Closed Bug 190394 Opened 22 years ago Closed 22 years ago

"website certified by an unknown authority'" - nssckbi not found breaks PKI trust

Categories

(Core Graveyard :: Security: UI, defect)

Product:
Core Graveyard
Component:
Security: UI
Version:
Other Branch
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
critical

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: pascalc, Assigned: KaiE)

References

Details

Attachments

(2 files, 4 obsolete files)

Patch v3
3.10 KB, patch
Details | Diff | Splinter Review
Patch v3 ignoring whitespace
1.79 KB, patch
KaiE
: review+
darin.moz
: superreview+
asa
: approval1.3b+
Details | Diff | Splinter Review 
build 2003012315 WinXP

Steps :

1 go to a secure server like https://www.bnpnet.bnp.fr/ or
snews://secnews.netscape.com

expected result : enter site without problem
actual result : you get a "website certified by an unknown authority" message

build 2003012105 does not have this problem
Please read the component description first security holes belong in
security:general but not crypto
Assignee: mstoltz → ssaux
Component: Security: General → Client Library
Product: Browser → PSM
QA Contact: bsharma → junruh
Version: Trunk → unspecified
I can see this also on Win98 2003-01-23-15-trunk installer build 
(mozilla-win32-installer-sea.exe) with new profile.
It has not any authorities' certificates.
Confirming with the 1/24 WinXP build. There are no CA's in the Authorities tab.
Priority: -- → P3
Version: unspecified → 2.4
*** Bug 190430 has been marked as a duplicate of this bug. ***
seeing this on win2k also with commercial trunk build 2003-01-24-04-trunk

this dialog is appearing in place of the brief security dialog that is expected
to  pop up when entering a secure site.  depending on the site, the dialog may
pop up several times before actually entering the site.
Severity: normal → critical
Priority: P3 → --
Version: 2.4 → unspecified
adding chak to the CC: list in case he's seen this in the past.
Kaie, any ideas....thanks

I suspect this bug is caused by the repacking that seems to have been done.

There is one shared library used by PSM/NSS which contains the storage for known
and trusted root CA certificates. The library is "nssckbi".

This library is not linked with the other code (by design of NSS, as far as I
understand it).

Instead of a link time dependency, PSM/NSS try to open that library dynamically
during initialization. The logic tries to find the nssckbi library in the
directory where mozilla-bin is stored (I think).

Did you change the location where nssckbi can be found? That would explain the
failure. I'm not sure how to make it work again by any other approach than
moving it back to the previous location.

Note there is another behaviour (by design of NSS, I'm unsure what the reason
was), that can influence the problem reported in this bug.

NSS remembers the place where the last successfully loaded nssckbi was found.
This location is stored in file secmod.db, contained in the profile directory.
Note, however, that secmod.db stores other data, too.


If you can confirm the place where nssckbi is stored has changed, I suggest to
either undo that change, or to consult with the NSS team (wtc and relyea cc'ed)
what other solution could be used to allow the Mozilla application to find it.


Another snippet of information: This special handling of nssckbi seems to be a
common pitfall. I discovered that the creators of SuSE Linux 8.1 made a similar
mistake, trying to "optimize" the distribution of shared libraries on their
system, with the same bad consequence that on those systems, no CAs are trusted.
Depends on: 190357
I confirmed the problem. It is not a code problem, but it is a packaging problem.

On Windows, when installing Mozilla using a installer, file nssckbi.dll is not
getting installed. If I understand correctly, during the last days the packaging
structure of Mozilla has changed. Do you know the bug that tracked this change,
and who could point us to the new files that control what files are getting
installed? We must ensure that we add nssckbi back on all platforms.

As a separate test, I downloaded the same build, but not using an installer, but
in zip file format. This package contains the nssckbi.dll and everything works
correctly.


Not that not everybody might run into this problem, if you install the latest
builds into a separate directory, because your profile will remember the place
of a nssckbi.dll, and if you haven't deleted the older build, everything will
still appear to work.
Keywords: helpwanted
-> me
Status: NEW → ASSIGNED
Flags: blocking1.3b?
I see the nssckbi library now lives in the GRE directory.
I discussed the issue with nelsonb, to confirm it makes sense to have this
library in the GRE, as opposed to the application. We agreed the GRE is the
right place.

PSM has code that tries to find nssckbi if its location is not yet known.
As of today, it only searches in the application process directory. This was
fine in the day where there was no separation between GRE and application, but
now we must extend this strategy.

