Last Comment Bug 564421 - Connection reset while trying to access gmail.com or sites.google.com behind corporate proxy (tlsv1)
: Connection reset while trying to access gmail.com or sites.google.com behind ...
Status: RESOLVED WORKSFORME
: regression
Product: Core
Classification: Components
Component: Networking: HTTP (show other bugs)
: 1.9.2 Branch
: x86 Windows XP
: -- normal with 1 vote (vote)
: ---
Assigned To: Nobody; OK to take it and work on it
:
Mentors:
http://gmail.com and http://sites.goo...
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2010-05-07 07:08 PDT by albatros_la
Modified: 2014-07-21 10:06 PDT (History)
12 users (show)
See Also:
Crash Signature:
(edit)
QA Whiteboard:
Iteration: ---
Points: ---
Has Regression Range: ---
Has STR: ---


Attachments
ff3.6.4b gmail.com access log (111.50 KB, text/plain)
2010-05-10 01:24 PDT, albatros_la
no flags Details
ff3.6 gmail.com access log (78.14 KB, application/x-zip-compressed)
2010-09-01 02:11 PDT, albatros_la
no flags Details
ff3.6.9 gmail.com access log (18.00 KB, application/x-zip-compressed)
2010-09-01 02:12 PDT, albatros_la
no flags Details
HTTP activity log, trying to connect to Google Apps For Your Domain mail from behind proxy/web filter. Error is Connection Interrupted. (146.73 KB, text/plain)
2010-10-06 02:25 PDT, samwise+mozilla
no flags Details
log of failure to connect through proxy.library.upenn.edu (743.55 KB, text/plain)
2012-02-02 04:40 PST, Jonathan Baron
no flags Details

Description albatros_la 2010-05-07 07:08:27 PDT
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.9.2.4) Gecko/20100503 Firefox/3.6.4
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; it; rv:1.9.2.4) Gecko/20100503 Firefox/3.6.4b (and 3.6.3 too)

After upgrading to 3.6.3 version Firefox does not seem to be able to load gmail.com and sites.google.com pages anymore. It simply responds with the classic error page
------------------------
The connection was reset
The connection to www.google.com was reset while the page was loading.
...
------------------------
Note that it ALWAYS refers to www.google.com, despite the url loaded being gmail.com or sites.google.com. Moreover www.google.com is fully accessible.
The stated sites are fully loadable with IE or previous versions of Firefox on the same network.

(Ineffective) solutions tried so far:
- re-installation
- safe-mode
- different profile
- ipv6 disabling
- network http pipelining disabled

Firefox loads the stated pages painlessly when the machine is connected directly to the web (so just not staying behind the firewall). I have no administrative access to the firewall, so I cannot provide any information about its configuration.

Reproducible: Always

Steps to Reproduce:
1. type "http://gmail.com" or "http://sites.google.com" on url bar
2. press enter
Actual Results:  
Page loading does not occurs, connection reset error encountered indeed.

Expected Results:  
Full access to gmail.com and sites.google.com
Comment 1 Matthias Versen [:Matti] 2010-05-07 10:20:54 PDT
Please try a nightly trunk build :
ftp://ftp.mozilla.org/pub/firefox/nightly/latest-mozilla-central/

if you still get this attach a http log:
https://developer.mozilla.org/en/HTTP_Logging

I suspect the https proxy security changes in 3.6.3 and one issue got fixed on trunk.
Comment 2 albatros_la 2010-05-10 01:24:30 PDT
Created attachment 444360 [details]
ff3.6.4b gmail.com access log
Comment 3 albatros_la 2010-05-10 01:24:47 PDT
I have tried this nighlty build: firefox-3.7a5pre.en-US.win32.zip
It seems that SSL authentication is broken, in fact I am not able to login to the corporate network with it (in order to access to it, I have to login through a web portal whenever I open a new browser instance). Every site I try to access to, it gets me this error:
------------------------
Secure Connection Failed
An error occurred during a connection to websso.corp.thales.

Renegotiation is not allowed on this SSL socket.

