Unable to connect to HP printer https management interface with SEC_ERROR_LIBRARY_FAILURE
Categories
(Core :: Security: PSM, defect, P1)
Tracking
()
| Release | Tracking | Status |
|---|---|---|
| firefox-esr91 | --- | unaffected |
| firefox-esr102 | --- | fixed |
| firefox102 | --- | wontfix |
| firefox103 | --- | fixed |
| firefox104 | --- | fixed |
People
(Reporter: gerard-majax, Assigned: keeler)
References
(Regression)
Details
(Keywords: regression, Whiteboard: [psm-assigned])
Attachments
(5 files)
- 224.42 KB, image/png
- 277.56 KB, image/png
- 195.97 KB, image/png
- 1.26 KB, application/x-x509-ca-cert
- 48 bytes, text/x-phabricator-request (dmeehan: approval-mozilla-release+, RyanVM: approval-mozilla-esr102+)
Repro with latest firefox stable, Ubuntu 22.04 (both snap and our binaries), HP OfficeJet Pro 8615
STR:
- Change printer name via web interface
- Wait for restart
- Try to access https-only admin parts
Expected:
I am presented with a warning that the self-signed certificate is harmful etc., I can override and continue using my printer
Actual:
Error message with SEC_ERROR_LIBRARY_FAILURE, totally impossible to override
Adding an exception in about:preferences#privacy does not help. Chromium shows a warning but allows overriding.
Comment 1•2 years ago (Reporter)
Certificate details, showing weird end date (14 April 1904). My guess is that our NSS code refuses to parse that or throws a bad error and we don't recover gently to allow overriding.
Comment 2•2 years ago (Reporter)
Certificate was added to the exceptions but this did not help.
Comment 3•2 years ago (Reporter)
Broken certificate
Comment 4•2 years ago (Reporter)
IMHO we have several problems here:
(1) We should allow overriding like Chromium does. Once I could access https management on Chromium, I could re-generate a self-signed cert and this time the end validity date was fine
(2) We should have had a better error handling, somehow: I lost quite some time investigating this generic error code, unable to know whether it was because of a too old TLS or something else
(3) HP OfficeJet Pro 8615 is on its latest firmware, and I doubt a fix can be expected
(4) HTTPS is required for many simple-admin level steps, breaking its access makes the printer basically unusable quite soon
Comment 5•2 years ago
Hi Alexandre,
Thank you for reporting this bug and providing the certificate.
As a rule, we don't ever want to show SEC_ERROR_LIBRARY_FAILURE to the user. It is a catch-all generic response which is shown when our other error-handling code paths fail. We will take a look and see what we need to add in order to show the correct error code to the user and allow an override if suitable.
Comment 6•2 years ago (Reporter)
(In reply to Dennis Jackson from comment #5)
> Hi Alexandre,
> Thank you for reporting this bug and providing the certificate.
> As a rule, we don't ever want to show SEC_ERROR_LIBRARY_FAILURE to the user. It is a catch-all generic response which is shown when our other error-handling code paths fail. We will take a look and see what we need to add in order to show the correct error code to the user and allow an override if suitable.

Thanks! Do we have telemetry on how much we present SEC_ERROR_LIBRARY_FAILURE? It might be interesting to have a look, I'm 100% certain this was not showing a few months ago (I had no time yesterday to perform a mozregression)
Comment 7•2 years ago
Set release status flags based on info from the regressing bug 1751078
Comment 8•2 years ago
(In reply to Alexandre LISSY :gerard-majax from comment #6)
> (In reply to Dennis Jackson from comment #5)
> Thanks! Do we have telemetry on how much we present SEC_ERROR_LIBRARY_FAILURE? It might be interesting to have a look, I'm 100% certain this was not showing a few months ago (I had no time yesterday to perform a mozregression)

We do. This probe shows a noticeable uptick in the latest beta, although the absolute number of impacted connections is pretty small. Given that those users will be unable to override the error, this might be a frustrating issue for them.
Comment 9•2 years ago (Assignee)
Comment 10•2 years ago
Pushed by dkeeler@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/6e70f908fb5c treat failure to parse certificate validity as a time error r=djackson
Comment 11•2 years ago
bugherder
Comment 12•2 years ago
The patch landed in nightly and beta is affected.
:keeler, is this bug important enough to require an uplift?
- If yes, please nominate the patch for beta approval.
- If no, please set status-firefox103 to wontfix.
For more information, please visit auto_nag documentation.
Comment 13•2 years ago (Assignee)
Comment on attachment 9286344 [details]
Bug 1779973 - treat failure to parse certificate validity as a time error r?djackson
Beta/Release Uplift Approval Request
- User impact if declined: Unintuitive, non-overridable certificate error in some cases.
- Is this code covered by automated tests?: Yes
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: No
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The change is small and doesn't do anything risky.
- String changes made/needed: none
- Is Android affected?: Yes
ESR Uplift Approval Request
- If this is not a sec:{high,crit} bug, please state case for ESR consideration: Users may not be able to access devices to configure them if they have certificates with dates from before the unix epoch.
- User impact if declined: Unintuitive, non-overridable certificate error in some cases.
- Fix Landed on Version: 104
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): The change is small and doesn't do anything risky.
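The failure mode discussed in this bug, as an added example that is not Firefox or NSS code: a validity parser that cannot represent dates before the Unix epoch (an assumption modelled on the uplift request above), with a flag that decides whether that parse failure becomes a catch-all error or a time error. All names are hypothetical, and the sample dates other than the 14 April 1904 end date are constructed.

```python
from datetime import datetime, timezone
from enum import Enum

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


class Verdict(Enum):
    OK = "ok"
    TIME_ERROR = "time error (user may override)"
    LIBRARY_FAILURE = "generic failure (no override)"


class ValidityParseError(ValueError):
    """The validity field is well-formed but not representable."""


def parse_generalized_time(text):
    """Parse 'YYYYMMDDHHMMSSZ'; reject times before the Unix epoch.

    The epoch limit is an assumption: it models a parser whose time
    type cannot hold earlier dates.
    """
    when = datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    if when < EPOCH:
        raise ValidityParseError(f"{text} is before the Unix epoch")
    return when


def check_validity(not_before, not_after, now, parse_failure_is_time_error):
    """Classify a certificate's validity period at time `now`."""
    try:
        start = parse_generalized_time(not_before)
        end = parse_generalized_time(not_after)
    except ValidityParseError:
        # This mapping decides whether the user is ever offered an override.
        if parse_failure_is_time_error:
            return Verdict.TIME_ERROR
        return Verdict.LIBRARY_FAILURE
    if now < start or now > end:
        return Verdict.TIME_ERROR
    return Verdict.OK


# Constructed sample: the start date is invented, the end date is the
# 14 April 1904 value from the report.
SAMPLE = ("20140101000000Z", "19040414000000Z")
NOW = datetime(2022, 7, 18, tzinfo=timezone.utc)
```

With the flag off, the sample yields the non-overridable verdict; with it on, the same certificate is reported like any other expired certificate.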
Comment 14•2 years ago
Comment on attachment 9286344 [details]
Bug 1779973 - treat failure to parse certificate validity as a time error r?djackson
Converting to release uplift request, 103 is in RC. Will consider this in a dot release ridealong.
Comment 15•2 years ago
Comment on attachment 9286344 [details]
Bug 1779973 - treat failure to parse certificate validity as a time error r?djackson
Approved for 103.0.2, thanks.
Comment 16•2 years ago
bugherder uplift
Comment 17•2 years ago
Comment on attachment 9286344 [details]
Bug 1779973 - treat failure to parse certificate validity as a time error r?djackson
Approved for 102.2esr.
Comment 18•2 years ago
bugherder uplift