Closed Bug 92475 Opened 23 years ago Closed 22 years ago

Need error msg for expired CRLs. Was: Can't check account status at Amazon

Categories

(Core Graveyard :: Security: UI, defect, P1)

1.0 Branch
defect

Tracking

(Not tracked)

VERIFIED WORKSFORME
Future

People

(Reporter: lord, Assigned: ddrinan0264)

Details

Attachments

(5 files)

While trying to view my account status at Amazon, I am unable to login.

To reproduce:
-Go to http://www.amazon.com/
-Click on Your Account (top right)
-Click on the GO! next to "my recent orders and transactions"
-Enter email address and password
-Click "Sign in using our secure server"

Expected results:
You'd be logged in.

Observed results:
Nothing happens.
Priority: -- → P1
Target Milestone: --- → 2.1
Others are having a hard time reproducing this, but I can only get to some SSL
sites, even with a new profile.  

Marking Blocker.  We need to get this cleared up before we branch for 0.9.3.

junruh: please see if you can reproduce this problem on Win2k.  You'll need to
visit a lot of external HTTPS sites to find one that triggers this problem.



Severity: normal → blocker
->ddrinan
Assignee: ssaux → ddrinan
This is caused by an expired CRL. We should be putting up an error message in 
this case. The workaround for the moment is to remove the CRL from the profile. 
I'm removing this as a blocker.
Severity: blocker → critical
Update Summary to reflect actual problem.
Summary: Can't check account status at Amazon → Need error msg for expired CRLs. Was: Can't check account status at Amazon
Mass assigning QA to ckritzer.
QA Contact: junruh → ckritzer
Keywords: patch
A couple of notes:
1) These should all have absolute paths for src (like help.js) and should
all say type="application/x-javascript" as well.

+<script src="chrome://global/content/strres.js" />
+<script src="pippki.js" />
+<script src="serverCrlExpired.js" />
+<script type="application/x-javascript" src="chrome://help/content/help.js" />

2) According to Bug 88328, we shouldn't have 'width' or orient set on any
buttons.  The theme should decide how big our buttons are.

Fix these 2 issues, and r=javi
Attached patch: Updated patch.
Keywords: review
sr=blizzard
Fixed checked in.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
On Win2k 2001-08-10-10-trunk build:

Following Lord's steps, I at least got a dialog saying "Connection refused" 
(or something close to it) the *first* time I tried to connect.  Subsequent re-
submissions (clicking the submit button again and again and again) gave me no 
dialogs, and only a watch cursor for a few seconds.

I tried this on MacOSX 2001-08-10-05-trunk build, and had no problems.  Fix was 
checked in on 2001-08-09 15:32 so I'm reopening - Sorry David!
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
The way I understand this bug, one can't connect to sites whose ssl cert is
governed by a crl that has expired.  The fix is to show a dialog in that case
rather than failing silently.  To verify the fix, one needs to install an
expired CRL, which applies to a known site, then go and visit said site, and see
that rather than failing silently we get the dialog that David created.

QA please revisit this.
Marking back as FIXED until there's either a compelling case for REOPENED or
it's VERIFIED.
Status: REOPENED → RESOLVED
Closed: 23 years ago → 23 years ago
Resolution: --- → FIXED
There is no such thing as an expired cert. Please see bug 94013 for details. 
This code and UI need to take that into account.  

nextUpdate time does not mean "expired".

Reopening.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
 +  rv = NS_ERROR_FAILURE;;

remove the extra ;

+  <button id="ok-button" class="dialog" label="&ok.label;" primary="true"
+     onclick="doOK();" disabled="false"/> 
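Review bot: The OK button wires doOK() through onclick, which handles mouse clicks only; a XUL button activated from the keyboard raises a command event instead, so the handler may never run for keyboard users. Use oncommand="doOK();" on this button in place of onclick.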

you shouldn't need to set disabled=false on buttons

+<!ENTITY serverCrlNextupdate.message "Please ask your system administrator for 
assistance">

This is a bit unhelpful for a home user, but I can't think of anything better 
at the moment, so this will be ok.

Fix the first two items I mentioned and r=bryner.
Attached patch: Updated patch.
Check if you need flex in the xul.  Other than that, sr=tor.
Keywords: reviewapproval
a=asa on behalf of drivers
Patch checked in. Marking FIXED.
Status: REOPENED → RESOLVED
Closed: 23 years ago → 23 years ago
Resolution: --- → FIXED
In order to test this, download the RSASecureServer.crl file from 
crl.verisign.com and host the file on a web server that has the mime type 
application/x-pkcs7-crl. Download the crl into your browser, set your computer 
clock forward by about 6 months and then visit https://www.verisign.com. 
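
Added example, not part of the bug thread or the attached patches: a Python check that reads thisUpdate and nextUpdate from a DER-encoded CRL and reports a CRL past its nextUpdate as a distinct state that a client can surface in an error message, rather than as a silent failure. The sample CRL is a constructed, unsigned skeleton, the `now` argument stands in for the moved system clock in the test steps above, and all function names are hypothetical.

```python
from datetime import datetime, timezone

def read_tlv(buf, off):
    """Return (tag, value_start, value_end) of the DER element at offset off."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:                        # long-form length: next n bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    return tag, off, off + length

def parse_time(tag, raw):
    text = raw.decode("ascii")
    if tag == 0x17:                          # UTCTime: RFC 5280 two-digit year rule
        text = ("19" if text[:2] >= "50" else "20") + text
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def crl_update_times(der):
    """Return (thisUpdate, nextUpdate or None) from a DER CertificateList."""
    _, pos, _ = read_tlv(der, 0)             # outer CertificateList SEQUENCE
    _, pos, end = read_tlv(der, pos)         # tbsCertList SEQUENCE
    times = []
    while pos < end and len(times) < 2:
        tag, start, stop = read_tlv(der, pos)
        if tag in (0x17, 0x18):              # UTCTime / GeneralizedTime
            times.append(parse_time(tag, der[start:stop]))
        elif times:                          # field after thisUpdate is not a time
            break
        pos = stop
    return times[0], (times[1] if len(times) == 2 else None)

def crl_status(der, now):
    """Classify CRL freshness so the caller can report a stale CRL explicitly."""
    this_update, next_update = crl_update_times(der)
    if next_update is None:
        return "no-nextUpdate"
    return "past-nextUpdate" if now > next_update else "current"

# Constructed sample: an unsigned CRL skeleton, only the fields the parser walks.
def tlv(tag, value):
    return bytes([tag, len(value)]) + value   # short-form lengths suffice here

ALG = tlv(0x30, bytes.fromhex("06092a864886f70d0101050500"))  # sha1WithRSA, NULL
TBS = tlv(0x30, tlv(0x02, b"\x01") + ALG + tlv(0x30, b"")
          + tlv(0x17, b"010801000000Z") + tlv(0x17, b"010815000000Z"))
SAMPLE_CRL = tlv(0x30, TBS + ALG + tlv(0x03, b"\x00"))
```

Calling `crl_status(SAMPLE_CRL, now)` with a `now` about six months after the sample's nextUpdate returns `"past-nextUpdate"`, the condition the dialog in this bug is meant to report.
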
There are multiple problems with the xul in this patch, so reopening.  First of
all, though, why must this alert be hand-rolled? Why can't it use the existing
CommonDialog infrastructure?

In the future, please have someone intimately familiar with xul review a change
such as this.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Making future.
What specific problems are there for this dialog? Is the functionality broken?
Target Milestone: 2.1 → Future
OS > all
OS: Windows 2000 → All
QA Contact: ckritzer → junruh
Hardware: PC → All
Version: 2.0 → 2.1
I am also seeing this problem when trying to access my account on
www.amazon.co.uk.  

To reproduce:

- go to http://www.amazon.co.uk
- click on the "Sign In" link
- enter username and password
- click "continue using secure server"

Actual result: dialog warning: "www.amazon.co.uk was not found. Please check the
name and try again."

Expected result: account home page loaded

O/S WinNT SP5
Mozilla 0.9.5 Build ID: 2001101117

I am yet to find a site using SSL that I _can_ access.
Please ignore previous comment. I've just discovered I had not created the
correct entry for the SSL proxy; I can now access SSL sites. Apologies.
Is this still an issue?

I am able to connect to https sites, although I have an expired CRL for the CA
that issued that site's cert.

Marking worksforme. Please verify.

As I believe we no longer inhibit connecting to a site because of an expired
CRL, we do not need an error message for that situation.
Status: REOPENED → RESOLVED
Closed: 23 years ago → 22 years ago
Resolution: --- → WORKSFORME
Verified.
Status: RESOLVED → VERIFIED
Product: PSM → Core
Version: psm2.1 → 1.0 Branch
Product: Core → Core Graveyard