Closed Bug 1821981 Opened 2 years ago Closed 2 years ago

Disable download of intermediate certificates to stop the error: "TypeError: NetworkError: Network request failed"

Categories

(Remote Protocol :: Agent, defect, P1)

Product:
Remote Protocol
Component:
Agent
Type:
defect
Points:
1

Tracking

(firefox-esr102 unaffected, firefox-esr115 fixed, firefox117 unaffected, firefox118 unaffected, firefox119 fixed)

Status:
RESOLVED FIXED
Milestone:
119 Branch
Tracking Flags:
Tracking Status
firefox-esr102 --- unaffected
firefox-esr115 --- fixed
firefox117 --- unaffected
firefox118 --- unaffected
firefox119 --- fixed

People

(Reporter: whimboo, Assigned: whimboo)

References

(Regression)

Details

(Keywords: regression, Whiteboard: [webdriver:m8])

Attachments

(2 files)

Bug 1821981 - [remote] Do not download intermediate certificates.
48 bytes, text/x-phabricator-request
Details | Review
Bug 1821981 - [wpt] Do not download intermediate certificates for wpt tests.
48 bytes, text/x-phabricator-request
Details | Review

There are lots and lots of those errors visible in the following wdspec job while Firefox is shutdown:

https://treeherder.mozilla.org/logviewer?job_id=408649751&repo=try&lineNumber=7756

[task 2023-03-12T11:45:43.524Z] 11:45:43     INFO - PID 1832 | console.error: RemoteSecuritySettings.jsm:
[task 2023-03-12T11:45:43.525Z] 11:45:43     INFO - PID 1832 |   Failed to download attachment: TypeError: NetworkError: Network request failed

The related line of source is:
https://searchfox.org/mozilla-central/rev/af78418c4b5f2c8721d1a06486cf4cf0b33e1e8d/security/manager/ssl/RemoteSecuritySettings.sys.mjs#446

I wonder if this caused the 2s delay during shutdown of this TSAN build.

Might make sense to set security.remote_settings.intermediates.enabled to false to disable intermediate preloading for those tests.

Severity: -- → S4
Priority: -- → P3
Whiteboard: [psm-backlog]

Thanks. Could you please explain what this pref is in detail for? Would any web-platform test be affected by changing its value? I'm asking because I see that this pref is not getting set to false for any other test beside xpcshell.

Flags: needinfo?(dkeeler)

That pref controls whether or not Firefox downloads the set of intermediate certificates for CAs in our root program. No web-platform test should be affected by changing it. It only helps with servers that are misconfigured and don't send the correct intermediate certificates in the TLS handshake.

Flags: needinfo?(dkeeler)

Thanks Dana! One more question through. In Marionette / WebDriver we allow to set a flag that toggles between accepting insecure certificates and not. Would setting this preference to false cause issues for tests when we only accept secure certificates, and there is no cert in the store? While wpt tests run isolated we do not know what users of WebDriver actually have in use for their browser testing or automation.

Flags: needinfo?(dkeeler)

The certificates used by marionette/webdriver wouldn't be in the intermediate preloading set anyway, so no, it should have no effect.

Flags: needinfo?(dkeeler)

Thanks Dana. So we can add this preference to Marionette for sure. Now I wonder if that is a PSM bug in general or just triggered due to the restricted environment in our CI so that the download fails and the error is correctly reported. If that is the case and nothing needs to be done on the PSM side lets move this bug back to Marionette. Otherwise I will file a new bug just for Marionette. Please let me know. Thanks.

Flags: needinfo?(dkeeler)

I think it's just a configuration issue - PSM is trying to download the intermediate certificates, but the environment isn't letting it. It's not a bug necessarily - PSM is just trying to do an operation that isn't going to succeed.

Flags: needinfo?(dkeeler)

Alright. Then lets move to Remote Agent and we can disable security.remote_settings.intermediates.enabled in the recommended preferences.

Severity: S4 → --
Component: Security: PSM → Agent
Priority: P3 → --
Product: Core → Remote Protocol
Summary: Console.error: RemoteSecuritySettings.jsm: Failed to download attachment: TypeError: NetworkError: Network request failed → Disable download of intermediate certificates to stop the error: "TypeError: NetworkError: Network request failed"

(In reply to Henrik Skupin [:whimboo][⌚️UTC+2] from comment #9)

Alright. Then lets move to Remote Agent and we can disable security.remote_settings.intermediates.enabled in the recommended preferences.

One questions through, when users of WebDriver want to have a specific intermediate certificate I assume it's still possible to install that in a pre-configured profile for testing? Setting this preference to false should then not affect testing specific websites for those users, right?

Flags: needinfo?(dkeeler)

Well, usually TLS servers include any necessary intermediates in the handshake. This feature is only for misconfigured servers, and generally not for testing scenarios.

Flags: needinfo?(dkeeler)

Ok, so lets see how it works. I pushed a try build for all wpt tests by also disabling this particular pref in /testing/profiles/web-platform:
https://treeherder.mozilla.org/jobs?repo=try&revision=55b94e796dbf06a4db1907395a94c8eba4d407ba

Assignee: nobody → hskupin
Status: NEW → ASSIGNED
Severity: -- → S3
Points: --- → 1
Priority: -- → P1
Whiteboard: [psm-backlog] → [webdriver:m8]
Pushed by hskupin@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/86b12ab25b29 [remote] Do not download intermediate certificates. r=webdriver-reviewers,jdescottes https://hg.mozilla.org/integration/autoland/rev/04436061c3f1 [wpt] Do not download intermediate certificates for wpt tests. r=keeler,webdriver-reviewers,Sasha

https://hg.mozilla.org/mozilla-central/rev/86b12ab25b29
https://hg.mozilla.org/mozilla-central/rev/04436061c3f1

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
status-firefox119: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → 119 Branch
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: