc2JhY2gxETAPBgNV
BAUTCEhSQiA2MDg5MQswCQYDVQQGEwJERTEPMA0GA1UECBMGQmF5ZXJuMRUwEwYD
VQQHEwxHdW56ZW5oYXVzZW4xHDAaBgNVBAoTE0hldHpuZXIgT25saW5lIEdtYkgx
GDAWBgNVBAMTD3d3dy5oZXR6bmVyLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEP
ADCCAQoCggEBAKvlXt+0TcG/YvZ63Ts3FwQOICn+MnGtb301nN12vMIFm6dqsHEX
DobcrWX+FA0JSlTyWo59lAeCK8Ec9t1RBRdyQwvJErLGSTPWijRN5vUfay8cCBTB
shIVp340y5wDYbKvEaCmdSH5YjSjazqm4BjGIdHoicOyF9wzLBort2jG8/g6ohl1
QFc5cEHfMvFF44qBJOWKqmGACJ2hOD/MiE2Fl17bCaGFeL1jtCQuod7TRXMwVzvl
EHSBwerz37vU7af1esLUJ0be7lexxIeUIPx5EMfaT2lMrxBEg4mcDFH4/coOaDNo
ANWVUISm0wz7JwEOeWgGKHK0nBp1wEFkcQ8CAwEAAaOCAq8wggKrMB8GA1UdIwQY
MBaAFOcB/AwWGMp9sozshyejb2GBO4Q5MB0GA1UdDgQWBBQel/sZBkS0KKP1CAYR
pJDJlbgWOjAnBgNVHREEIDAeggtoZXR6bmVyLmNvbYIPd3d3LmhldHpuZXIuY29t
MA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIw
PAYDVR0fBDUwMzAxoC+gLYYraHR0cDovL2NkcC50aGF3dGUuY29tL1RoYXd0ZUVW
UlNBQ0EyMDE4LmNybDBLBgNVHSAERDBCMDcGCWCGSAGG/WwCATAqMCgGCCsGAQUF
BwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BTMAcGBWeBDAEBMHEGCCsG
AQUFBwEBBGUwYzAkBggrBgEFBQcwAYYYaHR0cDovL3N0YXR1cy50aGF3dGUuY29t
MDsGCCsGAQUFBzAChi9odHRwOi8vY2FjZXJ0cy50aGF3dGUuY29tL1RoYXd0ZUVW
UlNBQ0EyMDE4LmNydDAMBgNVHRMBAf8EAjAAMIIBAwYKKwYBBAHWeQIEAgSB9ASB
8QDvAHUA9lyUL9F3MCIUVBgIMJRWjuNNExkzv98MLyALzE7xZOMAAAFzMrvZ9gAA
BAMARjBEAiBMA5SuokRfrVzVBFHm6FtqAjKjSmWOdIOxbo7E8pjzhAIgO1UIowSk
PDsshVW4OixwGbd46PS8r6+X2h8nMR8ZnVEAdgBc3EOS/uarRUSxXprUVuYQN/vV
+kfcoXOUsl7m9scOygAAAXMyu9oeAAAEAwBHMEUCIEY9IVsgVbrqDCLaHdNk9dOM
WW0qeOIpcSmv/60cZ7+QAiEAqsSZWhMisx+AUXPS8ZJHVSnqTHb+KHs5XthBwYuA
yy0wDQYJKoZIhvcNAQELBQADggEBACWt0x8oO91+YpTryW4Ha+cT5N/3YyuITQKM
CIj652qk3JnaJgF2HKlgFYLj4fiDfhFActVy1sBaEc3uB9BssLUnaCYwl6CrBpJr
/u3oo3sF+5zKECnEBLDs+eV4cZi2FLNHnPxE1rNZ609nze0lLcdAnfAyDtl0cXfl
ntl0m1xzlXOoRMjocMBam80DjgPrdCt8qhPD0fyFcqY5aB7npWF67hWD1wltHAmI
YyjW5DnMzsLz9DZcK4gH+kM6XDCuu4apK2vwrFCup8Y7ksZU21nUYxxO/LGESGHQ
qtMevLRiXipYCzadqoIr+7X9i6FY6z6svqGmNNHnghRO8dPknHk=
-----END CERTIFICATE-----

