Bug 402602
Opened 17 years ago
Closed 17 years ago
https://paypal.com doesn't trigger the netError page that allows exceptions
Categories
(Core Graveyard :: Security: UI, defect, P2)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: beltzner, Assigned: KaiE)
Attachments (1 file)
patch, 1.62 KB | rrelyea: review+
Bug 401575 added a special Firefox-only netError page for SSL errors which allowed users to add exceptions.
That page is triggered by https://amazon.com, but not by https://paypal.com
STR:
1. Get a Firefox trunk build from Nov 3 or later
2. Go to https://paypal.com
Expected: UI allowing me to add an exception from that page
Actual: stone-wall UI with different netError page
Comment 1 • 17 years ago
It looks from the longDesc text as though paypal.com is triggering an nssFailure2 error instead of nssBadCert? Maybe there are other errors with the certificate as well? It seems odd that we would get the mismatch error shortDesc text in that case, though.
Adding an alert to netError.xhtml confirms that for paypal.com, the error code is nssFailure2, not nssBadCert.
OS: Mac OS X → All
Hardware: PC → All
Comment 2 (Assignee) • 17 years ago
I have a fix
Comment 3 (Assignee) • 17 years ago
This is what happened:
- we detect the bad cert
- we set the error code (bad_cert_domain)
- we set the error string (that shows up on the error page)
In the past, producing the error string was a trivial operation.
It did not involve calls to NSS.
But recently we changed the code that produces the error message to be more complex. It makes calls into NSS to obtain the list of valid names. As part of this, we try to query the subject alt name extension. If that's not available, NSS will set an error code.
So, NSS will overwrite our earlier error code, set it to SEC_ERROR_UNRECOGNIZED_OID, which was treated as a protocol error code (thus the other error page).
The solution is to complete all the error message logic, and set the error code for external reporting as the last action.
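The ordering problem described in comment 3, as an added example that is not part of this bug or its attached patch. It is a stand-alone model: the shared error slot, the certificate struct, every function name and the numeric codes are constructed for illustration and are not NSS or PSM identifiers.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-ins for the codes named in comment 3 (not NSS's values). */
enum { ERR_NONE = 0, ERR_BAD_CERT_DOMAIN = 1, ERR_UNRECOGNIZED_OID = 2 };

/* One shared "last error" slot that any library-style call may overwrite. */
static int last_error = ERR_NONE;
static void set_error(int code) { last_error = code; }

/* Hypothetical cert model: alt_names is NULL when the extension is absent. */
struct cert { const char *common_name; const char *alt_names; };

/* Library-style lookup: a missing extension fails AND sets the error slot. */
static const char *lookup_alt_names(const struct cert *c) {
    if (!c->alt_names) { set_error(ERR_UNRECOGNIZED_OID); return NULL; }
    return c->alt_names;
}

/* Builds the error page text; it calls into the "library" to list names. */
static void build_message(const struct cert *c, char *buf, size_t n) {
    const char *names = lookup_alt_names(c);
    snprintf(buf, n, "certificate is only valid for %s",
             names ? names : c->common_name);
}

/* Page choice as described in comments 1 and 3. */
static const char *error_page(int code) {
    return code == ERR_BAD_CERT_DOMAIN ? "nssBadCert" : "nssFailure2";
}

/* Before: the code is set first, then clobbered by the message logic. */
static const char *report_before_fix(const struct cert *c, char *buf, size_t n) {
    set_error(ERR_BAD_CERT_DOMAIN);
    build_message(c, buf, n);
    return error_page(last_error);
}

/* After: finish all message logic, set the reported code as the last action. */
static const char *report_after_fix(const struct cert *c, char *buf, size_t n) {
    build_message(c, buf, n);
    set_error(ERR_BAD_CERT_DOMAIN);
    return error_page(last_error);
}

int main(void) {
    struct cert no_san = { "www.example.test", NULL };  /* constructed sample */
    char msg[128];
    printf("before: %s\n", report_before_fix(&no_san, msg, sizeof msg));
    return strcmp(report_after_fix(&no_san, msg, sizeof msg), "nssBadCert") != 0;
}
```

A certificate that does carry the extension never hits the failing lookup, so in this model both orderings pick the same page for it; only the missing-extension case exposes the clobbered code.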
Comment 4 (Assignee) • 17 years ago
Attachment #287458 -
Flags: review?(rrelyea)
Updated (Reporter) • 17 years ago
Flags: blocking1.9?
Comment 6 (Assignee) • 17 years ago
Raising priority, because there is a trivial fix available.
Priority: P3 → P2
Updated • 17 years ago
Attachment #287458 -
Flags: review?(rrelyea) → review+
Comment 7 (Assignee) • 17 years ago
fixed
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Updated • 8 years ago
Product: Core → Core Graveyard