Closed Bug 362980 Opened 18 years ago Closed 18 years ago

Unable to verify the identity of [www.something.com] as a trusted site

Categories

(Core Graveyard :: Security: UI, defect)

Product:
Core Graveyard
Component:
Security: UI
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
major

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: Peter6, Assigned: KaiE)

References

Details

(Keywords: regression)

Attachments

(2 files, 1 obsolete file)

screenshot
10.65 KB, image/png
Details
Patch v2
2.16 KB, patch
KaiE
: review+
Details | Diff | Splinter Review 
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20061206 Minefield/3.0a1 ID:2006120608 [cairo]

for every https site I open I get the above message

(screenshot next)
Attached image screenshot 

    
    

    
  
I can confirm this bug.

After some initial debugging on Windows, our code to load the roots module nssckbi.dll runs without failures in NSS, but still, cert manager does not display any root certs.

On Linux the patch from bug 176501 seems to work correct, and I still get all the roots.

Backing out the patch from bug 176501 makes it work again.
If I don't find the reason shortly, I'll back it out from cvs.

Status: NEW → ASSIGNED

    
    

    
  
Although the call to SECMOD_LoadUserModule does not fail on Windows, it seems to be the culprit. Well, at least the way we call it does not work.

We call it with params
  name="Builtins Root Module" library="full-path-to-dll"

But when I change this to call use SECMOD_AddNewModule with the same full-path-to-dll, it works correctly.


    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch v1 (obsolete)
        — Splinter Review
      

    


  
We need to escape backslashes in the parameter string passed on to NSS!

        Attachment #247740 -
        Flags: review?(rrelyea)

    
    

    
  
Comment on attachment 247740 [details] [diff] [review]
Patch v1

r+= relyea

This will get the tree working as is correct.
Since you are in C++, you may want a version of addEscape that works with C++ strings and avoid the C alloc (optional).

        Attachment #247740 -
        Flags: review?(rrelyea) → review+

    
    

    
  
Comment on attachment 247740 [details] [diff] [review]
Patch v1

For better style, you should use the exact same expression (i.e.,
reorder one of the expressions) in both of these if statements:

>+        if ((*src == quote) || (*src == '\\')) escapes++;

>+        if ((*src == '\\') || (*src == quote)) {
>+            *dest++ = '\\';
>+        }

I don't understand why nss_addEscape needs the 'quote' argument because that
argument is always '\"'.  Also, do you really need to quote "?  I don't see
how 'fullLibraryPath' (the return value of PR_GetLibraryName) can contain ".

        Attachment #247740 -
        Flags: review?(rrelyea)

    
    

    
  
I didn't mean to remove Bob's review+ on patch v1.  It's caused
by a bug in Bugzilla when two people review a patch at the same time.

    
    

    
  
(In reply to comment #6)
> Since you are in C++, you may want a version of addEscape that works with C++
> strings and avoid the C alloc (optional).

Since we already have a function that is known to work, I think using it is fine. I think C++ code that inserts escape chars would require one additional allocation, too.


(In reply to comment #7)
> For better style, you should use the exact same expression (i.e.,
> reorder one of the expressions) in both of these if statements:
> 
> >+        if ((*src == quote) || (*src == '\\')) escapes++;
> 
> >+        if ((*src == '\\') || (*src == quote)) {
> >+            *dest++ = '\\';
> >+        }

ok, changed


> I don't understand why nss_addEscape needs the 'quote' argument because that
> argument is always '\"'.  Also, do you really need to quote "?  I don't see
> how 'fullLibraryPath' (the return value of PR_GetLibraryName) can contain ".

Wan-Teh, I did not write this function, I copied it over from NSS. This is a general purpose function.


    
    

    
  
Comment on attachment 247740 [details] [diff] [review]
Patch v1

setting back r=rrelyea

        Attachment #247740 -
        Flags: review?(rrelyea) → review+

    
    

    
  

      
      
      
      

        Attached patch
          
          
        Patch v2Splinter Review
      

    


  
Slightly improved patch as proposed by Wan-Teh, this patch has r=rrelyea and r=wtchang

        Attachment #247740 -
        Attachment is obsolete: true

        Attachment #247813 -
        Flags: review+

    
  
No longer blocks: 176501
Depends on: 176501

    
    

    
  
fixed on trunk
Status: ASSIGNED → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED

    
    

    
  
Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20061207 Minefield/3.0a1 ID:2006120705 [cairo]

VERIFIED/FIXED

thanks
Status: RESOLVED → VERIFIED

    
    

    
  
(In reply to comment #13)
> Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.9a1) Gecko/20061207
> Minefield/3.0a1 ID:2006120705 [cairo]
> 
> VERIFIED/FIXED
> 
> thanks

Still not working for me with build 2006-12-07-20 of SeaMonkey trunk on Windows XP (stub installer); why the disparity here? 