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            06:96:8f:96:4a:e8:23:56:c7:4e:17:c2:b5:36:5b:00
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=DigiCert High Assurance EV Root CA
        Validity
            Not Before: Nov  6 12:22:57 2017 GMT
            Not After : Nov  6 12:22:57 2027 GMT
        Subject: C=US, O=DigiCert Inc, OU=www.digicert.com, CN=Thawte EV RSA CA 2018
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:a7:40:ae:e7:6c:e6:74:91:67:49:ec:d7:30:ab:
                    cb:d2:bb:28:5a:00:3f:d5:7e:ce:c6:33:10:1e:c0:
                    25:94:80:f5:78:31:bc:df:aa:6d:25:74:93:3e:0f:
                    83:a0:47:a7:1d:f9:0a:cb:0f:be:c1:7a:1b:81:a8:
                    6b:d1:c5:3f:da:ff:11:59:1d:df:20:3e:77:64:38:
                    44:18:7c:d2:f8:e9:7b:57:e1:d1:b5:91:b9:b5:e3:
                    16:09:8e:e0:95:db:41:40:7d:2b:ef:15:04:a7:fd:
                    c8:49:5b:19:51:50:6a:b5:49:8b:54:99:5f:f6:7c:
                    49:0f:a0:b1:a7:82:c1:95:c2:49:f3:e3:7a:91:29:
                    15:f9:f0:3e:59:d4:1c:d0:76:21:5d:28:37:3f:12:
                    4f:ed:74:94:db:c5:9c:ee:07:fa:cb:d9:19:cd:08:
                    4a:e1:6a:d9:2d:1a:c7:1d:b1:c2:d9:05:dd:a9:06:
                    14:c5:1f:76:ed:05:7e:50:23:57:9e:56:d3:71:9c:
                    b6:42:9c:56:4c:f2:f3:2b:ef:dc:29:75:f8:73:03:
                    fa:30:61:7b:fb:c4:67:52:01:e5:8a:3f:f9:57:69:
                    3f:b4:81:7d:7a:9e:01:ef:6b:9c:a9:a4:bf:52:11:
                    0f:a4:83:7f:4f:b0:37:38:0c:3d:f7:9c:ab:07:7f:
                    20:95
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                E7:01:FC:0C:16:18:CA:7D:B2:8C:EC:87:27:A3:6F:61:81:3B:84:39
            X509v3 Authority Key Identifier: 
                keyid:B1:3E:C3:69:03:F8:BF:47:01:D4:98:26:1A:08:02:EF:63:64:2B:C3

            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Extended Key Usage: 
                TLS Web Server Authentication, TLS Web Client Authentication
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            Authority Information Access: 
                OCSP - URI:http://ocsp.digicert.com

            X509v3 CRL Distribution Points: 

                Full Name:
                  URI:http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl

            X509v3 Certificate Policies: 
                Policy: X509v3 Any Policy
                  CPS: https://www.digicert.com/CPS