I saw it is possible to query the path of the GRE. I will attach a patch that
tries to load the nssckbi from the GRE directory first. Should that fail, it
falls back to the old strategy, looking in the application's directory.
Assignee: ssaux → kaie
Status: ASSIGNED → NEW
oops, found a bug in the patch, of course I should divide by sizeof(char*), not
by sizeof(char)...
Attached patch Patch v2 (obsolete) — Splinter Review 

        Attachment #112605 -
        Attachment is obsolete: true

    
    

    
  


  

        Attachment #112607 -
        Attachment is obsolete: true

    
  

        Attachment #112607 -
        Attachment is obsolete: false

    
  

        Attachment #112606 -
        Attachment is obsolete: true

    
    

    
  
Comment on attachment 112608 [details] [diff] [review]
Patch v2 (ignoring whitespace for easier reviewing)

I've test the patch, it fixes the problem on Windows.

Could you please review? Any reviews welcome, in the attempt to get this fixed
soon for 1.3 beta.

        Attachment #112608 -
        Flags: review?(dougt)
Flags: blocking1.3b? → blocking1.3b+

    
    

    
  
Reproduced with 2003-01-25-08...

Patch looks nice to me...
Shouldn't break anything.

    
    

    
  
*** Bug 190689 has been marked as a duplicate of this bug. ***

    
    

    
  
Comment on attachment 112608 [details] [diff] [review]
Patch v2 (ignoring whitespace for easier reviewing)

This looks okay.  do you expect mozFile to be valid at any point after the new
continue statement?

I think that you might have some spacing issues at the tail of this patch.  

i would have used an int instead of a size_t and named my variable i rather
than il, but that really isnt too important. :-)

assumping an okay answer for the "is mozFile expected to be valid" question.

        Attachment #112608 -
        Flags: review?(dougt) → review+

    
    

    
  
> This looks okay.  do you expect mozFile to be valid at any point after the new
> continue statement?

mozFile only has to be valid within the loop. Oh, good point. I have moved the
declaration of nsCOMPtr mozFile into the loop, to make sure the value from
earlier iterations won't get reused. I'll attach a slightly updated patch.


> I think that you might have some spacing issues at the tail of this patch.  

What you reviewed was created with "diff -w", the spacing should be fine in the
real patch.


> i would have used an int instead of a size_t and named my variable i rather
> than il, but that really isnt too important. :-)

When I used int, I got a "signed/unsigned warning", because the result of
sizeof/sizeof is unsigned.
I don't want to use i, because in the same function scope there is already
another loop using i.


    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch v3Splinter Review
      

    


  
Updated patch, moved declaration of nsCOMPtr into loop.

        Attachment #112607 -
        Attachment is obsolete: true

    
    

    
  


  

        Attachment #112608 -
        Attachment is obsolete: true

    
    

    
  
Comment on attachment 112748 [details] [diff] [review]
Patch v3 ignoring whitespace

carrying forward r=dougt
Darin, could you sr=?

        Attachment #112748 -
        Flags: superreview?(darin)

        Attachment #112748 -
        Flags: review+

    
    

    
  
*** Bug 190606 has been marked as a duplicate of this bug. ***

    
    

    
  
should this be a topembed bug? Should this be a 1.3b blocker?

    
    

    
  
Comment on attachment 112748 [details] [diff] [review]
Patch v3 ignoring whitespace

sr=darin

        Attachment #112748 -
        Flags: superreview?(darin) → superreview+

    
    

    
  
ssu: it is already a 1.3b blocker.


    
  

        Attachment #112748 -
        Flags: approval1.3b?

    
    

    
  
*** Bug 190861 has been marked as a duplicate of this bug. ***

    
    

    
  
Comment on attachment 112748 [details] [diff] [review]
Patch v3 ignoring whitespace

a=asa (on behalf of drivers) for checkin to 1.3beta.

        Attachment #112748 -
        Flags: approval1.3b? → approval1.3b+

    
  
Summary: "website certified by an unknown authority'" on all secure servers → "website certified by an unknown authority'" - nssckbi not found breaks PKI trust

    
    

    
  
Let us know if it is already checked into the trunk..  I have no way of knowing
it myself.

    
    

    
  
Checked in, marking fixed.

Status: NEW → RESOLVED
Closed: 22 years ago
Keywords: helpwanted
Resolution: --- → FIXED

    
    

    
  
*** Bug 190689 has been marked as a duplicate of this bug. ***

    
    

    
  
verified fixed with windows commercial trunk build 2003-01-28-04-trunk
Status: RESOLVED → VERIFIED

    
    

    
  
So far, so good for Win2000 using same build as Tracy reported.  This is for
some who reported problem with Win2000 even though the OS is reported as WinXP.

    
    

    
  
*** Bug 191097 has been marked as a duplicate of this bug. ***

    
  
Product: PSM → Core
Product: Core → Core Graveyard

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: