Red Hat Bugzilla – Full Text Bug Listing
Summary: firefox refuses to show https://lists.mplayerhq.hu/
Product: [Fedora] Fedora
Reporter: David Woodhouse <dwmw2>
Component: firefox
Assignee: Gecko Maintainer <gecko-bugs-nobody>
Status: CLOSED WORKSFORME
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Version: rawhide
CC: dcantrell, kengert, rrelyea
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Last Closed: 2008-04-21 12:33:02 EDT
Type: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Bug Depends On:
Description David Woodhouse 2008-03-19 08:34:06 EDT
When going to the above URL I get a dialog box with the following message:
lists.mplayerhq.hu:443 uses an invalid security certificate. The certificate is not trusted because it is self signed. (Error code: sec_error_untrusted_issuer)
I see no way to bypass this.
firefox-3.0-0.44.cvs20080315.fc9
xulrunner-1.9-0.44.cvs20080315.fc9
Comment 1 David Woodhouse 2008-03-19 08:37:18 EDT
I went into the advanced preferences, tried to add an exception for the site in question, and got the same problem. When I enter the URL into the 'Add Security Exception' dialog and click 'Get Certificate', I get the same error dialog, and it says "Unable to obtain identification status for the given site".
Comment 2 David Woodhouse 2008-03-19 08:51:08 EDT
Weird. On another machine, the same package gives me a 'page load error' page (not a dialog) which starts with the same text, but also has an 'Or you can add an exception...' link which brings up the security manager... which then actually works.
Comment 3 David Woodhouse 2008-03-19 09:07:48 EDT
binary search on prefs.js shows that the problem happens when using a proxy (squid).
Comment 4 Matěj Cepl 2008-03-19 11:10:02 EDT
Not reproducible with firefox 3beta4. Watch the following funnies ...
Comment 5 David Woodhouse 2008-03-19 11:18:40 EDT
Hm. What proxy were you using?
Comment 6 David Woodhouse 2008-03-19 11:19:08 EDT
And you were definitely using it for SSL, not just http?
Comment 7 Matěj Cepl 2008-03-19 11:33:50 EDT
Created attachment 298526 [details] screencast of how it does work
this is how it works
Comment 8 Matěj Cepl 2008-03-19 11:36:22 EDT
... and yes I don't like it either -- however, the current state is much better than it was before; that link in the dialog is a result of much fight in bugzilla.mozilla.org ;-) (not mine, though).
Comment 9 David Woodhouse 2008-03-19 11:41:13 EDT
Your screencast matches what I see (apart from the language, obviously) when I don't use a proxy -- or when I use a proxy only for HTTP but not SSL. But when I use a proxy (squid on Fedora 8), I just get the dialog box instead.
Comment 10 Matěj Cepl 2008-03-19 15:32:46 EDT
Oh, now I get it -- finally. My granny always told me that Wednesday is a bad day, and you see -- my brain switched off. OK, I see that proxy is an essential part of your problem. OK, let's reopen it and I will test it (probably tomorrow though, now I am at home)
Comment 11 Matěj Cepl 2008-03-21 04:47:41 EDT
Actually, ... My Firefox (firefox-3.0-0.44.cvs20080315.fc9.x86_64) has Network Connection set up to "Use system settings" which is using squid on http://localhost:3128. And I have just managed to repeat the process shown in the screencast above. This is /var/log/squid/access.log generated during the tryout:
1206089014.176 1692 127.0.0.1 TCP_MISS/200 702 CONNECT lists.mplayerhq.hu:443 - DIRECT/220.127.116.11 -
1206089017.402 68 127.0.0.1 TCP_MISS/200 702 CONNECT lists.mplayerhq.hu:443 - DIRECT/18.104.22.168 -
1206089025.204 72 127.0.0.1 TCP_MISS/200 702 CONNECT lists.mplayerhq.hu:443 - DIRECT/22.214.171.124 -
1206089027.207 74 127.0.0.1 TCP_MISS/301 342 GET http://lists.mplayerhq.hu/mailman/listinfo - DIRECT/126.96.36.199 -
1206089033.096 5378 127.0.0.1 TCP_MISS/200 803 CONNECT lists.mplayerhq.hu:443 - DIRECT/188.8.131.52 -
1206089033.098 6119 127.0.0.1 TCP_MISS/200 17912 CONNECT lists.mplayerhq.hu:443 - DIRECT/184.108.40.206 -
and this is the particular piece of /var/log/squid/store.log
1206089027.207 RELEASE -1 FFFFFFFF 44413EF33322FF0BB5233C2F780D88AF 301 1206089027 -1 -1 unknown 0/0 GET http://lists.mplayerhq.hu/mailman/listinfo
Comment 12 David Woodhouse 2008-03-21 05:29:11 EDT
Using squid on localhost, I can reproduce your behaviour. Perhaps it needs to be the F8 version of squid?
Comment 13 Kai Engert (:kaie) 2008-04-01 14:09:04 EDT
I can not reproduce this bug. I am always able to add an exception. Once I do, I'm able to connect. I've installed squid and in firefox I configured both http and ssl proxy to connect to 127.0.0.1 3128. Works fine for me.
Comment 14 Kai Engert (:kaie) 2008-04-01 14:10:37 EDT
Where in the OS do I set "system proxy settings"? Note I'm logging into that machine remotely, so if you could tell me which command I must execute to configure the system's proxy setting, it would help me a lot.
Comment 15 Matěj Cepl 2008-04-01 18:30:36 EDT
gconftool-2 -R /system/proxy
Comment 16 Jesse Keating 2008-04-03 15:07:38 EDT
Is this really a F9 blocker? I'm punting over to Target.
Comment 17 Kai Engert (:kaie) 2008-04-03 22:21:25 EDT
Sorry, there is no bug, at least none that I can reproduce.
I configured a system proxy using gnome-control-center. I configured firefox to use the system proxy.
I verified the proxy is required, by stopping squid, and trying to surf the web (then I got an error message, as expected). I verified the proxy is used by looking at squid/access.log
I tried to use a proxy on the localhost, worked fine.
I tried to use a proxy on a remote machine. On the local machine, I used iptables to block access to hostname lists.mplayerhq.hu. I used telnet to SSL port 443 to verify the iptables rule works. With squid started, I used Firefox to connect to the site. I got the error page about an invalid page, as expected. I used the "add exception" button and dialog and was successfully able to add it. Then I was able to connect to the site.
Sorry, I can't reproduce.
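Comments 6, 11 and 17 all hinge on the same check: confirming from squid's access.log that the proxy carried the SSL traffic (CONNECT tunnels to port 443) and not only plain HTTP. The following parser is an added example, not code from the bug thread or from Squid; the sample log is constructed (modelled on Comment 11's entries, with the documentation address 192.0.2.10 standing in for the real peer and an invented refused tunnel), and the function names are the example's own.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Squid "native" access.log layout, one request per line:
#   time elapsed client result/status bytes method url ident hierarchy/peer type
SQUID_NATIVE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+"
    r"(?P<result>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<ident>\S+)\s+"
    r"(?P<hier>\S+)/(?P<peer>\S+)\s+(?P<type>\S+)$"
)

# Constructed sample log (modelled on Comment 11; 192.0.2.10 is a placeholder peer
# address and the TCP_DENIED line is invented to show a refused tunnel).
SAMPLE_LOG = """\
1206089014.176 1692 127.0.0.1 TCP_MISS/200 702 CONNECT lists.mplayerhq.hu:443 - DIRECT/192.0.2.10 -
1206089027.207 74 127.0.0.1 TCP_MISS/301 342 GET http://lists.mplayerhq.hu/mailman/listinfo - DIRECT/192.0.2.10 -
1206089033.098 6119 127.0.0.1 TCP_MISS/200 17912 CONNECT lists.mplayerhq.hu:443 - DIRECT/192.0.2.10 -
1206089040.000 12 127.0.0.1 TCP_DENIED/403 1438 CONNECT lists.mplayerhq.hu:443 - NONE/- text/html
"""

def parse_line(line):
    """One access.log entry as a dict (status as int), or None if not native format."""
    m = SQUID_NATIVE.match(line.strip())
    return None if m is None else {**m.groupdict(), "status": int(m.group("status"))}

def request_host(rec):
    if rec["method"] == "CONNECT":              # CONNECT carries "host:port", no scheme
        return rec["url"].rpartition(":")[0]
    return urlsplit(rec["url"]).hostname        # anything else carries a full URL

def summarize(log_text, host):
    """Count what the proxy saw for `host`: established CONNECT tunnels (SSL went
    through the proxy), refused tunnels, and plain-HTTP requests."""
    counts = Counter(tunnels_ok=0, tunnels_failed=0, plain_http=0)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or request_host(rec) != host:
            continue
        if rec["method"] == "CONNECT":
            # 200 only means the TCP tunnel was set up; the TLS handshake and any
            # certificate error happen inside it and never appear in this log.
            counts["tunnels_ok" if rec["status"] == 200 else "tunnels_failed"] += 1
        else:
            counts["plain_http"] += 1
    return dict(counts)

def ssl_goes_through_proxy(log_text, host):
    """The question from Comment 6: was the proxy used for SSL, not just plain HTTP?"""
    return summarize(log_text, host)["tunnels_ok"] > 0
```

Because the certificate check happens inside the tunnel, a clean run of CONNECT 200 entries tells you only that Firefox reached the site via squid, not why it then rejected the certificate.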
Comment 18 David Woodhouse 2008-04-11 11:40:10 EDT
cacert is also broken. I have the cacert root certificates installed:
http://www.cacert.org/certs/root.crt
http://www.cacert.org/certs/class3.crt
When I go to https://cats.cacert.org/ I get an 'ssl_error_handshake_failure_alert' error, and no option to make an exception. This is with no proxy.
Comment 19 David Woodhouse 2008-04-11 11:41:37 EDT
When I remove the CAcert root certs, I get to make an exception. But with them installed, I can't (and shouldn't it just work without any problems?)
Comment 20 Kai Engert (:kaie) 2008-04-11 19:51:59 EDT
ok, I'll test the new report
Comment 21 Kai Engert (:kaie) 2008-04-11 20:02:56 EDT
David, I indeed can reproduce your problem. I can reproduce it with the firefox/nss contained in rawhide, and I can reproduce it with the most recent upstream sources, too. I think it's a separate issue from the one originally reported in this bug. I might close this bug and open a new one.
Comment 22 Kai Engert (:kaie) 2008-04-11 20:22:56 EDT
David, you said, if you remove the root certs, then you are able to add an exception. But, once you have added the exception, are you then able to connect? In my testing, I still get the handshake alert error message, which seems to suggest that the server is bad. In addition I've just tested with Firefox 2. I get an error message with code -12227, which means the same thing. Are you really able to open that web site?
Comment 23 David Woodhouse 2008-04-12 03:48:50 EDT
Created attachment 302198 [details] screenshot with cacert root cert installed
Comment 24 David Woodhouse 2008-04-12 03:50:06 EDT
Created attachment 302199 [details] screenshot without cacert root cert installed
Comment 25 Kai Engert (:kaie) 2008-04-12 06:32:16 EDT
David, yes, these screenshots are exactly what I get, too. David, please tell me, are you able to connect to this server using *any* software? If yes, can you please name product and version? The handshake_failure_alert means that client and server are unable to agree on a protocol. This does not look like a new behavior in FF3. Firefox 2 and 1.5 show exactly the same behavior (reject connection with error message). This problem is not limited to Firefox, as far as I can tell. I tried konqueror, and it gives me "An error occurred while loading https://cats.cacert.org: Could not connect to host cats.cacert.org." When I use a low level tool from NSS it tells me: SSL peer was unable to negotiate an acceptable set of security parameters.
Comment 26 David Woodhouse 2008-04-12 08:04:30 EDT
Created attachment 302208 [details] two failure modes
Hm, true. I hadn't gone through the process of adding the exception, so assumed it was another manifestation of the original problem reported above. When I add the exception, I end up with the same error; it still doesn't work. I now have CAcert-provided certificates for some of my own machines, including https://pentafluge.infradead.org, and those seem to work fine -- even when I'm using a proxy. Interestingly, when using a proxy and not having the CAcert root cert installed I can connect to pentafluge.infradead.org but not to clueless.aaisp.net.uk. For the former I get a page reporting 'sec_error_unknown_issuer' and the option to make an exception. For the latter I get a dialog reporting 'sec_error_untrusted_issuer'. And no way to proceed. Demonstrated in attached screenshot.
Comment 27 David Woodhouse 2008-04-13 04:11:33 EDT
Aha, cats.cacert.org requires a client certificate. If I _have_ a client certificate, it pops up a dialog box telling me "This site has requested that you identify yourself with a certificate", and lets me choose the certificate to use. When I didn't have a client cert installed, it just failed. Shouldn't it have been more helpful? (so yes, that is a separate bug from the original one).
Comment 28 David Woodhouse 2008-04-18 16:28:05 EDT
Kai, am I right in thinking that you've managed to reproduce the failure with https://lists.mplayerhq.hu/ when operating via squid?
Comment 29 Kai Engert (:kaie) 2008-04-21 12:33:02 EDT
No, it always worked for me with the mplayer site.