    Signature Algorithm: sha256WithRSAEncryption
         16:1a:46:be:e5:f7:cb:a5:f1:6e:cd:3f:96:97:00:d1:c2:1c:
         93:65:2b:a7:9e:f7:9c:65:66:53:3c:f2:97:8a:9c:a7:8e:95:
         f1:e5:d2:bc:60:6f:b6:5e:81:fb:e3:6f:39:19:1d:54:00:1b:
         af:1c:c1:55:f7:85:de:0c:44:fd:3f:3c:f9:b3:f3:47:4b:5f:
         de:02:be:5e:19:dc:1f:06:5f:34:5f:03:e4:c1:76:98:ab:34:
         6d:c3:a2:78:44:0c:5e:2e:a7:1b:89:b8:54:42:ff:48:7a:ff:
         50:70:fd:24:34:fc:89:bb:8d:77:5e:8b:fb:ea:64:ae:26:51:
         93:84:ac:dc:ba:b2:4f:8a:f7:b6:78:b9:b0:9a:82:20:4c:f1:
         f5:d4:df:c8:20:ef:67:1c:b5:5e:f0:a4:e4:b7:e1:46:81:90:
         8e:58:70:37:91:b1:41:65:1d:fd:32:7d:a1:15:2f:7b:e2:b8:
         54:90:cf:95:4b:d2:9b:0a:24:10:e4:ec:24:7d:b6:7f:e8:12:
         0d:90:4d:42:32:d8:84:49:9d:96:91:bc:49:28:fb:05:dd:d3:
         7b:a7:d0:c5:61:68:90:49:b6:23:14:ff:ab:09:3d:3f:32:46:
         87:1d:85:24:12:f2:cd:3e:0c:89:eb:3d:bd:78:c7:f4:0e:32:
         ee:fd:25:c9
-----BEGIN CERTIFICATE-----
MIIEoDCCA4igAwIBAgIQBpaPlkroI1bHThfCtTZbADANBgkqhkiG9w0BAQsFADBs
MQswCQYDVQQGEwJVUzEVMBMGA1UEChMMRGlnaUNlcnQgSW5jMRkwFwYDVQQLExB3
d3cuZGlnaWNlcnQuY29tMSswKQYDVQQDEyJEaWdpQ2VydCBIaWdoIEFzc3VyYW5j
ZSBFViBSb290IENBMB4XDTE3MTEwNjEyMjI1N1oXDTI3MTEwNjEyMjI1N1owXzEL
MAkGA1UEBhMCVVMxFTATBgNVBAoTDERpZ2lDZXJ0IEluYzEZMBcGA1UECxMQd3d3
LmRpZ2ljZXJ0LmNvbTEeMBwGA1UEAxMVVGhhd3RlIEVWIFJTQSBDQSAyMDE4MIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAp0Cu52zmdJFnSezXMKvL0rso
WgA/1X7OxjMQHsAllID1eDG836ptJXSTPg+DoEenHfkKyw++wXobgahr0cU/2v8R
WR3fID53ZDhEGHzS+Ol7V+HRtZG5teMWCY7gldtBQH0r7xUEp/3ISVsZUVBqtUmL
VJlf9nxJD6Cxp4LBlcJJ8+N6kSkV+fA+WdQc0HYhXSg3PxJP7XSU28Wc7gf6y9kZ
zQhK4WrZLRrHHbHC2QXdqQYUxR927QV+UCNXnlbTcZy2QpxWTPLzK+/cKXX4cwP6
MGF7+8RnUgHlij/5V2k/tIF9ep4B72ucqaS/UhEPpIN/T7A3OAw995yrB38glQID
AQABo4IBSTCCAUUwHQYDVR0OBBYEFOcB/AwWGMp9sozshyejb2GBO4Q5MB8GA1Ud
IwQYMBaAFLE+w2kD+L9HAdSYJhoIAu9jZCvDMA4GA1UdDwEB/wQEAwIBhjAdBgNV
HSUEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwEgYDVR0TAQH/BAgwBgEB/wIBADA0
BggrBgEFBQcBAQQoMCYwJAYIKwYBBQUHMAGGGGh0dHA6Ly9vY3NwLmRpZ2ljZXJ0
LmNvbTBLBgNVHR8ERDBCMECgPqA8hjpodHRwOi8vY3JsMy5kaWdpY2VydC5jb20v
RGlnaUNlcnRIaWdoQXNzdXJhbmNlRVZSb290Q0EuY3JsMD0GA1UdIAQ2MDQwMgYE
VR0gADAqMCgGCCsGAQUFBwIBFhxodHRwczovL3d3dy5kaWdpY2VydC5jb20vQ1BT
MA0GCSqGSIb3DQEBCwUAA4IBAQAWGka+5ffLpfFuzT+WlwDRwhyTZSunnvecZWZT
PPKXipynjpXx5dK8YG+2XoH74285GR1UABuvHMFV94XeDET9Pzz5s/NHS1/eAr5e
GdwfBl80XwPkwXaYqzRtw6J4RAxeLqcbibhUQv9Iev9QcP0kNPyJu413Xov76mSu
JlGThKzcurJPive2eLmwmoIgTPH11N/IIO9nHLVe8KTkt+FGgZCOWHA3kbFBZR39
Mn2hFS974rhUkM+VS9KbCiQQ5OwkfbZ/6BINkE1CMtiESZ2WkbxJKPsF3dN7p9DF
YWiQSbYjFP+rCT0/MkaHHYUkEvLNPgyJ6z29eMf0DjLu/SXJ
-----END CERTIFICATE-----
Flags: needinfo?(bugzilla)

Weirdly, the tab where I had it open appeared to load at some point while I was in another app, but now that I try again it's failing again.

Bug 1683547 has some more interesting details. It seems to be caused by CRLite, which is only in "enforce" mode in Nightly. Changing security.pki.crlite_mode in about:config to 0 or 1 makes the site work again.