(Error code: ssl_error_renegotiation_not_allowed)
------------------------
So I have switched back to the version we was talking about (3.6.4 build 20100503122926).
I have attached the log file I have produced with it while trying to access gmail.com. I have substituted the real corporate proxy url with an evocative "corporate_proxy_url", the rest of the log file is left unchanged. I hope it helps!
Comment 4 Matthias Versen [:Matti] 2010-05-10 03:16:08 PDT
marking new, someone need to look at the log
Comment 5 albatros_la 2010-07-06 01:06:12 PDT
Upgraded to newer relases and still experiencing the same issue. Currently using 3.6.7 and nothing has changed. Any chance to see it solved? I do not want to be pedantic, but I am really missing the connectivity to those sites, thus I am forced to use IE to access them and that is pretty annoying.
Comment 6 [not reading bugmail] 2010-07-06 03:25:34 PDT
Have you tried a new profile that you can test to check against the proxy setting change?  Automatically choose system proxy?   how about clearing caches and cookies for those sites?
Comment 7 albatros_la 2010-07-07 06:42:36 PDT
I am forced to use the corporate proxy, so I cannot change that setting if I want to access the corporate network. Gmail sites stated above are the unique sites to which I am not able to access, that is surely an anomaly which cannot be linked to those sites nor to the proxy behavior. In fact, as previously said, I can access to those sites just using IE. I have just tried all what you are suggesting with no improvements. The fact is that the problem raised just upgrading to 3.6.3 version (and later) and if I switch back to 3.6.2 I can have the network fully working again (losing all the other improvements the browser has experienced since then, of course). So something is truly different from versions > 3.6.3 and the previous releases. I am not into the coding matter enough to study the source and understand which is actually different, that is why I am asking some support hoping someone can correct what is going wrong with the code. I understand that there are not so many people experiencing this problem out there (and so - maybe - this is considered a minor bug since it has not been corrected in the last 5 releases), but where I am used to work everyone is currently unable to access gmail by firefox because of this bug and that sounds pretty embarassing.
Comment 8 John Vandenberg 2010-08-06 03:54:14 PDT
I see in the log that your proxy returns "The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied."  This appears to be an error of "Microsoft Internet Security and Acceleration Server Enterprise Edition"
http://technet.microsoft.com/en-gb/library/cc767787.aspx
Are you able to work out what version of the proxy you are using?

It looks like your bug report could be related to bug 360102.

Can you reproduce the problem with Firefox 2.0?
Is the problem fixed with Firefox 1.5.0.6?

Old versions available here: 
http://www.oldapps.com/firefox.php

p.s. Can you reproduce bug 553979?
Comment 9 albatros_la 2010-08-06 10:21:41 PDT
Well, I will test those versions of Firefox if it helps, but now I will be away from my job place for three weeks, so I will post the results when I will get back there. However, as said above, it's all working with 3.6.3 version, but not with newer versions, so I do not understand which is the point on testing old 1.5.x and 2.x versions. I will check the log of 3.6.3 version in order to see if there is the same issue with the ISA server (maybe that's not the trouble blocking gmail, we will see). I will try to find out which is the version of the proxy too.
Bug 553979 is not reproducible: other sites are fully accessible and there are no hangs on connection.
Comment 10 WADA 2010-08-06 10:41:15 PDT
(In reply to comment #9)
> However, as said above, it's all working with 3.6.3 version,
> but not with newer versions,
> so I do not understand which is the point on testing old 1.5.x and 2.x versions.

As seen in bug 575915(mainly due to proxy's bug), problem due to proxy's bug is affected by Fx/Tb side change in newer version.
I recommend you to get NSPR log with Fx 3.6.3 and with a newer Fx 3 version, and compare protocol level flow, as opener of bug 575915 and us did. 
> https://developer.mozilla.org/en/HTTP_Logging
> SET NSPR_LOG_MODULES=timestamp,nsHttp:5,nsSocketTransport:5,nsHostResolver:5
Comment 11 albatros_la 2010-09-01 02:11:44 PDT
Created attachment 471068 [details]
ff3.6 gmail.com access log
Comment 12 albatros_la 2010-09-01 02:12:10 PDT
Created attachment 471069 [details]
ff3.6.9 gmail.com access log
Comment 13 albatros_la 2010-09-01 02:21:42 PDT
Upgraded to 3.6.9, behaviour's remained the same. I've logged the protocol level flow as you have suggested and I have attached the resulting logs for 3.6.9 and 3.6 releases. The latter because I have verified that it is the last working version. I am pretty sure gmail was accessible as far as I was connecting through 3.6.2, but actually today that release gives the same problems of the most recent ones. Release 3.6 resulted fully working as you can see looking at the relevant log file. I am not enough into the matter to understand what's going on, however I have roughly looked into the log and yes: it could be something similar to which reported into bug 575915. If it will turn out to be a proxy-side bug, I will be really glad to communicate it to my system administrator if you instruct me about the problem.
Comment 14 albatros_la 2010-09-01 02:59:28 PDT
Upgraded to 3.6.9, behaviour's remained the same. I've logged the protocol level flow as you have suggested and I have attached the resulting logs for 3.6.9 and 3.6 releases. The latter because I have verified that it is the last working version. I am pretty sure gmail was accessible as far as I was connecting through 3.6.2, but actually today that release gives the same problems of the most recent ones. Release 3.6 resulted fully working as you can see looking at the relevant log file. I am not enough into the matter to understand what's going on, however I have roughly looked into the log and yes: it could be something similar to which reported into bug 575915. If it will turn out to be a proxy-side bug, I will be really glad to communicate it to my system administrator if you instruct me about the problem.
Comment 15 albatros_la 2010-09-21 04:02:55 PDT
Things seem going from bad to worse! After upgrading to 3.6.10 I have lost the capability to access to bugzilla too, thus I am currently using firefox 3.6 in no-remote mode on a different profile in order to access bugzilla, gmail, google sites, etc... Running two Firefox versions simultaneously is the unique solution I have found so far in order to maintain the improvements of latest versions while having the chance to access gmail & co.
Comment 16 samwise+mozilla 2010-10-05 09:02:21 PDT
I think I'm suffering from this at work, too.  Our web access is filtered by a Blue Coat proxy, I believe.  GMail (more specifically, GAFYD) works fine with older (< 3.6) versions of Firefox and Internet Explorer 6-8 but does not work with the latest versions of Firefox.

