Closed Bug 1779973 Opened 2 years ago Closed 2 years ago

Unable to connect to HP printer https management interface with SEC_ERROR_LIBRARY_FAILURE

Categories

(Core :: Security: PSM, defect, P1)

Tracking

RESOLVED FIXED
104 Branch
Tracking Status
firefox-esr91 --- unaffected
firefox-esr102 --- fixed
firefox102 --- wontfix
firefox103 --- fixed
firefox104 --- fixed

People

(Reporter: gerard-majax, Assigned: keeler)

References

(Regression)

Details

(Keywords: regression, Whiteboard: [psm-assigned])

Attachments

(5 files)

Repro with latest Firefox stable, Ubuntu 22.04 (both snap and our binaries), HP OfficeJet Pro 8615

STR:

  • Change printer name via web interface
  • Wait for restart
  • Try to access https-only admin parts

Expected:
I am presented with a warning that the self-signed certificate is harmful etc., I can override and continue using my printer

Actual:
Error message with SEC_ERROR_LIBRARY_FAILURE, totally impossible to override

Adding an exception in about:preferences#privacy does not help. Chromium shows a warning but allows overriding it.

Certificate details, showing a weird end date (14 April 1904). My guess is that our NSS code refuses to parse that or throws a bad error and we don't recover gently to allow overriding.

Certificate was added to the exceptions but this did not help.

Attached file hpoj8610.pem

Broken certificate

IMHO we have several problems here:
(1) We should allow overriding like Chromium does. Once I could access https management on Chromium, I could re-generate a self-signed cert and this time the end validity date was fine
(2) We should have had better error handling, somehow: I lost quite some time investigating this generic error code, unable to know whether it was because of a too old TLS or something else
(3) HP OfficeJet Pro 8615 is on its latest firmware, and I doubt a fix can be expected
(4) HTTPS is required for many simple-admin level steps, breaking its access makes the printer basically unusable quite soon

Hi Alexandre,

Thank you for reporting this bug and providing the certificate.

As a rule, we don't ever want to show SEC_ERROR_LIBRARY_FAILURE to the user. It is a catch-all generic response which is shown when our other error-handling code paths fail. We will take a look and see what we need to add in order to show the correct error code to the user and allow an override if suitable.

(In reply to Dennis Jackson from comment #5)

> Hi Alexandre,
>
> Thank you for reporting this bug and providing the certificate.
>
> As a rule, we don't ever want to show SEC_ERROR_LIBRARY_FAILURE to the user. It is a catch-all generic response which is shown when our other error-handling code paths fail. We will take a look and see what we need to add in order to show the correct error code to the user and allow an override if suitable.

Thanks! Do we have telemetry on how much we present SEC_ERROR_LIBRARY_FAILURE? It might be interesting to have a look, I'm 100% certain this was not showing a few months ago (I had no time yesterday to perform a mozregression)

Assignee: nobody → dkeeler
Severity: -- → S4
Component: Libraries → Security: PSM
Priority: -- → P1
Product: NSS → Core
Regressed by: 1751078
Whiteboard: [psm-assigned]
Version: other → unspecified

Set release status flags based on info from the regressing bug 1751078

(In reply to Alexandre LISSY :gerard-majax from comment #6)

> (In reply to Dennis Jackson from comment #5)
> Thanks! Do we have telemetry on how much we present SEC_ERROR_LIBRARY_FAILURE? It might be interesting to have a look, I'm 100% certain this was not showing a few months ago (I had no time yesterday to perform a mozregression)

We do. This probe shows a noticeable uptick in the latest beta, although the absolute number of impacted connections is pretty small. Given that those users will be unable to override the error, this might be a frustrating issue for them.

Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6e70f908fb5c
treat failure to parse certificate validity as a time error r=djackson
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 104 Branch
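
The error mapping named in the commit message above, as a small Python model added here; it is not the Firefox patch or PSM code. It assumes a verifier whose time parser rejects dates before the Unix epoch, and the outcome labels, function names and the time-of-day in the sample values are hypothetical.

```python
import calendar
import re

# Outcome labels are illustrative names for this model, not Firefox error codes.
OK, TIME_ERROR, GENERIC_FAILURE = "ok", "time-error (overridable)", "generic-failure (no override)"

# DER tag -> expected content layout (RFC 5280 forms, seconds present, "Z" suffix).
_FORMATS = {
    0x17: re.compile(rb"(\d\d)(\d\d)(\d\d)(\d\d)(\d\d)(\d\d)Z"),    # UTCTime
    0x18: re.compile(rb"(\d{4})(\d\d)(\d\d)(\d\d)(\d\d)(\d\d)Z"),   # GeneralizedTime
}

def parse_der_time(tlv: bytes) -> int:
    """Decode one DER UTCTime/GeneralizedTime TLV to seconds since the Unix epoch.

    Raises ValueError for malformed input and, by assumption, for any date
    before 1970, modelling a verifier whose time type starts at the epoch.
    """
    if len(tlv) < 2 or tlv[0] not in _FORMATS or tlv[1] != len(tlv) - 2:
        raise ValueError("not a well-formed DER time")
    m = _FORMATS[tlv[0]].fullmatch(tlv[2:])
    if not m:
        raise ValueError("bad time string")
    year, month, day, hour, minute, second = (int(g) for g in m.groups())
    if tlv[0] == 0x17:                      # RFC 5280: YY >= 50 means 19YY
        year += 1900 if year >= 50 else 2000
    if year < 1970:
        raise ValueError("date precedes the Unix epoch")
    if not (1 <= month <= 12 and 1 <= day <= calendar.monthrange(year, month)[1]
            and hour < 24 and minute < 60 and second < 60):
        raise ValueError("field out of range")
    return calendar.timegm((year, month, day, hour, minute, second))

def classify_validity(not_before: bytes, not_after: bytes, now: int,
                      parse_failure_is_time_error: bool = True) -> str:
    """Map the Validity field to an outcome; the flag switches old/new behaviour."""
    try:
        start, end = parse_der_time(not_before), parse_der_time(not_after)
    except ValueError:
        return TIME_ERROR if parse_failure_is_time_error else GENERIC_FAILURE
    return OK if start <= now <= end else TIME_ERROR

# Constructed sample values; only the 14 April 1904 end date comes from the report.
NOT_BEFORE = b"\x17\x0d" + b"140101000000Z"
NOT_AFTER_1904 = b"\x18\x0f" + b"19040414000000Z"
NOT_AFTER_2030 = b"\x17\x0d" + b"300101000000Z"
NOW = calendar.timegm((2022, 7, 18, 0, 0, 0))
```

With `parse_failure_is_time_error=False` the 1904 end date falls through to the generic, non-overridable outcome the reporter saw; with the default it is reported as a time error.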

The patch landed in nightly and beta is affected.
:keeler, is this bug important enough to require an uplift?

  • If yes, please nominate the patch for beta approval.
  • If no, please set status-firefox103 to wontfix.

For more information, please visit auto_nag documentation.

Flags: needinfo?(dkeeler)

Comment on attachment 9286344 [details]
Bug 1779973 - treat failure to parse certificate validity as a time error r?djackson

Beta/Release Uplift Approval Request

  • User impact if declined: Unintuitive, non-overridable certificate error in some cases.
  • Is this code covered by automated tests?: Yes
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: No
  • If yes, steps to reproduce:
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The change is small and doesn't do anything risky.
  • String changes made/needed: none
  • Is Android affected?: Yes

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: Users may not be able to access devices to configure them if they have certificates with dates from before the unix epoch.
  • User impact if declined: Unintuitive, non-overridable certificate error in some cases.
  • Fix Landed on Version: 104
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): The change is small and doesn't do anything risky.
Flags: needinfo?(dkeeler)
Attachment #9286344 - Flags: approval-mozilla-esr102?
Attachment #9286344 - Flags: approval-mozilla-beta?

Comment on attachment 9286344 [details]
Bug 1779973 - treat failure to parse certificate validity as a time error r?djackson

Converting to release uplift request, 103 is in RC. Will consider this in a dot release ridealong.

Attachment #9286344 - Flags: approval-mozilla-beta? → approval-mozilla-release?

Comment on attachment 9286344 [details]
Bug 1779973 - treat failure to parse certificate validity as a time error r?djackson

Approved for 103.0.2, thanks.

Attachment #9286344 - Flags: approval-mozilla-release? → approval-mozilla-release+

Comment on attachment 9286344 [details]
Bug 1779973 - treat failure to parse certificate validity as a time error r?djackson

Approved for 102.2esr.

Attachment #9286344 - Flags: approval-mozilla-esr102? → approval-mozilla-esr102+