SSL token cache doesn't handle connections with overridden errors well
Categories
(Core :: Networking: Cache, defect, P3)
Tracking
| | Tracking | Status |
|---|---|---|
| firefox107 | --- | fixed |
People
(Reporter: david.balazic, Assigned: keeler)
References
(Blocks 1 open bug)
Details
(Whiteboard: qa-not-reproducible,[necko-triaged])
Attachments
(4 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Steps to reproduce:
Visit a (non-public) website that uses HTTPS and has its certificate expired.
Try to view certificate information (Page Info -> View Certificate)
Actual results:
this URL is opened: about:certificate? page is empty
Expected results:
actual certificate information should be shown
Reporter
Comment 1•3 years ago
MS Edge behaves similarly (I did not explore it, I'm still getting used to its GUI).
MS IE shows the certificate info normally.
Additional information:
- the web page itself is displayed by FF, as I added an exception for the invalid site certificate
- the web page allows client certificate authentication, which I use
- the site certificate is from a private (self signed) CA
- the site certificate expired in December 2020
Comment 2•3 years ago
The Bugbug bot thinks this bug should belong to the 'Firefox::Security' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.
Comment 3•3 years ago
Works for me on https://expired.badssl.com/, can you share the full URL of the about:certificate? page?
Reporter
Comment 4•3 years ago
this is the actual URL used: about:certificate?
There is no more of it. It ends at the question mark.
Reporter
Comment 5•3 years ago
It also works for me correctly on https://expired.badssl.com/
Must be something else than expiration affecting it.
Strange, I visited another very similar internal website, that also has an expired certificate from the same CA and it does not show this problem.
Wait, now I tried again (with the second website), and it happened: the opened URL is about:certificate? and it shows an empty page
Strange. Can't see what makes a difference.
Reporter
Comment 6•3 years ago
Another thing: my website is an older development server and it uses weak encryption, TLS 1.0, RSA AES 128 CBC SHA, 128-bit key
Comment 7•3 years ago
Hi,
Thanks for your report. https://expired.badssl.com/ is working on my end as well.
Could you please answer the following questions in order to further investigate this issue?
1- Does this issue happen with a new profile? Here is a link on how to create a new profile: https://support.mozilla.org/en-US/kb/profile-manager-create-remove-switch-firefox-profiles
2- Are you using add-ons? If so could you please list them? (you can try the issue while in Safe Mode. You can find helpful info here : https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode .)
3- Does this issue occur in the latest nightly version of firefox? Here is a link from where you can download it: https://www.mozilla.org/en-US/firefox/channel/desktop/
Thanks!
Clara
Comment 8•3 years ago
Okay, thanks for reporting this, it would be great if we had a way to reproduce this on a public page :)
Reporter
Comment 9•3 years ago
(In reply to Clara Guerrero from comment #7)
> Hi,
> Thanks for your report. https://expired.badssl.com/ is working on my end as well.
> Could you please answer the following questions in order to further investigate this issue?
> 1- Does this issue happen with a new profile? Here is a link on how to create a new profile: https://support.mozilla.org/en-US/kb/profile-manager-create-remove-switch-firefox-profiles
Yes, it does. But again, not on first try. I opened the "Page Info" dialog several times, browsed around on the expired website, only after about 5 tries did the certificate info show up empty.
> 2- Are you using add-ons? If so could you please list them? (you can try the issue while in Safe Mode. You can find helpful info here : https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode .)
Settings/Plugins shows:
OpenH264 Video Codec provided by Cisco Systems, Inc.
Widevine Content Decryption Module provided by Google Inc.
Settings/Extensions shows nothing.
If add-ons are another category of things, please say where they are listed.
> 3- Does this issue occur in the latest nightly version of firefox? Here is a link from where you can download it: https://www.mozilla.org/en-US/firefox/channel/desktop/
Will test. The above is using 90.0.
Reporter
Comment 10•3 years ago
Nightly test:
could not reproduce (it can not be reliably reproduced on regular release either, but I tried about 10 times... so)
Another thing: if I open https://expired.badssl.com/ , the page info shows a certificate issued by ESET (the antivirus software I have installed), while https://www.ssllabs.com/ssltest/analyze.html?d=expired.badssl.com shows the issuer is COMODO. The same thing happens with Internet Explorer (it shows ESET instead of COMODO)
Comment 11•3 years ago
Are you not getting the empty page anymore?
Best,
Clara
Reporter
Comment 12•3 years ago
v90.0.2: yes, I get it
nightly: after installing Nightly and starting it, actually a new window of Firefox 90.0.2 opens. I installed Nightly 3 times in the last month and it worked fine until now. Please remind me in a few days and I'll try Nightly again then.
Comment 13•3 years ago
Hi David, please let me know if it is still working fine on Nightly. If that's the case it means that this bug has already been resolved and it will eventually work on future Firefox Release versions.
When Release reaches Beta's actual version (92), you'll be able to see the fix. As per the Firefox Release Calendar, Release is expected to ship on 2021-09-07. You can find more info here: https://wiki.mozilla.org/Release_Management/Calendar
I'll wait for your confirmation to mark this ticket as resolved since once the natural cycle is complete you wouldn't have this bug.
Best,
Clara
Comment 14•3 years ago
Comment 15•3 years ago
Comment 16•3 years ago
(In reply to David Balažic from comment #10)
> Nightly test:
> could not reproduce (it can not be reliably reproduced on regular release either, but I tried about 10 times... so)
> Another thing: if I open https://expired.badssl.com/ , the page info shows a certificate issued by ESET (the antivirus software I have installed), while https://www.ssllabs.com/ssltest/analyze.html?d=expired.badssl.com shows the issuer is COMODO. The same thing happens with Internet Explorer (it shows ESET instead of COMODO)
I'm seeing COMODO for both examples, screenshots above
Comment 17•3 years ago
(In reply to Clara Guerrero from comment #13)
> Hi David, please let me know if it is still working fine on Nightly. If that's the case it means that this bug has already been resolved and it will eventually work on future Firefox Release versions.
> When Release reaches Beta's actual version (92), you'll be able to see the fix. As per the Firefox Release Calendar, Release is expected to ship on 2021-09-07. You can find more info here: https://wiki.mozilla.org/Release_Management/Calendar
> I'll wait for your confirmation to mark this ticket as resolved since once the natural cycle is complete you wouldn't have this bug.
> Best,
> Clara
I'm marking this as Resolved-Incomplete due to lack of response. If the issue is still reproducible with the latest Firefox version, feel free to reopen the bug with more information.
Regards, Clara.
Reporter
Comment 18•2 years ago
I got this again.
Firefox version 102.0 64-bit
Clean profile.
Steps:
- start Firefox with newly created profile (note: Firefox using other older profile still running in my case)
- open https://expired.badssl.com/
- click "Advanced... Accept the risk.." until the page is shown
- left of URL bar click the padlock icon to open the menu and then open the Page Info dialog
- in the dialog click "View Certificate"
- close the certificate info tab and the Page Info dialog
- click around in the web page (no links there, just to "shake" things)
- open page source by ctrl+u
- close the page source tab
- reload by F5, then ctrl+F5
- repeat the steps 4 and 5 to get the certificate info tab
Result:
after a few tries the certificate info tab will be empty, and its URL will be about:certificate?
Assignee
Comment 19•2 years ago
The SSL token cache doesn't really handle situations where certificate errors have been overridden. For example, it doesn't save and restore the failed cert chain, which is what you're seeing here. It also doesn't save the error bits, which could be useful in terms of getting rid of the old mechanism that saves the cert error bits across resumed connections (RememberCertErrorsTable).
Kershaw - thoughts on how to approach this?
Comment 20•2 years ago
(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #19)
> The SSL token cache doesn't really handle situations where certificate errors have been overridden. For example, it doesn't save and restore the failed cert chain, which is what you're seeing here. It also doesn't save the error bits, which could be useful in terms of getting rid of the old mechanism that saves the cert error bits across resumed connections (RememberCertErrorsTable).
> Kershaw - thoughts on how to approach this?
I'd be happy to make the token cache store error bits and the failed cert chain.
I might add the following two members in SessionCacheInfo.
Maybe<nsTArray<nsTArray<uint8_t>>> mFailedCertChainBytes;
Maybe<CertStateBits> mErrorBits;
Do you think this is enough?
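The mechanism described in comments 19 and 20, as an added illustration that is not Mozilla's code: a simplified resumption cache whose entries either do or do not carry the failed certificate chain and the error bits of an overridden verification. Names such as SessionTokenCache, CertErrorBits, ChainForPageInfo and the DER byte strings are constructed for the example; the real SessionCacheInfo, CertStateBits and the about:certificate page behave in more detail than modelled here.

```cpp
#include <cstddef>
#include <cstdint>
#include <map>
#include <optional>
#include <string>
#include <vector>

// Constructed stand-in for the certificate error bits Firefox remembers for an
// override; the real CertStateBits type is richer and these names are hypothetical.
enum CertErrorBits : uint32_t {
  kNone = 0,
  kExpired = 1u << 0,
  kUntrustedIssuer = 1u << 1,
};

using CertBytes = std::vector<uint8_t>;  // one DER-encoded certificate
using CertChain = std::vector<CertBytes>;

// One resumption-cache entry. The two optional members mirror the proposal in
// comment 20 (Maybe<...> in Mozilla's code; std::optional here).
struct SessionCacheInfo {
  std::vector<uint8_t> token;                 // session resumption token
  CertChain succeededChain;                   // chain from a clean verification
  std::optional<CertChain> failedChainBytes;  // only set when an override was used
  std::optional<uint32_t> errorBits;          // only set when an override was used
};

// What a full handshake hands to the socket layer after verification.
struct HandshakeResult {
  std::vector<uint8_t> token;
  CertChain chain;
  uint32_t errorBits = kNone;  // kNone when verification succeeded
  bool overridden = false;     // true when the user accepted the risk
};

class SessionTokenCache {
 public:
  // keepOverrideInfo=false models the cache before the fix (the reported bug).
  explicit SessionTokenCache(bool keepOverrideInfo)
      : mKeepOverrideInfo(keepOverrideInfo) {}

  // Called after a full handshake.
  void Put(const std::string& key, const HandshakeResult& r) {
    SessionCacheInfo info;
    info.token = r.token;
    if (!r.overridden) {
      info.succeededChain = r.chain;
    } else if (mKeepOverrideInfo) {
      info.failedChainBytes = r.chain;
      info.errorBits = r.errorBits;
    }
    // With an override and no override info kept, only the token survives.
    mEntries[key] = info;
  }

  // Called on a resumed connection: the peer certificate is not re-verified, so
  // anything the UI later shows has to come from this entry.
  std::optional<SessionCacheInfo> Get(const std::string& key) const {
    auto it = mEntries.find(key);
    if (it == mEntries.end()) return std::nullopt;
    return it->second;
  }

 private:
  bool mKeepOverrideInfo;
  std::map<std::string, SessionCacheInfo> mEntries;
};

// The chain "Page Info -> View Certificate" can display for a connection:
// the failed chain if an override was recorded, else the verified chain.
CertChain ChainForPageInfo(const SessionCacheInfo& info) {
  if (info.failedChainBytes) return *info.failedChainBytes;
  return info.succeededChain;
}

// Runs the reporter's scenario: full handshake to an expired-certificate host
// with the error overridden, then a resumed connection to the same host.
std::optional<SessionCacheInfo> ResumedEntry(bool keepOverrideInfo) {
  SessionTokenCache cache(keepOverrideInfo);
  HandshakeResult first;
  first.token = {0xde, 0xad, 0xbe, 0xef};                        // constructed
  first.chain = {CertBytes{0x30, 0x01}, CertBytes{0x30, 0x02}};  // constructed DER stand-ins
  first.errorBits = kExpired;
  first.overridden = true;
  cache.Put("expired.badssl.com:443", first);
  return cache.Get("expired.badssl.com:443");
}

// Number of certificates the UI can show after resumption: 0 reproduces the
// empty about:certificate? tab, 2 is the behaviour once the chain is cached.
size_t CertsShownAfterResume(bool keepOverrideInfo) {
  auto entry = ResumedEntry(keepOverrideInfo);
  return entry ? ChainForPageInfo(*entry).size() : 0;
}

// Error bits restored on resumption (kNone when they were never cached).
uint32_t ErrorBitsAfterResume(bool keepOverrideInfo) {
  auto entry = ResumedEntry(keepOverrideInfo);
  return (entry && entry->errorBits) ? *entry->errorBits
                                     : static_cast<uint32_t>(kNone);
}
```

The intermittent nature of the report follows from the same model: only connections that actually resume an earlier session read the cache entry, so a fresh full handshake shows the chain and a resumed one shows nothing until the failed chain and error bits are stored alongside the token.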
Assignee
Comment 21•2 years ago
Yes, that sounds good. Like I mentioned in the meeting, bug 1781104 may have an effect on this if it lands first, though.
Assignee
Comment 22•2 years ago
Assignee
Comment 23•2 years ago
Depends on D158792
Comment 25•2 years ago
Comment 26•2 years ago
Backed out for causing Hybrid bustages on nsHashtablesFwd.h
- Backout link
- Push with failures
- Failure Log
- Failure line: /builds/worker/workspace/obj-build/dist/include/nsHashtablesFwd.h:83:1: error: implicit instantiation of undefined template 'mozilla::detail::nsKeyClass<nsCStringHashKey>'
Comment 27•2 years ago
Comment 28•2 years ago
bugherder
https://hg.mozilla.org/mozilla-central/rev/ce139e6cb2ca
https://hg.mozilla.org/mozilla-central/rev/81de17138505