    
    

    
  
(In reply to comment #14)
> Still not working for me with build 2006-12-07-20 of SeaMonkey trunk on Windows
> XP (stub installer); why the disparity here? 

I confirm this. But I hope the machine who builds that seamonkey package pulled to late, and did not yet include the patch. Can not think of any other reason currently.

While I'm writing this, the latest windows seamonkey stub installer in latest-trunk is still 2006-12-07-08, from yesterday.

Don't understand where you got a newer 2006-12-07-20 from!

Let's wait until a newer seamonkey package shows up in latest-trunk.


    
    

    
  
(In reply to comment #9)

OK, I now understand why the double quote (") needs to be escaped.

Since you only call nss_addEscape with quote='\"', nss_addEscape
doesn't need the 'quote' parameter.  I did suspect that you copied
nss_addEscape from NSS.  When nss_addEscape is taken from its original
context, the 'quote' parameter serves no purpose and may confuse people.
This is just a nit, so feel free to ignore it.

    
    

    
  
(In reply to comment #14)
> Still not working for me with build 2006-12-07-20 of SeaMonkey trunk on Windows
> XP (stub installer); why the disparity here? 

This is now working for me.
It looks like the earlier builds indeed had not picked up the patch.


    
    

    
  
As of right now, this does not appear to be fixed for me. I checked out from trunk this morning and verified that this patch is applied to the sources, however I still get the listed error.

Gentoo Linux (2.6.19) AMD64

    
    

    
  
Dustin, do you get this error message with a particular site only, or with any https sites?

You build yourself?
How do you run your build? cd dist/bin/; ./firefox ?
Does your dist/bin directory contain the libnssckbi.so file?


    
    

    
  
(In reply to comment #19)
> Dustin, do you get this error message with a particular site only, or with any
> https sites?
> 
> You build yourself?
> How do you run your build? cd dist/bin/; ./firefox ?
> Does your dist/bin directory contain the libnssckbi.so file?
> 
This error comes up on all HTTPS websites.

I built Minefield myself from CVS code.
Gentoo uses a stub script to call firefox.  I modified it slightly to call minefield. See:

#!/bin/sh
#
# Stub script to run mozilla-launcher.  We used to use a symlink here
# but OOo brokenness makes it necessary to use a stub instead:
# http://bugs.gentoo.org/show_bug.cgi?id=78890

export MOZILLA_LAUNCHER=firefox
export MOZILLA_LIBDIR=/usr/lib64/minefield
export MOZ_PLUGIN_PATH=${MOZ_PLUGIN_PATH:-/usr/lib64/nsbrowser/plugins}
exec /usr/libexec/mozilla-launcher "$@"

I don't have a dist/bin directory, and nowhere else exists "libnssckbi.so" in my firefox installation directory.  I do however, have the file under /usr/lib64/nss/, though this belongs to a package called "dev-libs/nss-3.11.4," upon which firefox, thunderbird, and minefield all depend.

    
    

    
  
This might be a packaging issue.

I'm not a Gentoo user, but the location you quote does not sound right.

Could you please verify the directory that contains file libnssckbi.so is in the library search path?

For example on Fedora Linux, which also packages the NSS library files in a package separately from the applications, the file libnssckbi.so gets installed in /usr/lib



    
    

    
  
(In reply to comment #21)
> This might be a packaging issue.
> 
> I'm not a Gentoo user, but the location you quote does not sound right.
> 
> Could you please verify the directory that contains file libnssckbi.so is in
> the library search path?
> 
> For example on Fedora Linux, which also packages the NSS library files in a
> package separately from the applications, the file libnssckbi.so gets installed
> in /usr/lib
> 
Clearly, this is not an issue with Minefield. I symlinked /usr/lib/nss/libnssckbi.so into /usr/lib64/minefield and the problem was corrected. I will look into the problem with Gentoo. Thanks for your help.

Product: Core → Core Graveyard

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: