Closed Bug 402602 Opened 17 years ago Closed 17 years ago

https://paypal.com doesn't trigger the netError page that allows exceptions

Categories

(Core Graveyard :: Security: UI, defect, P2)

Product:
Core Graveyard
Component:
Security: UI
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: beltzner, Assigned: KaiE)

References

(
URL
)

Details

Attachments

(1 file)

Patch v1
1.62 KB, patch
rrelyea
: review+
Details | Diff | Splinter Review 
Bug 401575 added a special Firefox-only netError page for SSL errors which allowed users to add exceptions.

That page is triggered by https://amazon.com, but not by https://paypal.com

STR:
1. Get a Firefox trunk build from Nov 3 or later
2. Go to https://paypal.com

Expected: UI allowing me to add an exception from that page
Actual: stone-wall UI with different netError page
It looks from the longDesc text as though paypal.com is triggering an nssFailure2 error instead of nssBadCert?  Maybe there are other errors with the certificate as well?  It seems odd that we would get the mismatch error shortDesc text in that case, though.

Adding an alert to netError.xhtml confirms that for paypal.com, the error code is nssFailure2, not nssBadCert.
OS: Mac OS X → All
Hardware: PC → All
I have a fix
This is what happened:

- we detect the bad cert
- we set the error code (bad_cert_domain)
- we set the error string (that shows up on the error page)

In the past, producing the error string was a trivial operation.
It did not involve calls to NSS.

But recently we changed the code that produces the error message to be more complex. It makes calls into NSS to obtain the list of valid names. As part of this, we try to query the subject alt name extension. If that's not available, NSS will set an error code.

So, NSS will overwrite our earlier error code, set it to SEC_ERROR_UNRECOGNIZED_OID, which was treated as a protocol error code (thus the other error page).


The solution is to complete all the error message logic, and set the error code for external reporting as the last action.
Attached patch Patch v1Splinter Review 

        Attachment #287458 -
        Flags: review?(rrelyea)
Flags: blocking1.9?

    
    

    
  
+'ing. P3.
Flags: blocking1.9? → blocking1.9+
Priority: -- → P3

    
    

    
  
Raising priority, because there is a trivial fix available.

Priority: P3 → P2

    
  

        Attachment #287458 -
        Flags: review?(rrelyea) → review+

    
    

    
  
fixed
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
Product: Core → Core Graveyard

          You need to log in
          before you can comment on or make changes to this bug.
        






  

    
  







  

    

      
Attachment

      

      
      
      
      
    

    

      

        

          

            
General

            

              Creator: 



            

            
Created: 

            
Updated: 

            
Size: