Closed Bug 960850 Opened 8 years ago Closed 14 days ago

Firefox shows SSL error for https://www.boaeditions.org/ even though the site is just redirecting you to http://...

Categories: Core :: Security, defect
Priority: Not set; Severity: trivial
Status: RESOLVED INCOMPLETE
People: Reporter: mwobensmith, Assigned: kwilson
Whiteboard: [country-us]

https://www.boaeditions.org/ produces the following on FF27:

"www.boaeditions.org uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. 
(Error code: sec_error_unknown_issuer)"

This does not happen on FF26 or Chrome. On both of those sites, it appears to redirect to an HTTP URI instead.
(In reply to Matt Wobensmith from comment #0)
> https://www.boaeditions.org/ produces the following on FF27:
> 
> "www.boaeditions.org uses an invalid security certificate. The certificate
> is not trusted because no issuer chain was provided. 
> (Error code: sec_error_unknown_issuer)"
> 
> This does not happen on FF26 or Chrome. On both of those sites, it appears
> to redirect to an HTTP URI instead.

Please try with a clean profile on Firefox 26. It works for me on Nightly 29 and I suspect that the reason it works on Firefox 26 is that you have cached an intermediate certificate that the site needs.
Flags: needinfo?(mwobensmith)
You are correct, Brian. Clean profile on Firefox 26 produces the same behavior observed on Firefox 27.

Not a regression.
Flags: needinfo?(mwobensmith)
Kathleen, this server isn't sending the intermediate CA certificate in its SSL handshake. That means it is misconfigured. The certificate was issued by Network Solutions. Could you ask Network Solutions to help the site fix the problem?
Assignee: nobody → kwilson
Component: Libraries → English Other
OS: Mac OS X → All
Product: NSS → Tech Evangelism
Hardware: x86 → All
See Also: → 733232, 399324, 682263
Target Milestone: --- → Feb
Version: 3.16.5 → Trunk
(In reply to Brian Smith (:briansmith, :bsmith; NEEDINFO? for response) from comment #3)
> Kathleen, this server isn't sending the intermediate CA certificate in its
> SSL handshake. That means it is misconfigured. The certificate was issued by
> Network Solutions. Could you ask Network Solutions to help the site fix the
> problem?

I have been in contact with a representative of Network Solutions regarding this since January 16. The server belongs to Rackspace, so they are trying to get Rackspace to install the intermediate cert.
I just tried browsing to https://www.boaeditions.org/ in another browser (Safari), and it redirects me to http://www.boaeditions.org/

Is it possible that redirection from https to http somehow got broken in Firefox?
So indeed the site http://www.boaeditions.org/ works well in Firefox.

The redirection from https://www.boaeditions.org/ is not happening in Firefox Desktop, because of the SSL error. In Safari WebKit and Opera Blink the sites are redirected to http://


# Safari
→ http --print hH GET 'https://www.boaeditions.org/' 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/7.0.6 Safari/537.78.2' | egrep -i 'HTTP/|location'
GET / HTTP/1.1
HTTP/1.1 302 Found
Location: http://www.boaeditions.org/


# Firefox 
→ http --print hH GET 'https://www.boaeditions.org/' 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0' | egrep -i 'HTTP/|location'
GET / HTTP/1.1
HTTP/1.1 302 Found
Location: http://www.boaeditions.org/

# Opera
→ http --print hH GET 'https://www.boaeditions.org/' 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36 OPR/24.0.1558.51 (Edition Next)' | egrep -i 'HTTP/|location'
GET / HTTP/1.1
HTTP/1.1 302 Found
Location: http://www.boaeditions.org/


So the server is consistent here. It wants to redirect to http, but it seems that Firefox wants to first validate the certificate.

I have the feeling that it is an issue with Firefox.
Flags: needinfo?(brian)
Component: English Other → Desktop
Whiteboard: [country-us] [notcontactready]
It is better for somebody other than me to look at this. Thanks for the new information though!
Flags: needinfo?(brian)
Works for me - redirects nicely to http: both in Nightly and latest release.
Summary: https://www.boaeditions.org/ throws an SSL error → Firefox shows SSL error for https://www.boaeditions.org/ even though the site is just redirecting you to http://...
(I suspect the site was fixed, not Gecko? It would be nice if someone with the required knowledge set up a test case so we could verify whether Gecko is stricter than other implementations here. I guess it's not high pri, though, given that it's a corner case and invalidly configured HTTPS servers redirecting to HTTP likely won't be found often even in the wild.)
Component: Desktop → Security
Product: Tech Evangelism → Core
Target Milestone: Feb → ---
Severity: normal → trivial
Whiteboard: [country-us] [notcontactready] → [country-us]
The site is still broken; just load https://www.ssllabs.com/ssltest/analyze.html?d=boaeditions.org
Under "Certification Paths" you see that the server provides only its main certificate (1=sent) but doesn't send the intermediate certificate (2=Extra download, should be 2=sent).

Some browsers support a download of such missing intermediates but not Gecko (bug 399324).
Firefox caches intermediate certificates in its user profile once it has encountered them somewhere on the web, so you may not see the error if your user profile already contains a cached copy of the intermediate certificate.
Use a new profile as Brian already suggested in comment #2 and the error can be seen again.

> So the server is consistent here, It wants to redirect to http, but it seems that Firefox wants to first validate the certificate.
Before you can download any content over https you have to complete the SSL/TLS handshake, and content can be anything, including a 301/302 redirect.


Unfortunately the site shows a different issue with recent Firefox versions and I do not know why this happens: sec_error_bad_signature
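
Added example, not part of the bug thread or of Mozilla's code: a name-based model of the situation the comment above describes, showing why a leaf-only handshake fails in a clean profile, succeeds once the intermediate is cached, and succeeds when the server sends the full chain. The `openssl s_client -showcerts` excerpts, certificate names and trust store are constructed placeholders, and the functions `sent_chain` and `build_path` are hypothetical helpers; no signatures are checked.

```python
import re

# Constructed sample of the "Certificate chain" section printed by
# `openssl s_client -connect host:443 -showcerts`; all names are placeholders.
SAMPLE_LEAF_ONLY = """\
Certificate chain
 0 s:/C=US/O=Example Press/CN=www.example.org
   i:/C=US/O=Example CA/CN=Example Intermediate CA
"""
SAMPLE_FULL = SAMPLE_LEAF_ONLY + """\
 1 s:/C=US/O=Example CA/CN=Example Intermediate CA
   i:/C=US/O=Example CA/CN=Example Root CA
"""
INTERMEDIATE = "/C=US/O=Example CA/CN=Example Intermediate CA"
TRUSTED_ROOTS = {"/C=US/O=Example CA/CN=Example Root CA"}  # constructed trust store

# One "N s:<subject>" line followed by its "i:<issuer>" line.
PAIR = re.compile(r"^\s*(\d+) s:(.+)\n\s+i:(.+)$", re.M)

def sent_chain(s_client_text):
    """Return [(subject, issuer), ...] in the order the server sent them."""
    return [(m.group(2).strip(), m.group(3).strip())
            for m in PAIR.finditer(s_client_text)]

def build_path(chain, roots, cached=()):
    """Follow issuer names from the leaf using only sent and cached certificates.

    Returns (ok, missing_issuer). Nothing is downloaded, which models a client
    that does not fetch missing intermediates. Matching is by name only.
    """
    known = dict(chain)      # subject -> issuer for everything the server sent
    known.update(cached)     # plus intermediates remembered from earlier sites
    issuer = chain[0][1]     # start from the leaf's issuer
    seen = set()
    while issuer not in roots:
        if issuer not in known or issuer in seen:  # gap in the chain, or a loop
            return False, issuer
        seen.add(issuer)
        issuer = known[issuer]
    return True, None
```
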
(In reply to Matthias Versen [:Matti] from comment #10)
> 
> Unfortunately the site shows a different issue with recent Firefox versions
> and I do not know why this happens: sec_error_bad_signature

I asked Keeler about this, and here's his response: It looks like the signature on that certificate is actually invalid (or it was signed by a certificate other than the one that's in our root program but has the same subject name).

I've sent email about it to the CA.

Page is https now

Status: NEW → RESOLVED
Closed: 14 days ago
Resolution: --- → INCOMPLETE