All I see is the error:

"The connection was interrupted

The connection to mail.google.com was interrupted while the page was loading."

Given the site works fine with IE and, anecdotally, other browsers in use in the company as well as older versions of Firefox, I think the problem is with Firefox.

I appreciate this issue only affects people who are behind a corporate web filter/proxy, but I think the priority should be considered high, to ensure adoption in large corporate environments.  With this bug in place, it's impossible to advocate the use of Firefox at work.

Thanks.
Comment 17 John Vandenberg 2010-10-05 15:51:16 PDT
(In reply to comment #16)
> I think I'm suffering from this at work, too.  Our web access is filtered by a
> Blue Coat proxy, I believe.

Does your proxy require authentication?
Could you find out which Blue Coat proxy you are using (i.e. product name & version), and also attach a http log:
https://developer.mozilla.org/en/HTTP_Logging
Comment 18 samwise+mozilla 2010-10-05 15:57:50 PDT
No authentication required, just an Automatic Proxy Configuration URL to an internal .pac file.

I'll try and get the rest of the information together.

Thanks.
Comment 19 samwise+mozilla 2010-10-06 02:25:40 PDT
Created attachment 481166 [details]
HTTP activity log, trying to connect to Google Apps For Your Domain mail from behind proxy/web filter. Error is Connection Interrupted.
Comment 20 samwise+mozilla 2010-10-06 02:32:17 PDT
I've attached a HTTP Activity log of the connection interrupted failure using
Firefox 3.6.10 on Windows 7 Enterprise 32-bit.  Note that it used to be a
connection reset message but at some point that's changed to be connection
interrupted.

After asking around, I think we're running Blue Coat ProxySG appliances (Full
Proxy Edition) which are probably running version 5.4 or version 5.5 of SGOS. 
Still trying to confirm that.

Like the original reporter, I've tried most of the usual workarounds to no
avail. 

- re-installation
- safe-mode
- different profile
- ipv6 disabling
- network http pipelining disabled
Comment 21 samwise+mozilla 2010-10-06 03:12:17 PDT
Right, I've had it confirmed by our auto proxy team that our web filter/proxy infrastructure is based around Blue Coat ProxySG appliances Full Proxy Edition running roxysg 8100/20 sgos 5.3.3.1.

If I can supply anything else to help get this fixed, please let me know.  It's been a problem in our environment for quite a few FF releases now, unfortunately.  Thanks.
Comment 22 samwise+mozilla 2010-10-06 03:13:32 PDT
Typo:

Blue Coat ProxySG appliances Full Proxy Edition running proxysg 8100/20 sgos 5.3.3.1.
Comment 23 samwise+mozilla 2010-10-06 08:25:41 PDT
I tried installing Firefox 4 Beta 6.  Same issue.  :/
Comment 24 albatros_la 2010-10-18 08:40:03 PDT
I don't know which is the proxy my company is actually using. However, I found this thread related to Blue Coat Proxy SG:
https://kb.bluecoat.com/index?page=content&id=FAQ969&actp=LIST
Let me know if that solution works for you.
Comment 25 samwise+mozilla 2010-10-18 08:50:54 PDT
I've tried with TLS v1 option enabled and disabled.  Neither works.  The connection is still reported as being interrupted.  :/
Comment 26 albatros_la 2010-10-19 10:04:20 PDT
Well, yes, but on that thread they also suggest a configuration trick for the same proxy. Maybe that will solve your problem.
Comment 27 samwise+mozilla 2010-10-19 10:08:01 PDT
Well, yes, but I have no access to the proxy configuration to test such things.  Our firm officially don't support Firefox so the official team won't try it out either.  It's hard to argue the point when IE copes with this corporate proxy out of the box, and Firefox doesn't (in it's latest versions).
Comment 28 albatros_la 2010-11-17 02:26:34 PST
Finally good news! Today I have tested version 4.0b7 and I can confirm it actually works as expected (I am currently typing from Mozilla/5.0 [Windows NT 5.1; rv:2.0b7] Gecko/20100101 Firefox/4.0b7). I can now access google services again. In order to do that I have re-enabled the TLS 1.0 support (that change was uneffective with previous versions).
Moreover, the corporate network settings fully block net access if SSL renegotiation is enabled. It is a problem which seems to be unrelated with the gmail access which has lead to this bug report. However, I would like report hereafter the solution since it is possibile that users encountering that problem have also to face with this one: setting of the environment variable NSS_SSL_ENABLE_RENEGOTIATION to 1 is needed. This solution surely raises some security issues, but as said above it is sometimes required in order to be able to gain net access while being connected to really restrictive corporate networks.
I do not switch to SOLVED the bug since I cannot be sure anything has changed server-side, thus I think other users feedback would represent a more reasonable approach.
Comment 29 samwise+mozilla 2010-11-18 08:53:18 PST
I'm delighted to report that Firefox 4.0b7 also appears to work here too, with TLS enabled.  I'll continue to monitor over the next few days, but it has been working consistently with GMail over https for the last 24 hours.  I haven't had to set any environment variables.