Summary: Nightly claims that www.hetzner.com's certificate is revoked → Nightly claims that www.hetzner.com's certificate is revoked due to CRLite
Blocks: crlite
Has Regression Range: --- → yes
Has STR: --- → yes
Keywords: regression
OS: Unspecified → All
Regressed by: 1675138
Hardware: Unspecified → All
Summary: Nightly claims that www.hetzner.com's certificate is revoked due to CRLite → SEC_ERROR_REVOKED_CERTIFICATE on hetzner.com due to security.pki.crlite_mode=2 (Nightly default)

Interestingly this happens not on Nightly for Android.

(In reply to a.nolting from comment #10)

Interestingly this happens not on Nightly for Android.

I don't think CRLite is enabled on Android: https://bugzilla.mozilla.org/show_bug.cgi?id=1677157

I find it odd though, that the leaf certificate is only signed by a single log (https://crt.sh/?id=3073817518 and https://transparencyreport.google.com/https/certificates/hgDZTYv6YW%2FwX7jB1%2B5NptsLGAJTHWOwWG%2BbNp7MhMU%3D). It shouldn't be against the CT policy (AFAIK) and I'm not sure the "crlite fetch logic" check if the certificate is "CT Qualified", if it does, maybe that's the issue.

(In reply to Kristian Klausen from comment #11)

(In reply to a.nolting from comment #10)

Interestingly this happens not on Nightly for Android.

I don't think CRLite is enabled on Android: https://bugzilla.mozilla.org/show_bug.cgi?id=1677157

I find it odd though, that the leaf certificate is only signed by a single log (https://crt.sh/?id=3073817518 and https://transparencyreport.google.com/https/certificates/hgDZTYv6YW%2FwX7jB1%2B5NptsLGAJTHWOwWG%2BbNp7MhMU%3D). It shouldn't be against the CT policy (AFAIK) and I'm not sure the "crlite fetch logic" check if the certificate is "CT Qualified", if it does, maybe that's the issue.

CRLite is set to enforced mode (2) on Nightly for Android.

Hello,

I don't know if I should open a new bug report for this, but the same behaviour seems to be happening with https://fontawesome.com/ using Nightly 86.0a1 build 20210107040715 (64-bit) on Linux.
As with the original report, the issue appears to be with default security.pki.crlite_mode = 2 in Nightly. Changing the value to 1 or 0 results in the webpage loading correctly, and it loads fine in stable FF (which has default security.pki.crlite_mode = 1).

Hi all,
the update to Version 86.0, Build-ID 20210107213748 works for me.
I would like to say Thank you to all of you for your great support.
Best Alex

Flags: needinfo?(dkeeler)

I am also encountering the SEC_ERROR_REVOKED_CERTIFICATE with [ https://www.straitstimes.com/ ]. Setting security.pki.crlite_mode = 1 will let me see the site.

My Build ID: 20210108094818
My User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0

This is a backout of b635c277c9f4 (bug 1675138).

It seems that the CRLite certificate transparency ingestion machinery is
missing certificates it should know about, which means that false positives are
possible, which means that users are seeing revoked certificates where they
shouldn't. This patch sets CRLite back to telemetry-only mode while the
infrastructure gets fixed.

Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
Severity: -- → S2
Flags: needinfo?(dkeeler)
Priority: -- → P1
Whiteboard: [psm-assigned]
Pushed by dkeeler@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d6749ac7de51 set CRLite back to telemetry-only mode r=kjacobs
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 86 Branch

For posterity, our analysis of this bug was as follows:
Firefox was unexpectedly treating some sites as revoked when we enabled CRLite (turning CRLite off fixed the issue). The certificates in question were not revoked according to OCSP or CRL, and so they should not have been treated as revoked (i.e. CRLite evidently had false positives). The certificates were issued by issuers that are enrolled in CRLite, and the certificates had been disclosed to CT logs that CRLite ingests. Furthermore, the certificates were not "too new" to be covered by CRLite. Thus, CRLite should have been able to handle these certificates correctly.
Due to its construction, the only way CRLite can have false positives is if its set of not revoked certificates is missing otherwise valid and applicable certificates (or if a cosmic ray or bad hardware flipped some bits). Given that these certificates should have been present in the set of not revoked certificates (see previous paragraph), we concluded that there must be a bug whereby CRLite can either drop or never even process information about certificates that it should know about in order for it to maintain the property that CRLite not have false positives.
After some investigation, we have not determined how this bug occurs. We turned CRLite off again in the meantime.

You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: