Open Bug 1726025 Opened 3 years ago Updated 2 years ago

When displaying a certificate's validity period and DST will change during this period, Firefox displays the wrong timezone description.

Categories

(Firefox :: Security, defect)

78 Branch
defect

UNCONFIRMED

People

(Reporter: andreas.ley, Unassigned)

Details

Attachments

(5 files)

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0

Steps to reproduce:

Visit an https website with a certificate with notBefore during DST and notAfter when DST is no longer in effect, e.g. (currently) https://opsi.scc.kit.edu/
Select Tools / Page Info / Security / View Certificate

I'm using firefox-esr 78.13.0esr-1~deb10u1 on Debian 10.10

Actual results:

Certificate is shown with e.g. this validity period (currently, from the aforementioned site):

Validity
Not Before 8/16/2021, 12:04:35 AM (Central European Summer Time)
Not After 11/13/2021, 11:04:33 PM (Central European Summer Time)

Expected results:

The actual dates on this certificate, as shown by OpenSSL, are:
notBefore=Aug 15 22:04:35 2021 GMT
notAfter=Nov 13 22:04:33 2021 GMT

so the conversion to localtime strings is actually correct (I know the locale issues with about:certificate) and the notAfter time shown takes into account that DST will have ended then; however, the textual timezone still suggests DST being in effect then. I would have expected something like

Not After 11/13/2021, 11:04:33 PM (Central European Time)

The Bugbug bot thinks this bug should belong to the 'Core::Security: PSM' component, and is moving the bug to that component. Please revert this change in case you think the bot is wrong.

Component: Untriaged → Security: PSM
Product: Firefox → Core
Component: Security: PSM → Security
Product: Core → Firefox
Attached image certificate.JPG

Hi, thanks for the report!

I'm trying to replicate on my end, and this is what's displayed when following your steps. Can you confirm my attachment is incorrect as you describe on your report?

Best,
Clara

Flags: needinfo?(andreas.ley)

Your attachment is not incorrect due to several reasons:

  1. Your validity period is displayed in gmtime, so it has no timezone to display incorrectly. However, I don't know how to control whether gmtime or localtime is displayed here :-(
  2. Out of dozens of websites on my server suitable as an example, Murphy drove me to choose the only one that isn't accessible worldwide – I'm sorry. You were redirected to an error message on another VHost with a certificate within the DST period, so even if your display would have been in localtime, it wouldn't have shown the error.

Please use https://www.mze.kit.edu/ as a better example. I'm attaching a screenshot of the display I'm getting. notAfter is 11/13/2021, 11:21:04 PM which is not CEST but CET, so the timezone description is incorrect.

To reproduce, you will have to change your certificate display to localtime. If this is dependent on locale, here are my settings:

LANG=en_US.UTF-8
LANGUAGE=en_US:en
LC_CTYPE=en_US.UTF-8

If it's dependent on /etc/timezone: it contains "Europe/Berlin".

Flags: needinfo?(andreas.ley)

I am not able to change the timezone successfully, any other suggestions?
Attaching what I'm seeing with https://www.mze.kit.edu/

Thanks and my apologies for the inconveniences!
Clara

Flags: needinfo?(andreas.ley)

Thanks for the effort you put into this!

I did not do anything at all to set or change the timezone; this is an out-of-the-box Debian buster with the default firefox-esr package – thus I don't know how to change this either :-(

Obviously, the time zone can be set/changed, and then exhibits the bug. Is there a User Manual or a Reference Manual for Firefox, like software had in the good old days? I've only found FAQs and KBs so far, but no real Manual :-/

Flags: needinfo?(andreas.ley)

Just to be sure, I created a fresh profile, and the bug (and the timezone display) stays, so it's not related to any (profile) setting or add-on.

I succeeded changing the display using the TZ environment variable, so you could try: env TZ=Europe/Berlin firefox

Some more tests: The current beta 92.0b6 as well as the current stable 91.0.1 have a different design (the horizontal rulers) and a different display (all times in GMT, did not succeed in changing to localtime). However, the ESR (either from Debian or directly downloaded from Mozilla) is able to display localtime, but does this wrong.

So to reproduce the bug, you might have to use the ESR (or find the documentation how to set the stable branch to localtime again).

Would this happen to be related to https://bugzilla.mozilla.org/show_bug.cgi?id=1302750 ?

In regards to your comment 3:

> To reproduce, you will have to change your certificate display to localtime. If this is dependent on locale, here are my settings:
>
> LANG=en_US.UTF-8
> LANGUAGE=en_US:en
> LC_CTYPE=en_US.UTF-8

Is this for about:config within ff or within windows' settings?
Best,
Clara

Flags: needinfo?(andreas.ley)

> Would this happen to be related to https://bugzilla.mozilla.org/show_bug.cgi?id=1302750 ?

Might or might not have a common cause – both exhibit a false timezone description, but while 1302750 has its time in UTC while displaying a non-UTC timezone description, in my case it's actually using localtime, but the timezone description is that for the current time (with DST in effect) while for the displayed notAfter time, DST will no longer be in effect, so the timezone description should describe the timezone that will be in effect then.

I don't know where in the code this happens, but there must be a subroutine that translates FFs internal timezone representation into a human-readable timezone description, and this translation has to take into account the actual point in time for which it is translating. Seems this always uses either current time or notBefore (or it only translates once and uses this description for both timestamps, which is an over-optimization).

> To reproduce, you will have to change your certificate display to localtime. If this is dependent on locale, here are my settings:
>
> LANG=en_US.UTF-8
> LANGUAGE=en_US:en
> LC_CTYPE=en_US.UTF-8
>
> Is this for about:config within ff or within windows' settings?

Neither; this is Linux, and these are the locale-related environment variables. So you would use a command like "env LANG=en_US.UTF-8 LANGUAGE=en_US:en LC_CTYPE=en_US.UTF-8 firefox-esr"

Flags: needinfo?(andreas.ley)
Severity: -- → S3
QA Whiteboard: qa-not-actionable, qa-not-reproducible
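
The reporter's point that the timezone description has to be resolved for the instant being displayed, as an added JavaScript example (not Firefox code and not part of the original report). The function names are hypothetical and `Intl.DateTimeFormat` is assumed as the formatter; the timestamps and the Europe/Berlin zone are the ones given in the report.

```javascript
// Added illustration, not Firefox source; all function names are hypothetical.
const ZONE = "Europe/Berlin"; // the reporter's /etc/timezone value

// Validity instants from the OpenSSL output quoted in the report (GMT).
const notBefore = new Date(Date.UTC(2021, 7, 15, 22, 4, 35));
const notAfter = new Date(Date.UTC(2021, 10, 13, 22, 4, 33));

// Long zone description in effect at one specific instant.
function zoneNameAt(instant, timeZone = ZONE) {
  const parts = new Intl.DateTimeFormat("en-US", {
    timeZone,
    timeZoneName: "long",
  }).formatToParts(instant);
  return parts.find((p) => p.type === "timeZoneName").value;
}

// Local wall-clock string without any zone label.
function localTime(instant, timeZone = ZONE) {
  return new Intl.DateTimeFormat("en-US", {
    timeZone,
    year: "numeric", month: "numeric", day: "numeric",
    hour: "numeric", minute: "2-digit", second: "2-digit",
  }).format(instant);
}

// Flawed pattern: the label is resolved once (here at notBefore) and
// reused for both rows, so a DST change inside the period is missed.
function renderValidityCachedLabel(nb, na, labelInstant = nb) {
  const label = zoneNameAt(labelInstant);
  return [nb, na].map((t) => `${localTime(t)} (${label})`);
}

// Corrected pattern: the label is resolved for each displayed instant.
function renderValidity(nb, na) {
  return [nb, na].map((t) => `${localTime(t)} (${zoneNameAt(t)})`);
}

// Regression check: rows whose label differs from the label valid at that instant.
function mislabelledRows(rows, instants) {
  return rows.filter((row, i) => !row.endsWith(`(${zoneNameAt(instants[i])})`));
}

console.log(renderValidityCachedLabel(notBefore, notAfter).join("\n"));
console.log(renderValidity(notBefore, notAfter).join("\n"));
```

The exact wording of the winter label depends on the ICU/CLDR data of the runtime, which is why the check compares labels per instant instead of matching a fixed string.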