Closed Bug 701019 Opened 8 years ago Closed 8 years ago
Allow send of credentials to an authenticating proxy while using LOAD_ANONYMOUS flag
Visit http://bankieren.rabobank.nl/klanten/

This website uses an EV certificate. After upgrading Firefox to version 8 (previous version 7.0.1) the site identity button is blue instead of green.

If I enable this preference: advanced => encryption => validation => "When an OCSP server connection fails, treat the certificate as invalid", then I get this error message when visiting the website:

sec_error_ocsp_bad_http_response

Looking at the HTTP headers, this seems related to the fact that the OCSP request is rejected by our proxy server due to lack of authentication. This does not happen when using Firefox 7.0.1 (not all computers have been upgraded to Firefox 8 yet).
Correction: URL in the first post is wrong. Correct URL is https://bankieren.rabobank.nl/klanten
I cannot load any HTTPS pages after upgrading to Firefox 8.0. I have (and had) OCSP validation enabled, including the "When an OCSP server connection fails, treat the certificate as invalid" option. After upgrading from Firefox 7.0.1 to 8.0, however, all OCSP requests to our MS ISA Server proxy are rejected by this proxy with a message saying authentication (my Active Directory credentials) was not supplied.

Chrome and IE7 still successfully load HTTPS pages, either because they provide authentication or do not check the OCSP server (I have certificate validation enabled in the Chrome options, but did not see OCSP traffic using Wireshark.)

Here's a sample Wireshark capture of the OCSP traffic to the proxy when trying to connect to Gmail:

POST http://ocsp.thawte.com/ HTTP/1.1
Host: ocsp.thawte.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en-nz;q=0.9,en;q=0.8,en-us;q=0.7,nl;q=0.6,de-de;q=0.5,de;q=0.4,fr-fr;q=0.3,fr;q=0.2,cs;q=0.1
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
DNT: 1
Proxy-Connection: keep-alive
Content-Length: 115
Content-Type: application/ocsp-request

<<request data removed>>

HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )
Via: 1.1 OURPROXY
Proxy-Authenticate: Negotiate
Proxy-Authenticate: Kerberos
Proxy-Authenticate: NTLM
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 4117

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN"> <HTML><HEAD><TITLE>Error Message</TITLE>
The problem is LOAD_ANONYMOUS doesn't do the correct thing. See http://adblockplus.org/blog/why-you-do-not-want-to-use-the-load_anonymous-flag. There are other bugs filed about the same problem with LOAD_ANONYMOUS, e.g. bug 627616 that require the same solution: Have LOAD_ANONYMOUS skip HTTP authentication and have it avoid sending cookies, but don't have it skip HTTP proxy authentication.
Assignee: nobody → bsmith
Priority: -- → P1
Summary: EV-cert, but "Site identity button" is blue or sec_error_ocsp_bad_http_response → OCSP requests through an authenticating proxy fail due to use of LOAD_ANONYMOUS flag; when strict OCSP checking is enabled, all HTTPS pages fail to load
Target Milestone: --- → Firefox 11
Severity: normal → major
OS: Windows XP → All
Hardware: x86 → All
See Also: → 627616
Target Milestone: Firefox 11 → Firefox 9
Simply said: LOAD_ANONYMOUS should not affect Proxy-Authorization header, right? It means to change nsHttpChannelAuthProvider::ProcessAuthentication.
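The distinction the two comments above draw (an anonymous load drops cookies and the origin's Authorization header, but must still answer the proxy's 407 with Proxy-Authorization), shown as an added Python model. This is not Gecko code and does not mirror nsHttpChannelAuthProvider; the Channel class, handle_response, the buggy switch and the sample responses are all constructed for this example. The 407 sample reuses the header names from the ISA Server reply in the capture quoted earlier in this bug; the 401 is a hypothetical origin challenge.

```python
"""Model of LOAD_ANONYMOUS semantics: skip origin auth and cookies, keep proxy auth.

Added example, not Gecko code. Every name below (Channel, handle_response,
buggy, the sample responses) is invented for illustration.
"""
from dataclasses import dataclass

# Constructed sample responses. The 407 mirrors the headers of the ISA Server
# reply captured in this bug; the 401 is a hypothetical origin challenge.
PROXY_407 = (
    "HTTP/1.1 407 Proxy Authentication Required\r\n"
    "Via: 1.1 OURPROXY\r\n"
    "Proxy-Authenticate: Negotiate\r\n"
    "Proxy-Authenticate: Kerberos\r\n"
    "Proxy-Authenticate: NTLM\r\n"
    "Connection: Keep-Alive\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><head><title>Error Message</title></head></html>"
)
ORIGIN_401 = (
    "HTTP/1.1 401 Unauthorized\r\n"
    'WWW-Authenticate: Basic realm="intranet"\r\n'
    "\r\n"
)


def parse_response(raw: str):
    """Return (status code, list of (lowercased header name, value) pairs)."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def challenge_schemes(headers, name: str):
    """Schemes offered across repeated WWW-Authenticate / Proxy-Authenticate headers."""
    return [value.split(" ", 1)[0] for key, value in headers if key == name]


@dataclass
class Channel:
    """Minimal stand-in for an HTTP channel carrying the LOAD_ANONYMOUS flag."""
    url: str
    load_anonymous: bool
    cookies: str = ""              # what the cookie jar would attach
    origin_credential: str = ""    # cached Authorization value for the origin
    proxy_credential: str = ""     # token the proxy auth provider would supply
    supported_proxy_schemes: tuple = ("Negotiate", "NTLM")

    def request_headers(self) -> dict:
        """Initial request headers. Anonymous loads must not identify the user
        to the origin, so Cookie and Authorization are dropped. The proxy is
        not the origin, so nothing here concerns proxy credentials."""
        headers = {"Host": self.url.split("/")[2]}
        if not self.load_anonymous:
            if self.cookies:
                headers["Cookie"] = self.cookies
            if self.origin_credential:
                headers["Authorization"] = self.origin_credential
        return headers

    def handle_response(self, raw: str, buggy: bool = False) -> dict:
        """Decide how to answer an auth challenge.

        buggy=True models the Firefox 8 regression: LOAD_ANONYMOUS suppresses
        all authentication, so a 407 can never be answered and the request
        fails. buggy=False models the fix proposed above: skip origin auth only.
        """
        status, headers = parse_response(raw)
        if status == 401:
            if self.load_anonymous or not self.origin_credential:
                return {"action": "fail", "reason": "origin auth suppressed"}
            return {"action": "retry",
                    "header": ("Authorization", self.origin_credential)}
        if status == 407:
            if buggy and self.load_anonymous:
                return {"action": "fail", "reason": "proxy auth skipped by LOAD_ANONYMOUS"}
            offered = challenge_schemes(headers, "proxy-authenticate")
            usable = [s for s in self.supported_proxy_schemes if s in offered]
            if not usable or not self.proxy_credential:
                return {"action": "fail", "reason": "no usable proxy scheme"}
            return {"action": "retry",
                    "header": ("Proxy-Authorization", f"{usable[0]} {self.proxy_credential}")}
        return {"action": "done", "status": status}


def ocsp_through_proxy(buggy: bool) -> dict:
    """An OCSP POST (always an anonymous load) meeting the captured 407."""
    ch = Channel(url="http://ocsp.thawte.com/", load_anonymous=True,
                 cookies="session=abc", origin_credential="Basic dXNlcjpwdw==",
                 proxy_credential="constructed-sspi-token")
    assert "Cookie" not in ch.request_headers()  # anonymity toward the origin holds
    return ch.handle_response(PROXY_407, buggy=buggy)


if __name__ == "__main__":
    print("Firefox 8 behaviour:", ocsp_through_proxy(buggy=True))
    print("proposed fix:       ", ocsp_through_proxy(buggy=False))
```

With strict OCSP checking on, the buggy branch is what turns a proxy policy into a failure of every HTTPS page: the revocation check can neither complete nor be answered, so the certificate is treated as invalid. The fixed branch keeps the anonymity property that matters (no cookies or site credentials reach the origin) while letting the proxy authenticate the machine's user, which the proxy already knows.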
Changing the summary because this is more general problem.
Summary: OCSP requests through an authenticating proxy fail due to use of LOAD_ANONYMOUS flag; when strict OCSP checking is enabled, all HTTPS pages fail to load → Allow send of credentials to an authenticating proxy while using LOAD_ANONYMOUS flag
Status: UNCONFIRMED → NEW
Ever confirmed: true
Honza, I think we should back out the patch that caused this and nominate it for mozilla-beta and mozilla-aurora. Then, we can fix the problem more generally. I think it is more complicated than changing the meaning of LOAD_ANONYMOUS for proxies. I.e. I am not sure we can/should change the meaning of LOAD_ANONYMOUS. We should fix the regression before taking more time to figure out exactly what to do long-term.
(In reply to Brian Smith (:bsmith) from comment #8)
> Honza, I think we should back out the patch that caused this and nominate it
> for mozilla-beta and mozilla-aurora. Then, we can fix the problem more
> generally. I think it is more complicated than changing the meaning of
> LOAD_ANONYMOUS for proxies. I.e. I am not sure we can/should change the
> meaning of LOAD_ANONYMOUS. We should fix the regression before taking more
> time to figure out exactly what to do long-term.

What is the regression bug/patch you want to back out?
Honza, here is my WIP. I didn't even try to build it and I am not sure what other things need to be changed. Thanks for taking this bug.
Assignee: bsmith → honzab.moz
clearing sec-review flag, this likely needs careful testing from QA but we don't see direct action for us
What's the status on this? I just turned mandatory OCSP checking back on in Firefox 9.0.1 and I don't see any problems so far.
The patch that caused this regression was backed out. This bug is for restoring the change in that patch in a way that doesn't cause this regression.
(In reply to bugzilla_moz.20.ibyte from comment #12)
> What's the status on this? I just turned mandatory OCSP checking back on in
> Firefox 9.0.1 and I don't see any problems so far.

Just for ref: Bug 703024.
Component: Security → Networking
Product: Firefox → Core
QA Contact: firefox → networking
Target Milestone: Firefox 9 → ---
Component: Networking → Networking: HTTP
QA Contact: networking → networking.http
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 627616