Closed Bug 312669 Opened 20 years ago Closed 17 years ago

FIPS enabled, no Master Password prompt & Updates fail

Categories

(Toolkit :: Application Update, defect)

Product:
Toolkit
Component:
Application Update
Version:
1.8 Branch
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla1.9

People

(Reporter: t3chnomanc3r, Unassigned)

References

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.12) Gecko/20050915 Firefox/1.0.7 FIPS enabled, Homepage is about:blank. Tools->Options->Advanced or Tools->Extensions. "Update" will fail and no prompt will be made to enter master password. Hit a page that causes prompt for Master Password, enter correctly, updates work fine. Manually Log In under Tools->Options->Advanced->Manage Security Devices, then run updates. This works fine, so it must be lack of access to whatever FIPS is protecting that causes updates fail. Didn't see problem until upgrade to FF 1.0.7, had not been using FIPS prior to FF 1.0.6. Problem appeared after doing 1.0.7 upgrade, restarting & checking for extension updates. Reproducible: Always Steps to Reproduce: Scenario #1: 1. Set master password. 2. Enable FIPS. 3. Set Homepage to about:blank (thus no prompt for master password). 4. restart browser. 5. Tools->Options->Advanced->Software Update->Check Now. Worse, Scenario #2: 1. Set master password. 2. Enable FIPS. 3. Set Homepage to about:blank (thus no prompt for master password). 4. restart browser. 5. Tools->Extensions. 6. Unselect all extensions. 7. Click Update. Actual Results: Scenario #1: Update will fail stating Firefox is having problems getting updates. Scenario #2: Update will show blank list of available updates (if any). Or An error stating Firefox is having problems getting updates. Both scenario's no prompting is made to enter Master Password. Expected Results: Prompt for Master Password and then do update check. Better, prompt for master password on start of browser rather than waiting for whatever event(s) it currently waits for.
Reporter, do you still see this problem with the latest Firefox 2? If not, can you please close this bug as WORKSFORME. Thanks!
Whiteboard: CLOSEME 07/20
Version: unspecified → 1.0 Branch
I am sure I'm one of the few people using the FIPS security feature which is why it's not gotten more attention. The problem still exists in latest FF 2.0.0.4 and given 1.5.x & 1.0.x are being retired I've updated the affected version info above. Problem: Clicking "Find Updates" in "Extensions" & "Themes" before doing an action that triggers FIPS authentication results in "An error occurred while trying to find updates for ...." error message. To avoid the error, automatically: 1. Access a site that needs acess to secured data (stored login credentials?) 2. Authenticate with FIPS password when prompted. 3. Run update function, works fine. To avoid the error, manually: 1. Open "Options" (alt-o). 2. Click "Advanced". 3. Click "Security Devices". 4. Under "NSS Internal FIPS PKCS #11 Module" select "PSM Internal FIPS-140-1 Cryptogr". 6. Click "Log In". 7. Authenticate with FIPS password when prompted. 8. OK back out of dialogs to main window. 9. Run update function, works fine. Fix: As I said before the fix should be that if you have FIPS enabled, FF should prompt you to FIPS authenticate at start up before doing anything else NOT as needed like it does now. The alternative is a kludge of verifying all "as needed" FIPS protected data accesses trigger proper handling which could be a problem if a section of code does not obviously touch something FIPS protected as seems to be the case with the update function.
Version: 1.0 Branch → 2.0 Branch
t3chnomanc3r, is this just Add-ons update ? (Tools > Options > Find Updates) Or the Application update too ? (Help > Check for Updates).
Just confirmed this bug in the latest version of Firefox (Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.8.1.6) Gecko/20070725 Firefox/2.0.0.6). It does happen here in the Application update, too. When choosing (Help > Check for updates) I get an error message telling me that it could not check for updates because "AUS: Update XML File Malformed (200)". Neither do the updates for Add-ons (Extensions/Themes) work; there is an error message for each installed Add-on in the list. I think, the reason the update check fails is that it is trying to connect to a https: server and maybe therefore needs the FIPS module to be logged into with the master password. Which it never asks for during the update check and so it fails. It seems to me that Bug #358734 is a duplicate of this one.
Product: Firefox → Toolkit
This bug is still valid in Firefox 2.0.0.16 with FIPS enabled and without having entered a master password fails. Manually checking for software updates (help -> check for updates) for the application fails with the following error in a popup: AUS: Update XML File Malformed (200) Manually checking for updates for add-ons (tools -> add-ons -> find updates) fails without a popup, but shows "No updates were found." info line and under each extension: "An error occured while trying to find updates for <extension name>." With extensions.logging.enabled you see it's checking for https://... and failing with status 4.
Status: UNCONFIRMED → NEW
Ever confirmed: true
In Firefox 3.0.1 you *do* get prompted for the master password before. You only get the errors if you don't enter your master password.
Whiteboard: CLOSEME 07/20
As I said in comment #6 this is fixed on Toolkit 1.9, so for both FX3 and TB3. If this is not a security issue, this issue can probably be resolved, fixed. If it is a security issue, it should probably be blocking next 1.8 release?
Indeed it's working properly for me in FF3.01, kudos to the developers!
Status: NEW → RESOLVED
Closed: 17 years ago
OS: Windows XP → All
Hardware: PC → All
Resolution: --- → FIXED
Target Milestone: --- → mozilla1.9
You need to log in before you can comment on or make changes to this bug.