Disable download of intermediate certificates to stop the error: "TypeError: NetworkError: Network request failed"
Categories
(Remote Protocol :: Agent, defect, P1)
Tracking
(firefox-esr102 unaffected, firefox-esr115 fixed, firefox117 unaffected, firefox118 unaffected, firefox119 fixed)
| Tracking | Status | |
|---|---|---|
| firefox-esr102 | --- | unaffected |
| firefox-esr115 | --- | fixed |
| firefox117 | --- | unaffected |
| firefox118 | --- | unaffected |
| firefox119 | --- | fixed |
People
(Reporter: whimboo, Assigned: whimboo)
References
(Regression)
Details
(Keywords: regression, Whiteboard: [webdriver:m8])
Attachments
(2 files)
There are lots and lots of those errors visible in the following wdspec job while Firefox is shutdown:
https://treeherder.mozilla.org/logviewer?job_id=408649751&repo=try&lineNumber=7756
[task 2023-03-12T11:45:43.524Z] 11:45:43 INFO - PID 1832 | console.error: RemoteSecuritySettings.jsm:
[task 2023-03-12T11:45:43.525Z] 11:45:43 INFO - PID 1832 | Failed to download attachment: TypeError: NetworkError: Network request failed
|
Assignee | |
Comment 1•1 year ago
|
||
The related line of source is:
https://searchfox.org/mozilla-central/rev/af78418c4b5f2c8721d1a06486cf4cf0b33e1e8d/security/manager/ssl/RemoteSecuritySettings.sys.mjs#446
I wonder if this caused the 2s delay during shutdown of this TSAN build.
Might make sense to set security.remote_settings.intermediates.enabled to false to disable intermediate preloading for those tests.
|
|
Assignee | |
Comment 3•1 year ago
|
||
Thanks. Could you please explain what this pref is in detail for? Would any web-platform test be affected by changing its value? I'm asking because I see that this pref is not getting set to false for any other test beside xpcshell.
|
|
Assignee | |
Updated•1 year ago
|
That pref controls whether or not Firefox downloads the set of intermediate certificates for CAs in our root program. No web-platform test should be affected by changing it. It only helps with servers that are misconfigured and don't send the correct intermediate certificates in the TLS handshake.
|
|
Assignee | |
Comment 5•9 months ago
|
||
Thanks Dana! One more question through. In Marionette / WebDriver we allow to set a flag that toggles between accepting insecure certificates and not. Would setting this preference to false cause issues for tests when we only accept secure certificates, and there is no cert in the store? While wpt tests run isolated we do not know what users of WebDriver actually have in use for their browser testing or automation.
The certificates used by marionette/webdriver wouldn't be in the intermediate preloading set anyway, so no, it should have no effect.
|
|
Assignee | |
Comment 7•9 months ago
|
||
Thanks Dana. So we can add this preference to Marionette for sure. Now I wonder if that is a PSM bug in general or just triggered due to the restricted environment in our CI so that the download fails and the error is correctly reported. If that is the case and nothing needs to be done on the PSM side lets move this bug back to Marionette. Otherwise I will file a new bug just for Marionette. Please let me know. Thanks.
I think it's just a configuration issue - PSM is trying to download the intermediate certificates, but the environment isn't letting it. It's not a bug necessarily - PSM is just trying to do an operation that isn't going to succeed.
|
|
Assignee | |
Comment 9•9 months ago
|
||
Alright. Then lets move to Remote Agent and we can disable security.remote_settings.intermediates.enabled in the recommended preferences.
|
|
Assignee | |
Comment 10•9 months ago
|
||
(In reply to Henrik Skupin [:whimboo][⌚️UTC+2] from comment #9)
Alright. Then lets move to Remote Agent and we can disable
security.remote_settings.intermediates.enabledin the recommended preferences.
One questions through, when users of WebDriver want to have a specific intermediate certificate I assume it's still possible to install that in a pre-configured profile for testing? Setting this preference to false should then not affect testing specific websites for those users, right?
Well, usually TLS servers include any necessary intermediates in the handshake. This feature is only for misconfigured servers, and generally not for testing scenarios.
|
|
Assignee | |
Comment 12•9 months ago
|
||
Ok, so lets see how it works. I pushed a try build for all wpt tests by also disabling this particular pref in /testing/profiles/web-platform:
https://treeherder.mozilla.org/jobs?repo=try&revision=55b94e796dbf06a4db1907395a94c8eba4d407ba
|
|
Assignee | |
Comment 13•9 months ago
|
||
|
||
Updated•9 months ago
|
|
|
Assignee | |
Comment 14•9 months ago
|
||
Depends on D186967
|
|
Assignee | |
Updated•9 months ago
|
|
||
Comment 15•9 months ago
|
||
Pushed by hskupin@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/86b12ab25b29 [remote] Do not download intermediate certificates. r=webdriver-reviewers,jdescottes https://hg.mozilla.org/integration/autoland/rev/04436061c3f1 [wpt] Do not download intermediate certificates for wpt tests. r=keeler,webdriver-reviewers,Sasha
|
||
Comment 16•9 months ago
|
||
| bugherder | ||
https://hg.mozilla.org/mozilla-central/rev/86b12ab25b29
https://hg.mozilla.org/mozilla-central/rev/04436061c3f1
|
|
Assignee | |
Updated•8 months ago
|
|
|
||
Comment 17•7 months ago
|
||
| uplift | ||
https://hg.mozilla.org/releases/mozilla-esr115/rev/29bb401acd66 https://hg.mozilla.org/releases/mozilla-esr115/rev/dc2cce231ddb
|
||
Updated•7 months ago
|
Description
•