Closed
Bug 901650
Opened 11 years ago
Closed 11 years ago
Persona accepting invalid SSL certs for primary detection.
Categories
(Cloud Services :: Server: Identity, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: david, Assigned: francois)
References
Details
A couple of hours ago I found that my (fallback hosted) persona account (david@illsley.org) wasn't working. After some debugging, I discovered that it's down to me co-hosting the test domain I was playing around with last year (i5y.org) with illsley.org When you connect to https://illsley.org/.well-known/browserid in firefox you get a warning about both an expired cert and the name mismatching. Unfortunately, it appears that the prod persona code is ignoring those warnings. I've now been able to set a browserid file there which delegates that domain to eyedee.me using the expired cert for the wrong domain: $ curl -vv -k -3 https://illsley.org/.well-known/browserid * About to connect() to illsley.org port 443 (#0) * Trying 46.51.187.142... * connected * Connected to illsley.org (46.51.187.142) port 443 (#0) * SSLv3, TLS handshake, Client hello (1): * SSLv3, TLS handshake, Server hello (2): * SSLv3, TLS handshake, CERT (11): * SSLv3, TLS handshake, Server key exchange (12): * SSLv3, TLS handshake, Server finished (14): * SSLv3, TLS handshake, Client key exchange (16): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSLv3, TLS change cipher, Client hello (1): * SSLv3, TLS handshake, Finished (20): * SSL connection using DHE-RSA-AES256-SHA * Server certificate: * subject: description=5sHVqRIlEOQv8gK4; C=GB; CN=www.i5y.org; emailAddress=davidillsley@gmail.com * start date: 2012-02-25 21:16:44 GMT * expire date: 2013-02-26 16:05:28 GMT * subjectAltName does not match illsley.org > GET /.well-known/browserid HTTP/1.1 > User-Agent: curl/7.24.0 (x86_64-apple-darwin12.0) libcurl/7.24.0 OpenSSL/0.9.8x zlib/1.2.5 > Host: illsley.org > Accept: */* > < HTTP/1.1 200 OK < Date: Mon, 05 Aug 2013 19:36:33 GMT < Server: Apache/2.2.22 (Ubuntu) < Last-Modified: Mon, 05 Aug 2013 18:53:47 GMT < ETag: "4096a-1f-4e337d4151fd6" < Accept-Ranges: bytes < Content-Length: 31 < Content-Type: application/json < { "authority": "eyedee.me" } * Connection #0 to host illsley.org left intact * Closing connection #0 * SSLv3, TLS alert, Client hello (1): davidillsley@Davids-MacBook-Air-2 ~ $ curl https://login.persona.org/wsapi/address_info?email=david%40illsley.org&issuer=default [1] 34574 davidillsley@Davids-MacBook-Air-2 ~ $ {"auth":"https://eyedee.me/browserid/sign_in.html","prov":"https://eyedee.me/browserid/provision.html","type":"primary","issuer":"eyedee.me","normalizedEmail":"david@illsley.org","state":"transition_to_primary"} (I'll change this just as soon as you've been able to confirm/refute the problem :) Interestingly, the check_primary_support script doesn't accept illsley.org as a primary: davidillsley@Davids-MacBook-Air-2 ~/Development/browserid/scripts $ node check_primary_support illsley.org info: process type is check_primary_support debug: illsley.org is not a browserid primary: Error: CERT_HAS_EXPIRED debug: illsley.org is not a browserid primary: Error: CERT_HAS_EXPIRED error: illsley.org is not a browserid primary: Error: CERT_HAS_EXPIRED Given that my david@illsley.org account has been working recently (I'd guess until about a month ago), I'd guess this is a change since then. Let me know if you need any more information. David
Updated•11 years ago
|
Assignee: nobody → gene
Comment 1•11 years ago
|
||
I've idenfified the cause of the problem and have deployed a new staging stack with a fix (I'll be detailing the fix shortly). jrgm was going to take a look at it in stage.
Comment 2•11 years ago
|
||
Staging looks good (says jrgm). Here's the fix : https://github.com/mozilla/identity-ops/commit/06cf56a2e6bf2652ce9a5e9b9548ff7e8b292231
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Comment 3•11 years ago
|
||
I'm building new production stacks that incorporate this fix now and should have them out within the hour
Comment 4•11 years ago
|
||
I think once we fix this in prod, we'll want to open a bug in github on the browserid-server software since this vulnerability exists for installations not utilizing an outbound https proxy like we do.
Comment 5•11 years ago
|
||
Okay, new production stacks look ok. You can switch DNS (and cut it off on the old stacks).
Comment 6•11 years ago
|
||
This fixed code has been deployed live in production.
Reporter | ||
Comment 7•11 years ago
|
||
Fix looks good to me. In 4 hours? Good Work. I've updated my server so it would no longer demonstrate the problem, so I've no objection to this bug being opened up at the appropriate time.
Updated•11 years ago
|
Assignee: gene → francois
Comment 8•11 years ago
|
||
David. A big thanks for reporting this to us!
Assignee | ||
Comment 9•11 years ago
|
||
I have submitted a pull request to set rejectUnauthorized to true everywhere in our codebase: https://github.com/mozilla/browserid/pull/3761 Given that this is fixed in production and that the pull request is public, I think we can uncloak this bug.
Assignee | ||
Comment 10•11 years ago
|
||
The pull request has been merged.
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
un-hiding per :francois
Group: mozilla-services-security
You need to log in
before you can comment on or make changes to this bug.
Description
•