Great stuff.
Comment 30 samwise+mozilla 2010-11-24 05:16:43 PST
OK, further comments following a few days monitoring.

A colleague experiencing the same issue remained on Firefox 3.6.12 and discovered that his gmail problems also disappeared.  He thinks things weren't working when he first upgraded to 3.6.12 but then suddenly overnight they were (possible change in our company's proxy server?).  So it's also possible that the change which fixed my Gmail problems was also not related to the browser - it might also have been said proxy change.

On my FF 4b7 installation, I've discovered however that encrypted Google search [https://encrypted.google.com/] requests still do not work - I get "The connection was interrupted" message for any such attempts, just as I used to for Gmail.  Gmail tho continues to work - I even logged out, deleted all mail.google.com cookies and restarted the browser.  I was still able to log back in to Gmail.

I'm not sure this is making things any clearer, but it looks like there's still something clashing between FF 4b7 and our proxy setup.  Why it effects encrypted.google.com and not gmail, I have yet to uncover.
Comment 31 greg.d.thomas 2010-11-24 05:41:06 PST
Just to add my experience; 

Gmail definitely wasn't working with 3.6.11 via our corporate proxy when that release first came out.

Gmail is now working with 3.6.12 - I suspect it wasn't when it first came out (I probably would have checked), but can't be 100% sure.

https://www.google.com is giving the same "The connection was interrupted" error that Gmail used to. 

I've checked all the above with a new profile, so I know Google isn't using a cookie from anywhere.

It would be interesting to know if others suffering from this problem can now access it with 3.6.12; in which case it looks like something at Google has changed. If it's still a problem, then something with our corporate proxy has changed.
Comment 32 Jonathan Baron 2012-02-02 04:40:53 PST
Created attachment 593790 [details]
log of failure to connect through proxy.library.upenn.edu

About the first half of this log is just starting up, loading my home page, and getting my bookmark for the library proxy server for google-scholar. I think the trouble begins when the word "scholar" first appears.
Comment 33 Jonathan Baron 2012-02-02 04:41:46 PST
I think I have a similar problem, so I am reporting it here rather than opening a new report. I'm using nightly 13.0a1 (2012-02-02), for x86_64 linux. As of the build for 2012-01-28, everything was fine, but either 1/29, 1/30, or 1/31 stopped being able to connect to a proxy server that allows me to use the University of Pennsylvania library from home. I get "The connection to proxy.library.upenn.edu:2122 was interrupted while the page was loading." This is of course after typing my login and password. The problem occurs on two different machines, but google-chrome works fine. I will try to attach a log.
Comment 34 Jonathan Baron 2012-02-17 10:53:21 PST
(In reply to Jonathan Baron from comment #33)
> I think I have a similar problem, so I am reporting it here rather than
> opening a new report.

It turns out that I was able to fix my problem by deleting permissions.sqlite. I discovered this by starting with a new profile and moving pieces of the old one, one by one.

So I think this bug is probably fixed, but I'm not changing it, because I'm not sure my bug was the same.
Comment 35 Wayne Mery (:wsmwk, NI for questions) 2014-01-03 12:36:59 PST
WFM per comment 28
Comment 36 Jaques Rousseau 2014-07-21 10:06:11 PDT
Just as additional information:

Jonathan Baron seems to have "EZproxy", while samwise and albatros_la have the "Blue Coat Proxy" in their corporate network. From the attached log files I can see that albatros_la worked for Thales. Thales uses a Blue Coat Proxy with SSL interception. This means the proxy breaks your secure connections to gmail and can read your mail password in plaintext. My urgent advice is to not use the corporate network for secure connections and private mail.

Read more at https://bluecoatproxy.wordpress.com

Note You need to log in before you can comment on or make changes to this bug.