Closed
Bug 960850
Opened 10 years ago
Closed 2 years ago
Firefox shows SSL error for https://www.boaeditions.org/ even though the site is just redirecting you to http://...
Categories
(Core :: Security, defect)
Core
Security
Tracking
()
RESOLVED
INCOMPLETE
People
(Reporter: mwobensmith, Assigned: kathleen.a.wilson)
References
()
Details
(Whiteboard: [country-us])
https://www.boaeditions.org/ produces the following on FF27: "www.boaeditions.org uses an invalid security certificate. The certificate is not trusted because no issuer chain was provided. (Error code: sec_error_unknown_issuer)" This does not happen on FF26 or Chrome. On both of those sites, it appears to redirect to an HTTP URI instead.
|
||
Comment 1•10 years ago
|
||
(In reply to Matt Wobensmith from comment #0) > https://www.boaeditions.org/ produces the following on FF27: > > "www.boaeditions.org uses an invalid security certificate. The certificate > is not trusted because no issuer chain was provided. > (Error code: sec_error_unknown_issuer)" > > This does not happen on FF26 or Chrome. On both of those sites, it appears > to redirect to an HTTP URI instead. Please try with a clean profile on Firefox 26. It works for me on Nightly 29 and I suspect that the reason it works on Firefox 26 is that you have cached an intermediate certificate that the site needs.
Flags: needinfo?(mwobensmith)
|
Reporter | |
Comment 2•10 years ago
|
||
You are correct, Brian. Clean profile on Firefox 26 produces same behavior observed on Firefox 27. Not a regression.
Flags: needinfo?(mwobensmith)
|
|
||
Comment 3•10 years ago
|
||
Kathleen, this server isn't sending the intermediate CA certificate in its SSL handshake. That means it is misconfigured. The certificate was issued by Network Solutions. Could you ask Network Solutions to help the site fix the problem?
|
Assignee | |
Comment 4•10 years ago
|
||
(In reply to Brian Smith (:briansmith, :bsmith; NEEDINFO? for response) from comment #3) > Kathleen, this server isn't sending the intermediate CA certificate in its > SSL handshake. That means it is misconfigured. The certificate was issued by > Network Solutions. Could you ask Network Solutions to help the site fix the > problem? I have been in contact with a representative of Network Solutions regarding this since January 16. The server belongs to Rackspace, so they are trying to get Rackspace to install the intermediate cert.
|
|
Assignee | |
Comment 5•10 years ago
|
||
I just tried browsing to https://www.boaeditions.org/ in another browser (Safari), and it redirects me to http://www.boaeditions.org/ Is it possible that redirection from https to http somehow got broken in Firefox?
|
||
Comment 6•10 years ago
|
||
So indeed the site http://www.boaeditions.org/ works well in Firefox. The redirection from https://www.boaeditions.org/ is not happening in Firefox Desktop, because of the SSL error. In Safari WebKit and Opera Blink the sites are redirected to http:// # Safari → http --print hH GET 'https://www.boaeditions.org/' 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.78.2 (KHTML, like Gecko) Version/7.0.6 Safari/537.78.2' | egrep -i 'HTTP/|location' GET / HTTP/1.1 HTTP/1.1 302 Found Location: http://www.boaeditions.org/ # Firefox → http --print hH GET 'https://www.boaeditions.org/' 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:31.0) Gecko/20100101 Firefox/31.0' | egrep -i 'HTTP/|location' GET / HTTP/1.1 HTTP/1.1 302 Found Location: http://www.boaeditions.org/ # Opera → http --print hH GET 'https://www.boaeditions.org/' 'User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_9_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/37.0.2062.94 Safari/537.36 OPR/24.0.1558.51 (Edition Next)' | egrep -i 'HTTP/|location' GET / HTTP/1.1 HTTP/1.1 302 Found Location: http://www.boaeditions.org/ So the server is consistent here, It wants to redirect to http, but it seems that Firefox wants to first validate the certificate. I have the feeling that it is an issue with Firefox.
Flags: needinfo?(brian)
|
|
||
Updated•10 years ago
|
Component: English Other → Desktop
Whiteboard: [country-us] [notcontactready]
|
|
||
Comment 7•10 years ago
|
||
It is better for somebody other than me to look at this. Thanks for the new information though!
Flags: needinfo?(brian)
|
||
Comment 8•10 years ago
|
||
Works for me - redirects nicely to http: both in Nightly and latest release.
|
|
||
Updated•10 years ago
|
Summary: https://www.boaeditions.org/ throws an SSL error → Firefox shows SSL error for https://www.boaeditions.org/ even though the site is just redirecting you to http://...
|
|
||
Comment 9•10 years ago
|
||
(I suspect the site was fixed, not Gecko? It would be nice if someone with the required knowledge set up a test case so we could verify whether Gecko is stricter than other implementations here. I guess it's not high pri, though, given that it's a corner case and invalidly configured HTTPS servers redirecting to HTTP likely won't be found often even in the wild.)
Component: Desktop → Security
Product: Tech Evangelism → Core
Target Milestone: Feb → ---
|
|
||
Updated•10 years ago
|
Severity: normal → trivial
Whiteboard: [country-us] [notcontactready] → [country-us]
|
||
Comment 10•10 years ago
|
||
The site is still broken, just load https://www.ssllabs.com/ssltest/analyze.html?d=boaeditions.org under "Certification Paths" you see that the server provides only his main certificate (1=sent) but doesn't send the intermediate certificate (2=Extra download , should be 2=sent). Some browsers support a download of such missing intermediates but not Gecko (bug 399324). Firefox caches intermediates certificates in his user profile once it encountered it somewhere on the web so you may not see the error if your user profile already contains a cached copy of the intermediate certificate. Use a new profile as Brian already suggested in comment#2 and the error can be seen again. >So the server is consistent here, It wants to redirect to http, but it seems that Firefox wants to first validate the certificate. Before you can download any content over https you have to complete the ssl/TLS handshake and content can be everything including a 301/302 redirect. Unfortunately the site shows a different issue with recent Firefox versions and I do not know why this happens: sec_error_bad_signature
|
|
Assignee | |
Comment 11•10 years ago
|
||
(In reply to Matthias Versen [:Matti] from comment #10) > > Unfortunately the site shows a different issue with recent Firefox versions > and I do not know why this happens: sec_error_bad_signature I asked Keeler about this, and here's his response: It looks like the signature on that certificate is actually invalid (or it was signed by a certificate other than the one that's in our root program but has the same subject name). I've sent email about it to the CA.
|
|
||
Comment 12•2 years ago
|
||
Page is https now
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → INCOMPLETE
You need to log in
before you can comment on or make changes to this bug.
Description
•