Closed Bug 1720118 Opened 3 years ago Closed 2 years ago

SSL token cache doesn't handle connections with overridden errors well

Categories

(Core :: Networking: Cache, defect, P3)

defect

Tracking

RESOLVED FIXED
107 Branch
Tracking Status
firefox107 --- fixed

People

(Reporter: david.balazic, Assigned: keeler)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Whiteboard: qa-not-reproducible,[necko-triaged])

Attachments

(4 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0

Steps to reproduce:

Visit a (non-public) website that uses HTTPS and has an expired certificate.
Try to view certificate information (Page Info -> View Certificate)

Actual results:

this URL is opened: about:certificate? and the page is empty

Expected results:

actual certificate information should be shown

MS Edge behaves similarly (I did not explore it, I'm still getting used to its GUI).

MS IE shows the certificate info normally.

Additional information:

  • the web page itself is displayed by FF, as I added an exception for the invalid site certificate
  • the web page allows client certificate authentication, which I use
  • the site certificate is from a private (self signed) CA
  • the site certificate expired in december 2020

The Bugbug bot thinks this bug should belong to the 'Firefox::Security' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Security

Works for me on https://expired.badssl.com/, can you share the full URL of the about:certificate? page?

Flags: needinfo?(david.balazic)

this is the actual URL used: about:certificate?

There is no more of it. It ends at the question mark.

Flags: needinfo?(david.balazic)

It also works for me correctly on https://expired.badssl.com/
Must be something other than expiration affecting it.

Strange, I visited another very similar internal website, that also has an expired certificate from the same CA and it does not show this problem.
Wait, now I tried again (with the second website), and it happened: the opened URL is about:certificate? and it shows an empty page

Strange. Can't see what makes a difference.

Another thing: my website is an older development server and it uses weak encryption, TLS 1.0, RSA AES 128 CBC SHA, 128-bit key

Whiteboard: qa-not-reproducible

Hi,
Thanks for your report. https://expired.badssl.com/ is working on my end as well.
Could you please answer the following questions in order to further investigate this issue?

1- Does this issue happen with a new profile? Here is a link on how to create a new profile: https://support.mozilla.org/en-US/kb/profile-manager-create-remove-switch-firefox-profiles
2- Are you using add-ons? If so could you please list them? (You can try the issue while in Safe Mode. You can find helpful info here: https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode .)
3- Does this issue occur in the latest Nightly version of Firefox? Here is a link from where you can download it: https://www.mozilla.org/en-US/firefox/channel/desktop/

Thanks!
Clara

Flags: needinfo?(david.balazic)

Okay, thanks for reporting this, it would be great if we had a way to reproduce this on a public page :)

Blocks: cert-viewer
Summary: Firefox doe snot show data about expired server certificate → Firefox does not show data about expired server certificate

(In reply to Clara Guerrero from comment #7)

Hi,
Thanks for your report. https://expired.badssl.com/ is working on my end as well.
Could you please answer the following questions in order to further investigate this issue?

1- Does this issue happen with a new profile? Here is a link on how to create a new profile: https://support.mozilla.org/en-US/kb/profile-manager-create-remove-switch-firefox-profiles

Yes, it does. But again, not on first try. I opened the "Page Info" dialog several times, browsed around on the expired website, and only after about 5 tries did the certificate info show up empty.

2- Are you using add-ons? If so could you please list them? (You can try the issue while in Safe Mode. You can find helpful info here: https://support.mozilla.org/en-US/kb/troubleshoot-firefox-issues-using-safe-mode .)

Settings/Plugins shows:
OpenH264 Video Codec provided by Cisco Systems, Inc.
Widevine Content Decryption Module provided by Google Inc.

Settings/Extensions shows nothing.

If add-ons are another category of things, please say where they are listed.

3- Does this issue occur in the latest Nightly version of Firefox? Here is a link from where you can download it: https://www.mozilla.org/en-US/firefox/channel/desktop/

Will test. The above is using 90.0.

Nightly test:

could not reproduce (it can not be reliably reproduced on regular release either, but I tried about 10 times... so)

Another thing: if I open https://expired.badssl.com/ , the page info shows a certificate issued by ESET (the antivirus software I have installed), while https://www.ssllabs.com/ssltest/analyze.html?d=expired.badssl.com shows the issuer is COMODO. The same thing happens with Internet Explorer (it shows ESET instead of COMODO)

Flags: needinfo?(david.balazic)

Are you not getting the empty page anymore?
Best,
Clara

Flags: needinfo?(david.balazic)

v90.0.2: yes, I get it
Nightly: after installing Nightly and starting it, actually a new window of Firefox 90.0.2 opens. I installed Nightly 3 times in the last month and it worked fine until now. Please remind me in a few days and I'll try Nightly again then.

Flags: needinfo?(david.balazic)

Hi David, please let me know if it is still working fine on Nightly. If that's the case it means that this bug has already been resolved and it will eventually work on future Firefox Release versions.
When Release reaches Beta's actual version (92), you'll be able to see the fix. As per the Firefox Release Calendar, Release is expected to ship on 2021-09-07. You can find more info here: https://wiki.mozilla.org/Release_Management/Calendar
I'll wait for your confirmation to mark this ticket as resolved since once the natural cycle is complete you wouldn't have this bug.
Best,
Clara

Flags: needinfo?(david.balazic)

(In reply to David Balažic from comment #10)

Nightly test:

could not reproduce (it can not be reliably reproduced on regular release either, but I tried about 10 times... so)

Another thing: if I open https://expired.badssl.com/ , the page info shows a certificate issued by ESET (the antivirus software I have installed), while https://www.ssllabs.com/ssltest/analyze.html?d=expired.badssl.com shows the issuer is COMODO. The same thing happens with Internet Explorer (it shows ESET instead of COMODO)

I'm seeing COMODO for both examples, screenshots above

(In reply to Clara Guerrero from comment #13)

Hi David, please let me know if it is still working fine on Nightly. If that's the case it means that this bug has already been resolved and it will eventually work on future Firefox Release versions.
When Release reaches Beta's actual version (92), you'll be able to see the fix. As per the Firefox Release Calendar, Release is expected to ship on 2021-09-07. You can find more info here: https://wiki.mozilla.org/Release_Management/Calendar
I'll wait for your confirmation to mark this ticket as resolved since once the natural cycle is complete you wouldn't have this bug.
Best,
Clara

I'm marking this as Resolved-Incomplete due to lack of response. If the issue is still reproducible with the latest Firefox version, feel free to reopen the bug with more information.

Regards, Clara.

Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Resolution: --- → INCOMPLETE

I got this again.

Firefox version 102.0 64-bit

Clean profile.

Steps:

  • start Firefox with newly created profile (note: Firefox using other older profile still running in my case)
  • open https://expired.badssl.com/
  • click "Advanced... Accept the risk.." until the page is shown
  • left of URL bar click the padlock icon to open the menu and then open the Page Info dialog
  • in the dialog click "View Certificate"
  • close the certificate info tab and the Page Info dialog
  • click around in the web page (no links there, just to "shake" things)
  • open page source by ctrl+u
  • close the page source tab
  • reload by F5, then ctrl+F5
  • repeat the steps 4 and 5 to get the certificate info tab

Result:
after a few tries the certificate info tab will be empty, and its URL will be about:certificate?

The SSL token cache doesn't really handle situations where certificate errors have been overridden. For example, it doesn't save and restore the failed cert chain, which is what you're seeing here. It also doesn't save the error bits, which could be useful in terms of getting rid of the old mechanism that saves the cert error bits across resumed connections (RememberCertErrorsTable).
Kershaw - thoughts on how to approach this?

Status: RESOLVED → UNCONFIRMED
Component: Security → Networking: Cache
Flags: needinfo?(david.balazic) → needinfo?(kershaw)
Product: Firefox → Core
Resolution: INCOMPLETE → ---
Summary: Firefox does not show data about expired server certificate → SSL token cache doesn't handle connections with overridden errors well
Version: Firefox 89 → Trunk
Status: UNCONFIRMED → NEW
Ever confirmed: true

(In reply to Dana Keeler (she/her) (use needinfo) (:keeler for reviews) from comment #19)

The SSL token cache doesn't really handle situations where certificate errors have been overridden. For example, it doesn't save and restore the failed cert chain, which is what you're seeing here. It also doesn't save the error bits, which could be useful in terms of getting rid of the old mechanism that saves the cert error bits across resumed connections (RememberCertErrorsTable).
Kershaw - thoughts on how to approach this?

I'd be happy to make the token cache store error bits and the failed cert chain.
I might add the two following members to SessionCacheInfo.

  Maybe<nsTArray<nsTArray<uint8_t>>> mFailedCertChainBytes;
  Maybe<CertStateBits> mErrorBits;

Do you think this is enough?

Flags: needinfo?(kershaw) → needinfo?(dkeeler)
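A small model of the cache behaviour discussed in comments 19 and 20, added here as an illustration and not Firefox's code: a stand-in TokenCache that either keeps only the resumption token (the pre-fix behaviour, where a resumed overridden connection comes back with no chain for the certificate viewer) or also stores the proposed failed-chain and error-bit members. The CertChain, ConnectionInfo and TokenCache names, the ERR_* bits and the DER bytes are constructed stand-ins, not Firefox identifiers.

```cpp
#include <cstdint>
#include <map>
#include <optional>
#include <string>
#include <vector>

using CertChain = std::vector<std::vector<uint8_t>>;  // DER-encoded certificates
// Hypothetical error bits, a stand-in for the CertStateBits the comment names.
enum : uint32_t { ERR_NONE = 0, ERR_EXPIRED = 1u << 0 };
// What the certificate viewer needs from a connection, fresh or resumed.
struct ConnectionInfo {
  CertChain chain;         // on an overridden connection this is the failed chain
  uint32_t errorBits = 0;  // overridden error bits, ERR_NONE for a clean connection
};
// Cache entry; the two optional members mirror the proposal in the comment.
struct SessionCacheInfo {
  std::vector<uint8_t> token;                // resumption token (constructed)
  std::optional<CertChain> failedCertChain;  // proposed addition
  std::optional<uint32_t> errorBits;         // proposed addition
};

class TokenCache {
 public:
  // keepOverrideInfo=false models the cache before the fix: token only.
  void Put(const std::string& key, const ConnectionInfo& c, bool keepOverrideInfo) {
    SessionCacheInfo e{{0xAA, 0xBB}, std::nullopt, std::nullopt};
    if (keepOverrideInfo && c.errorBits != ERR_NONE) {
      e.failedCertChain = c.chain;
      e.errorBits = c.errorBits;
    }
    mCache[key] = e;
  }
  // Rebuild the viewer's input from a resumed session; an empty chain is the blank tab.
  std::optional<ConnectionInfo> Resume(const std::string& key) const {
    auto it = mCache.find(key);
    if (it == mCache.end()) return std::nullopt;
    return ConnectionInfo{it->second.failedCertChain.value_or(CertChain{}),
                          it->second.errorBits.value_or(ERR_NONE)};
  }
 private:
  std::map<std::string, SessionCacheInfo> mCache;
};

// One handshake with an overridden expired-certificate error, then a resumption.
ConnectionInfo ResumeAfterOverride(bool keepOverrideInfo) {
  ConnectionInfo fresh{{{0x30, 0x82, 0x01}}, ERR_EXPIRED};  // constructed DER stub
  TokenCache cache;
  cache.Put("expired.badssl.com:443", fresh, keepOverrideInfo);
  return *cache.Resume("expired.badssl.com:443");
}
```

With keepOverrideInfo=false the resumed connection carries neither the failed chain nor the error bits, which is the state the empty about:certificate? tab reflects; with it set, both survive resumption.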

Yes, that sounds good. Like I mentioned in the meeting, bug 1781104 may have an effect on this if it lands first, though.

Flags: needinfo?(dkeeler)
Severity: -- → S4
Priority: -- → P3
Whiteboard: qa-not-reproducible → qa-not-reproducible,[necko-triagged]
Whiteboard: qa-not-reproducible,[necko-triagged] → qa-not-reproducible,[necko-triaged]
Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/57b8a6400749
always use the TLS token cache r=kershaw,necko-reviewers,ci-and-tooling,jmaher
https://hg.mozilla.org/integration/autoland/rev/af570580e2f7
store certificate error override and failed certificate chain information in the TLS token cache r=kershaw,jschanck,necko-reviewers

Backed out for causing Hybrid bustages on nsHashtablesFwd.h

  • Backout link
  • Push with failures
  • Failure Log
  • Failure line: /builds/worker/workspace/obj-build/dist/include/nsHashtablesFwd.h:83:1: error: implicit instantiation of undefined template 'mozilla::detail::nsKeyClass<nsCStringHashKey>'
Flags: needinfo?(dkeeler)
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/ce139e6cb2ca
always use the TLS token cache r=kershaw,necko-reviewers,ci-and-tooling,jmaher
https://hg.mozilla.org/integration/autoland/rev/81de17138505
store certificate error override and failed certificate chain information in the TLS token cache r=kershaw,jschanck,necko-reviewers
Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 107 Branch
Flags: needinfo?(dkeeler)
Regressions: 1794950
Regressions: 1794886
Regressions: 1794883
Duplicate of this bug: 1584529
Depends on: 1873173