Closed Bug 439028 Opened 16 years ago Closed 16 years ago

Can not confirm SSL security exception (dialog instead of HTML page) on a domain whose name is translated to an IPv6 address

Categories

(Core :: Security: PSM, defect)

PowerPC
macOS
defect
Not set
major

RESOLVED DUPLICATE of bug 435558

People

(Reporter: l3g3nd4ryf0x, Assigned: KaiE)

Attachments

(1 file)

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; it; rv:1.9) Gecko/2008061004 Firefox/3.0
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; it; rv:1.9) Gecko/2008061004 Firefox/3.0

If I connect to a website in my local network (https://castor.local/) there's a dialog (NOT an error page, a dialog) which says that the certificate isn't valid because it is self-signed (sec_error_untrusted_issue is the error code). There are four issues about this message:

1) I don't know why for every self-signed certificate there is a page, not a dialog, with the error.

2) The page gives me the ability to add a security exception, while the dialog does not.

3) The dialog contains some HTML code (an <a> link) that is displayed instead of interpreted.

4) When I browse the same website directly using its IP address (https://192.168.1.x) the security message appears in a page, as expected, with the ability to add a security exception.

This problem is tremendously annoying, because I basically cannot browse the website: there's no possibility to add the exception! The certificate cannot even be manually added in Preferences -> Advanced -> Security -> Show certificates (I don't know the exact translation, I use the Italian localization).

Reproducible: Always

I don't know why local names should cause different behaviour here. Transferring to PSM.
Assignee: nobody → kaie
Component: Security → Security: PSM
Product: Firefox → Core
QA Contact: firefox → psm

The dialog comes up sometimes and usually only on the first SSL related error (or on a fairly new session after starting FF3). The dialog shouldn't appear, but besides that I think this bug is invalid. Perhaps we should change the title to relate to the wrongful popup window.

> 3) The dialog contains some HTML code (an <a> link) that is displayed instead
> of interpreted.

That's bug 439062

Kai, I think that bug 439062 isn't related. More specifically:

Sometimes and only during first SSL error a dialog window pops up which looks weird with links in it. Once closed the regular page is displayed underneath. I'll try to catch a screen shot next time it happens.

(In reply to comment #2)
> The dialog comes up sometimes and usually only on the first SSL related error
> (or on a fairly new session after starting FF3). The dialog shouldn't appear,
> but besides that I think this bug is invalid. Perhaps we should change the
> title to relate to the wrongful popup window.

I've added a screenshot

(In reply to comment #4)
> Kai, I think that bug 439062 isn't related. More specific:
> 
> Sometimes and only during first SSL error a dialog window pops up which looks
> weird with links in it. Once closed the regular page is displayed underneath.
> I'll try to catch a screen shot next time it happens.

I've posted a screenshot with the situation.

I'm sorry but this window, in my case, shows up *every time* I try to open that website, not only the first time, and I've never had any other problems with invalid SSL certificates from other websites.

This is why I marked the reproducibility as "Always": because it *always* happens by visiting that website. Maybe it's not related to a ".local" domain, but the steps to reproduce the bug are very simple for me: I simply type https://castor.local.

We need to either confirm or close this bug. Clearly parts of this are covered by other bugs: bug 439062 covers the ugly html in the dialog and bug 431712 covers the case where you get both a dialog and an error page.

Is there any remaining unique issue covered by this bug? I guess there's an enhancement request that the dialog also have a link to the "add an exception" mechanism but I'm not sure we can pull that off: the dialog is primarily for non-browser PSM clients and the current exception UI is part of the browser rather than PSM. I guess the PSM embedding client could register a callback or something.
Depends on: 431712, 439062

I made a test right now, and I think I've managed to understand when exactly the problem occurs: the ".local" domains on my network are translated to both IPv6 and IPv4 addresses.

By disabling IPv6 in Firefox (network.dns.disableIPv6=true in about:config) the problem simply went away, meaning I've an error page (not an error dialog) and I can confirm the security exception.

So there is a unique issue, and it's probably related to the way Firefox translates host names into IP addresses. Somebody should check if in the other bugs you mentioned the problem occurs with IPv6 addresses.

I'm going to change the bug title to something more appropriate.
Summary: Can not confirm SSL certificate security exception on a .local (mDNS) domain → Can not confirm SSL security exception (dialog instead of HTML page) on a domain whose name is translated to an IPv6 address

There's more.

If I leave IPv6 enabled, but I add my ".local" domain in the variable network.dns.ipv4OnlyDomains, when I connect to my https website *both* error page *and* error dialog appear!

Hope this helps...

The mention of IPv6 made me wonder if this had something to do with bug 413909 but that was fixed in time for release, I believe, so I wouldn't expect to see this behaviour on released versions of FF3 if that was the cause. Nevertheless, I'll copy Honza in too.

This is clearly a duplicate of bug 435558.

I can confirm that calling any host on the .local domain on OS X yields this error.

.local is also the default suffix for the localhost (because of Bonjour), so this is very easy to reproduce:

This is also a showstopper for people doing ad-hoc networks with Bonjour auto-discovery (all hosts in such a network are likely to have a .local suffix)

a) write down the name of your Mac in the Sharing tab of system prefs
b) make a self-signed cert for CN with this name with .local suffix ("MyBook.local") and plug it into a server, start the server up
c) browse to "https://MyBook.local"

Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE