Closed Bug 681573 Opened 13 years ago Closed 13 years ago

Add-on doesn't get updated on Firefox >= 6

Categories

(Toolkit :: Add-ons Manager, defect)

6 Branch
x86
Linux
defect
Not set
major

RESOLVED INVALID

People

(Reporter: ryanli, Unassigned)

Details

I have an add-on hosted at our project's own website, with update.rdf hosted over HTTPS while XPI packages over HTTP. However, since Firefox 6.0 extensions no longer get updated, neither automatically nor manually.

This happens on my GNU/Linux (with nightly), however on a Windows 7 machine both auto/manual updates work. Meanwhile, another developer said he was able to manually update but not automatically update.

You could install an older version (0.7.9.7110) of our add-on here:
http://foxtrick.foundationhorizont.org/nightly/foxtrick-r7110.xpi

The update.rdf is here:
https://foxtrick.c6.ixwebhosting.com/nightly/update.rdf

It should indicate a newer version available, you could test whether you can receive updates.

We think that it's related to the CVE-2009-3555 vulnerability, which we strongly believe that the server has. However I myself haven't viewed this warning message on this specific website both on GNU/Linux and Windows, while some other users do. Through Firebug's net console panel I can see that the update.rdf has been successfully retrieved when clicking "Find updates", but no update has taken place.

I also have the problem with Firebug 1.8 version, which I could see the CVE-2009-3555 warning of its website. For an older Firebug version, here is a link to 1.8.0:
http://getfirebug.com/releases/firebug/1.8/firebug-1.8.0.xpi

All test machines have the following preferences:
> security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref; false
> security.ssl.renego_unrestricted_hosts; (empty)
> security.ssl.require_safe_negotiation; false
> security.ssl.treat_unsafe_negotiation_as_broken; false
> security.ssl.warn_missing_rfc5746; 1

This is really puzzling, and assistance for this would be great.
Component: Extension Compatibility → Add-ons Manager
Product: Firefox → Toolkit
QA Contact: extension.compatibility → add-ons.manager
Could be server configuration problem - trying to view the update.rdf gives

Technical Details
foxtrick.c6.ixwebhosting.com uses an invalid security certificate.
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)

It looks as if the chain is not being served. In any case, try with extensions.logging.enabled true to see what is happening in the error console
Dave, correct me if I'm wrong, but when the updateURL in the update.rdf file, which has been loaded via HTTPS, points to a HTTP resource we expect a "X-Target-Digest: sha1:" header in the HTTP response object. Only when this SHA1 hash corresponds to the hash specified in the update.rdf file, we allow an update.
Whiteboard: [invalid?]
(In reply to Henrik Skupin (:whimboo) from comment #3)
> Dave, correct me if I'm wrong, but when the updateURL in the update.rdf
> file, which has been loaded via HTTPS, points to a HTTP resource we expect a
> "X-Target-Digest: sha1:" header in the HTTP response object. Only when this
> SHA1 hash corresponds to the hash specified in the update.rdf file, we allow
> an update.

No, in this case we need the updateHash in the update.rdf itself, which it has right now. The server's ssl settings just need fixing here. Please re-open if this still fails after that.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → INVALID
Whiteboard: [invalid?]
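For add-on authors checking their own manifest against the rule discussed in the last two comments (an XPI linked over plain HTTP needs a matching updateHash in the HTTPS-served update.rdf), here is an added example that is not from this bug or from Firefox's code. The sample manifest, add-on id, URL and XPI bytes are constructed, and the accepted algorithm list and the pass-through for hashless HTTPS links are assumptions.

```python
import hashlib
import xml.etree.ElementTree as ET

RDF = "{http://www.w3.org/1999/02/22-rdf-syntax-ns#}"
EM = "{http://www.mozilla.org/2004/em-rdf#}"
ALLOWED = ("sha1", "sha256", "sha384", "sha512")  # assumption: accepted algorithms

# Constructed sample data: hypothetical add-on id and URL, not the reporter's files.
SAMPLE_XPI = b"constructed stand-in for the XPI bytes"
SAMPLE_RDF = """<?xml version="1.0"?>
<RDF:RDF xmlns:RDF="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
         xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <RDF:Description about="urn:mozilla:extension:example@addon.invalid">
    <em:updates><RDF:Seq><RDF:li><RDF:Description>
      <em:version>0.8</em:version>
      <em:targetApplication><RDF:Description>
        <em:updateLink>http://addon.invalid/example-0.8.xpi</em:updateLink>
        <em:updateHash>sha256:%s</em:updateHash>
      </RDF:Description></em:targetApplication>
    </RDF:Description></RDF:li></RDF:Seq></em:updates>
  </RDF:Description>
</RDF:RDF>""" % hashlib.sha256(SAMPLE_XPI).hexdigest()

def update_entries(rdf_text):
    """Return [(updateLink, updateHash or None)] for every update entry."""
    entries = []
    for desc in ET.fromstring(rdf_text).iter(RDF + "Description"):
        link = desc.findtext(EM + "updateLink")
        if link is not None:
            digest = desc.findtext(EM + "updateHash")
            entries.append((link.strip(), digest.strip() if digest else None))
    return entries

def check_update(link, update_hash, xpi_bytes):
    """Return (accepted, reason) for a downloaded XPI."""
    if update_hash is None:
        # Assumption: without a hash, only an HTTPS link protects the package.
        secure = link.lower().startswith("https://")
        return secure, "https link, no hash" if secure else "http link without updateHash"
    algo, _, expected = update_hash.partition(":")
    if algo.lower() not in ALLOWED:
        return False, "unsupported hash algorithm"
    actual = hashlib.new(algo.lower(), xpi_bytes).hexdigest()
    if actual == expected.strip().lower():
        return True, "hash matches"
    return False, "hash mismatch"
```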