ASSERTION: found EV root with unexpected SHA1 mismatch: 'sha1 == fingerprint'

RESOLVED FIXED in mozilla1.9.1

Status

Core
Security: PSM
RESOLVED FIXED
8 years ago
4 years ago

People

(Reporter: Tomcat, Assigned: kaie)

Tracking

(Blocks: 1 bug, {assertion, regression})

1.9.1 Branch
mozilla1.9.1
x86
All
assertion, regression

Firefox Tracking Flags

(blocking1.9.1 needed, status1.9.1 wanted)

Details

(Whiteboard: [crashkill-automation], URL)

(Reporter)

Description

8 years ago
Steps to reproduce - 1.9.1 Mac Debug Build.

Load a site like https://www.mozilla.com - triggers :

###!!! ASSERTION: found EV root with unexpected SHA1 mismatch: 'sha1 == fingerprint', file /work/mozilla/builds/1.9.1/mozilla/security/manager/ssl/src/nsIdentityChecking.cpp, line 846

Also seen a lot of times on other sites during the test automation runs
Flags: blocking1.9.0.19?
I don't know why we're even looking for EV roots on sites like www.mozilla.com, whose certs don't carry the EV extension. But I don't know if it's a problem that "sha1 != fingerprint" there.
Whiteboard: [crashkill-automation] → [crashkill-automation][sg:investigate]
(Reporter)

Comment 2

8 years ago
stack from a windows build.

It seems this assertion is also triggered when the Extension Manager/Update Manager checks for update (which is also done via https://)


###!!! ASSERTION: found EV root with unexpected SHA1 mismatch: 'sha1 == fingerprint', file c:/work/mozilla/builds/1.9.1/mozilla/security/manager/ssl/src/nsIdentityChecking.cpp, line 846
nspr4!PR_CallOnce+0x0000000000000038 (c:\work\mozilla\builds\1.9.1\mozilla\nsprpub\pr\src\misc\prinit.c, line 805)
xul!nsNSSComponent::EnsureIdentityInfoLoaded+0x0000000000000018 (c:\work\mozilla\builds\1.9.1\mozilla\security\manager\ssl\src\nsidentitychecking.cpp, line 1160)
xul!nsNSSCertificate::hasValidEVOidTag+0x00000000000000CE (c:\work\mozilla\builds\1.9.1\mozilla\security\manager\ssl\src\nsidentitychecking.cpp, line 987)
xul!nsNSSCertificate::getValidEVOidTag+0x000000000000004A (c:\work\mozilla\builds\1.9.1\mozilla\security\manager\ssl\src\nsidentitychecking.cpp, line 1100)
xul!nsNSSCertificate::GetIsExtendedValidation+0x00000000000000B7 (c:\work\mozilla\builds\1.9.1\mozilla\security\manager\ssl\src\nsidentitychecking.cpp, line 1126)
xul!AuthCertificateCallback+0x000000000000012E (c:\work\mozilla\builds\1.9.1\mozilla\security\manager\ssl\src\nsnsscallbacks.cpp, line 987)
ssl3!ssl3_HandleCertificate+0x00000000000003CA (c:\work\mozilla\builds\1.9.1\mozilla\security\nss\lib\ssl\ssl3con.c, line 7281)
ssl3!ssl3_HandleHandshakeMessage+0x00000000000003DF (c:\work\mozilla\builds\1.9.1\mozilla\security\nss\lib\ssl\ssl3con.c, line 7959)
ssl3!ssl3_HandleHandshake+0x00000000000001C8 (c:\work\mozilla\builds\1.9.1\mozilla\security\nss\lib\ssl\ssl3con.c, line 8083)
ssl3!ssl3_HandleRecord+0x00000000000005F8 (c:\work\mozilla\builds\1.9.1\mozilla\security\nss\lib\ssl\ssl3con.c, line 8346)
ssl3!ssl3_GatherCompleteHandshake+0x00000000000000BB (c:\work\mozilla\builds\1.9.1\mozilla\security\nss\lib\ssl\ssl3gthr.c, line 206)
ssl3!ssl_GatherRecord1stHandshake+0x000000000000007B (c:\work\mozilla\builds\1.9.1\mozilla\security\nss\lib\ssl\sslcon.c, line 1258)
ssl3!ssl_Do1stHandshake+0x000000000000021D (c:\work\mozilla\builds\1.9.1\mozilla\security\nss\lib\ssl\sslsecur.c, line 151)
ssl3!ssl_SecureSend+0x00000000000001C5 (c:\work\mozilla\builds\1.9.1\mozilla\security\nss\lib\ssl\sslsecur.c, line 1176)
ssl3!ssl_SecureWrite+0x0000000000000016 (c:\work\mozilla\builds\1.9.1\mozilla\security\nss\lib\ssl\sslsecur.c, line 1221)
ssl3!ssl_Write+0x00000000000000A3 (c:\work\mozilla\builds\1.9.1\mozilla\security\nss\lib\ssl\sslsock.c, line 1488)
xul!nsSSLThread::Run+0x000000000000025D (c:\work\mozilla\builds\1.9.1\mozilla\security\manager\ssl\src\nssslthread.cpp, line 1043)
xul!nsPSMBackgroundThread::nsThreadRunner+0x0000000000000016 (c:\work\mozilla\builds\1.9.1\mozilla\security\manager\ssl\src\nspsmbackgroundthread.cpp, line 45)
nspr4!_PR_NativeRunThread+0x00000000000000F7 (c:\work\mozilla\builds\1.9.1\mozilla\nsprpub\pr\src\threads\combined\pruthr.c, line 426)
nspr4!pr_root+0x0000000000000023 (c:\work\mozilla\builds\1.9.1\mozilla\nsprpub\pr\src\md\windows\w95thred.c, line 122)
MSVCR80D!beginthreadex+0x0000000000000221
MSVCR80D!beginthreadex+0x00000000000001C7
kernel32!GetModuleFileNameA+0x00000000000001BA
OS: Mac OS X → All
(Assignee)

Comment 3

8 years ago
Not a security problem, simply a checksum mismatch, caused by landing the wrong patch into the stable branch, bug 499716, I'll comment there.

I hope we aren't crashing, we shouldn't!
(Assignee)

Updated

8 years ago
Depends on: 499716
Since we shipped with bug 499716 let's fix it here as a regression.

Kai: this isn't filed as a crash bug (though debug builds could crash if you use the fatal-assertion setting), but we are trying to eliminate assertions as part of the "crashkill" effort. New assertions, in particular, pop out in testing.

Tomcat: are you seeing this in 1.9.0.18? Bug 499716 didn't land there afaik. Or was blocking1.9.0.19? supposed to be a 1.9.1 request?
Blocks: 499716
Group: core-security
blocking1.9.1: --- → ?
status1.9.1: --- → wanted
No longer depends on: 499716
Keywords: regression
Whiteboard: [crashkill-automation][sg:investigate] → [crashkill-automation]
(Reporter)

Comment 5

8 years ago
(In reply to comment #4)

> Tomcat: are you seeing this in 1.9.0.18? Bug 499716 didn't land there afaik. Or
> was blocking1.9.0.19? supposed to be a 1.9.1 request?

oh sorry, yeah was confused by version numbers it seems :/ yeah was more a 1.9.1 request !
Flags: blocking1.9.0.19?
regression fix "wanted/needed" on 1.9.1 but not going to "block" on it.
blocking1.9.1: ? → needed
Need to backout http://hg.mozilla.org/releases/mozilla-1.9.1/rev/96aa722da7ab and check in attachment 401219 from bug 499716 (attachment 401121 checked in by mistake).
(Assignee)

Comment 8

8 years ago
(In reply to comment #7)
> Need to backout http://hg.mozilla.org/releases/mozilla-1.9.1/rev/96aa722da7ab

Not all of that, just the first chunk that changed nsIdentityChecking.cpp
(Assignee)

Comment 9

8 years ago
(In reply to comment #8)
> (In reply to comment #7)
> > Need to backout http://hg.mozilla.org/releases/mozilla-1.9.1/rev/96aa722da7ab
> 
> Not all of that, just the first chunk that changed nsIdentityChecking.cpp

In particular, this line:
    "61:57:3a:11:df:0e:d8:7e:d5:92:65:22:ea:d0:56:d7:44:b3:23:71",
needs to be changed to have uppercase hex characters,
that's all.
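
Editor's added example, not part of the bug thread and not Mozilla's code: it shows why a lowercase table entry trips an exact-text fingerprint check, and how comparing the decoded digest bytes avoids depending on hex case. It assumes the computed SHA-1 is rendered as uppercase colon-separated hex, which is what the fix described in comment 9 implies; all function names are hypothetical.

```cpp
#include <array>
#include <cstdint>
#include <string>
using Sha1 = std::array<std::uint8_t, 20>;  // raw SHA-1 digest bytes

// Table entry exactly as quoted in comment 9 (lowercase hex).
const std::string kLowercaseEntry =
    "61:57:3a:11:df:0e:d8:7e:d5:92:65:22:ea:d0:56:d7:44:b3:23:71";

static int hex_value(char c) {
  if (c >= '0' && c <= '9') return c - '0';
  if (c >= 'a' && c <= 'f') return c - 'a' + 10;
  if (c >= 'A' && c <= 'F') return c - 'A' + 10;
  return -1;
}

// Parse 20 colon-separated hex pairs in either case; `out` is unspecified on failure.
bool parse_fingerprint(const std::string& text, Sha1& out) {
  if (text.size() != 20 * 3 - 1) return false;
  for (std::size_t i = 0; i < 20; ++i) {
    int hi = hex_value(text[3 * i]), lo = hex_value(text[3 * i + 1]);
    if (hi < 0 || lo < 0) return false;
    if (i < 19 && text[3 * i + 2] != ':') return false;
    out[i] = static_cast<std::uint8_t>(hi * 16 + lo);
  }
  return true;
}

// Assumption: the computed digest is rendered as uppercase hex.
std::string format_upper(const Sha1& digest) {
  static const char kDigits[] = "0123456789ABCDEF";
  std::string s;
  for (std::size_t i = 0; i < digest.size(); ++i) {
    if (i) s += ':';
    s += kDigits[digest[i] >> 4];
    s += kDigits[digest[i] & 0x0F];
  }
  return s;
}

// Brittle: exact text equality, so hex case alone causes a mismatch.
bool matches_as_text(const std::string& entry, const Sha1& computed) {
  return entry == format_upper(computed);
}

// Robust: compare digest bytes; a malformed entry never matches.
bool matches_as_bytes(const std::string& entry, const Sha1& computed) {
  Sha1 parsed{};
  return parse_fingerprint(entry, parsed) && parsed == computed;
}
```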

Updated

6 years ago
Blocks: 726192
No longer blocks: 532972
Summary: ###!!! ASSERTION: found EV root with unexpected SHA1 mismatch: 'sha1 == fingerprint' → ASSERTION: found EV root with unexpected SHA1 mismatch: 'sha1 == fingerprint'
(Assignee)

Comment 10

5 years ago
reassign bug owner.
mass-update-kaie-20120918
Assignee: kaie → nobody

Comment 11

4 years ago
Fixed as part of Bug 545755:
https://hg.mozilla.org/releases/mozilla-1.9.1/diff/6cb32633cd1e/security/manager/ssl/src/nsIdentityChecking.cpp
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED
Assignee: nobody → kaie
Target Milestone: --- → mozilla1.9.1