Bug 438143

Summary: firefox refuses to show https://lists.mplayerhq.hu/
Product: [Fedora] Fedora
Reporter: David Woodhouse <dwmw2>
Component: firefox
Assignee: Gecko Maintainer <gecko-bugs-nobody>
Status: CLOSED WORKSFORME
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: low
Version: rawhide
CC: dcantrell, kengert, rrelyea
Target Milestone: ---
Keywords: Reopened
Target Release: ---
Hardware: All
OS: Linux
Doc Type: Bug Fix
Story Points: ---
Last Closed: 2008-04-21 12:33:02 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Blocks: 235705

Attachments (flags: none):
    screencast of how it does work
    screenshot with cacert root cert installed
    screenshot without cacert root cert installed
    two failure modes

Description David Woodhouse 2008-03-19 08:34:06 EDT
When going to the above URL I get a dialog box with the following message:

        lists.mplayerhq.hu:443 uses an invalid security certificate.
        The certificate is not trusted because it is self signed.
        (Error code: sec_error_untrusted_issuer)

I see no way to bypass this.

Comment 1 David Woodhouse 2008-03-19 08:37:18 EDT
I went into the advanced preferences, tried to add an exception for the site in
question, and got the same problem. When I enter the URL into the 'Add Security
Exception' dialog and click 'Get Certificate', I get the same error dialog, and
it says "Unable to obtain identification status for the given site".
Comment 2 David Woodhouse 2008-03-19 08:51:08 EDT
Weird. On another machine, the same package gives me a 'page load error' page
(not a dialog) which starts with the same text, but also has an 'Or you can add
an exception...' link which brings up the security manager... which then
actually works.
Comment 3 David Woodhouse 2008-03-19 09:07:48 EDT
Binary search on prefs.js shows that the problem happens when using a proxy (squid).
Comment 4 Matěj Cepl 2008-03-19 11:10:02 EDT
Not reproducible with firefox 3beta4. Watch the following funnies ...
Comment 5 David Woodhouse 2008-03-19 11:18:40 EDT
Hm. What proxy were you using?
Comment 6 David Woodhouse 2008-03-19 11:19:08 EDT
And you were definitely using it for SSL, not just http?
Comment 7 Matěj Cepl 2008-03-19 11:33:50 EDT
Created attachment 298526 [details]
screencast of how it does work

this is how it works
Comment 8 Matěj Cepl 2008-03-19 11:36:22 EDT
... and yes I don't like it either -- however, the current state is much better
than it was before; that link in the dialog is a result of much fight in
bugzilla.mozilla.org ;-) (not mine, though).
Comment 9 David Woodhouse 2008-03-19 11:41:13 EDT
Your screencast matches what I see (apart from the language, obviously) when I
don't use a proxy -- or when I use a proxy only for HTTP but not SSL. But when I
use a proxy (squid on Fedora 8), I just get the dialog box instead.
Comment 10 Matěj Cepl 2008-03-19 15:32:46 EDT
Oh, now I get it -- finally. My granny always told me that Wednesday is a bad
day, and you see -- my brain switched off. OK, I see that proxy is an essential
part of your problem.

OK, let's reopen it and I will test it (probably tomorrow though, now I am at home)
Comment 11 Matěj Cepl 2008-03-21 04:47:41 EDT
Actually, ...

My Firefox (firefox-3.0-0.44.cvs20080315.fc9.x86_64) has Network Connection set
up to "Use system settings" which is using squid on http://localhost:3128. And I
have just managed to repeat the process shown in the screencast above.

This is /var/log/squid/access.log generated during the tryout:

1206089014.176   1692 TCP_MISS/200 702 CONNECT lists.mplayerhq.hu:443
1206089017.402     68 TCP_MISS/200 702 CONNECT lists.mplayerhq.hu:443
1206089025.204     72 TCP_MISS/200 702 CONNECT lists.mplayerhq.hu:443
1206089027.207     74 TCP_MISS/301 342 GET http://lists.mplayerhq.hu/mailman/listinfo - DIRECT/ -
1206089033.096   5378 TCP_MISS/200 803 CONNECT lists.mplayerhq.hu:443
1206089033.098   6119 TCP_MISS/200 17912 CONNECT lists.mplayerhq.hu:443 - DIRECT/ -

and this is the particular piece of /var/log/squid/store.log:

1206089027.207 RELEASE -1 FFFFFFFF 44413EF33322FF0BB5233C2F780D88AF  301 1206089027        -1        -1 unknown 0/0 GET
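Reading squid's access.log the way Comment 11 does, as an added example that is not part of this bug report: the parser below takes the lines quoted in that comment and summarizes the CONNECT tunnels per target. Squid only relays bytes inside a CONNECT tunnel, so a 200 on such a line says nothing about whether Firefox accepted the server certificate; the SHORT_TUNNEL_BYTES threshold used to flag tunnels that probably closed during the handshake is my assumption, not something the bug states.

```python
import re
from collections import defaultdict

# Squid access.log lines as quoted in Comment 11 (the quote omits the
# client-address field, so the parser treats it as optional).
SAMPLE_LOG = """\
1206089014.176   1692 TCP_MISS/200 702 CONNECT lists.mplayerhq.hu:443
1206089017.402     68 TCP_MISS/200 702 CONNECT lists.mplayerhq.hu:443
1206089025.204     72 TCP_MISS/200 702 CONNECT lists.mplayerhq.hu:443
1206089027.207     74 TCP_MISS/301 342 GET http://lists.mplayerhq.hu/mailman/listinfo - DIRECT/ -
1206089033.096   5378 TCP_MISS/200 803 CONNECT lists.mplayerhq.hu:443
1206089033.098   6119 TCP_MISS/200 17912 CONNECT lists.mplayerhq.hu:443 - DIRECT/ -
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?:(?P<client>\S+)\s+)?"
    r"(?P<code>[A-Z_]+)/(?P<status>\d{3})\s+(?P<bytes>\d+)\s+"
    r"(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

# Assumed heuristic, not from the bug: a CONNECT tunnel carrying fewer bytes
# than this closed during or right after the TLS handshake (e.g. cert rejected).
SHORT_TUNNEL_BYTES = 1024


def parse_entries(text):
    """Parse access.log text into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = float(e["ts"])
            for k in ("elapsed", "status", "bytes"):
                e[k] = int(e[k])
            entries.append(e)
    return entries


def summarize(entries):
    """Per target URL: CONNECT tunnels, short (likely aborted) tunnels, plain HTTP."""
    per_target = defaultdict(lambda: {"tunnels": 0, "short": 0, "plain_http": 0})
    for e in entries:
        t = per_target[e["url"]]
        if e["method"] == "CONNECT":
            t["tunnels"] += 1
            # 200 here only means squid opened the tunnel; TLS success is invisible.
            if e["status"] == 200 and e["bytes"] < SHORT_TUNNEL_BYTES:
                t["short"] += 1
        else:
            t["plain_http"] += 1
    return dict(per_target)
```

On the quoted log this reports five tunnels to lists.mplayerhq.hu:443, four of them short, which is consistent with repeated attempts that ended before any page data flowed.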
Comment 12 David Woodhouse 2008-03-21 05:29:11 EDT
Using squid on localhost, I can reproduce your behaviour. Perhaps it needs to be
the F8 version of squid?
Comment 13 Kai Engert (:kaie) 2008-04-01 14:09:04 EDT
I can not reproduce this bug.
I am always able to add an exception.
Once I do, I'm able to connect.

I've installed squid and in firefox I configured both http and ssl proxy to
connect to 3128.

Works fine for me.

Comment 14 Kai Engert (:kaie) 2008-04-01 14:10:37 EDT
Where in the OS do I set "system proxy settings"?

Note I'm logging into that machine remotely, so if you could tell me which
command I must execute to configure the system's proxy setting, it would help me
a lot.
Comment 15 Matěj Cepl 2008-04-01 18:30:36 EDT
gconftool-2 -R /system/proxy
Comment 16 Jesse Keating 2008-04-03 15:07:38 EDT
Is this really a F9 blocker? I'm punting over to Target.
Comment 17 Kai Engert (:kaie) 2008-04-03 22:21:25 EDT
Sorry, there is no bug, at least none that I can reproduce.

I configured a system proxy using gnome-control-center.
I configured firefox to use the system proxy.
I verified the proxy is required, by stopping squid, and trying to surf the web
(then I got an error message, as expected).

I verified the proxy is used by looking at squid/access.log

I tried to use a proxy on the localhost, worked fine.

I tried to use a proxy on a remote machine.
On the local machine, I used iptables to block access to the hostname.
I used telnet to SSL port 443 to verify the iptables rule works.

With squid started, I used Firefox to connect to the site.
I got the error page about an invalid page, as expected.

I used the "add exception" button and dialog and was successfully able to add it.
Then I was able to connect to the site.

Sorry, I can't reproduce.
Comment 18 David Woodhouse 2008-04-11 11:40:10 EDT
cacert is also broken. I have the cacert root certificates installed:

When I go to https://cats.cacert.org/ I get an
'ssl_error_handshake_failure_alert' error, and no option to make an exception.
This is with no proxy.
Comment 19 David Woodhouse 2008-04-11 11:41:37 EDT
When I remove the CAcert root certs, I get to make an exception. But with them
installed, I can't (and shouldn't it just work without any problems?)
Comment 20 Kai Engert (:kaie) 2008-04-11 19:51:59 EDT
ok, I'll test the new report
Comment 21 Kai Engert (:kaie) 2008-04-11 20:02:56 EDT
David, I indeed can reproduce your problem. I can reproduce it with the
firefox/nss contained in rawhide, and I can reproduce it with the most recent
upstream sources, too.

I think it's a separate issue from the one originally reported in this bug.

I might close this bug and open a new one.
Comment 22 Kai Engert (:kaie) 2008-04-11 20:22:56 EDT
David, you said, if you remove the root certs, then you are able to add an

But, once you have added the exception, are you then able to connect?

In my testing, I still get the handshake alert error message, which seems to
suggest that the server is bad.

In addition I've just tested with Firefox 2.
I get an error message with code -12227, which means the same thing.

Are you really able to open that web site?
Comment 23 David Woodhouse 2008-04-12 03:48:50 EDT
Created attachment 302198 [details]
screenshot with cacert root cert installed
Comment 24 David Woodhouse 2008-04-12 03:50:06 EDT
Created attachment 302199 [details]
screenshot without cacert root cert installed
Comment 25 Kai Engert (:kaie) 2008-04-12 06:32:16 EDT
David, yes, these screenshots are exactly what I get, too.

David, please tell me, are you able to connect to this server using *any*
software? If yes, can you please name product and version?

The handshake_failure_alert means that client and server are unable to agree on
a protocol.

This does not look like a new behavior in FF3. Firefox 2 and 1.5 show exactly
the same behavior (reject connection with error message).

This problem is not limited to Firefox, as far as I can tell. I tried konqueror,
and it gives me "An error occurred while loading https://cats.cacert.org: Could
not connect to host cats.cacert.org."

When I use a low level tool from NSS it tells me:
SSL peer was unable to negotiate an acceptable set of security parameters.
Comment 26 David Woodhouse 2008-04-12 08:04:30 EDT
Created attachment 302208 [details]
two failure modes

Hm, true. I hadn't gone through the process of adding the exception, so
assumed it was another manifestation of the original problem reported
above. When I add the exception, I end up with the same error; it still
doesn't work.

I now have CAcert-provided certificates for some of my own machines,
including https://pentafluge.infradead.org, and those seem to work fine
-- even when I'm using a proxy.

Interestingly, when using a proxy and not having the CAcert root cert
installed I can connect to pentafluge.infradead.org but not to
clueless.aaisp.net.uk. For the former I get a page reporting
'sec_error_unknown_issuer' and the option to make an exception. For the
latter I get a dialog reporting 'sec_error_untrusted_issuer'. And no way
to proceed. Demonstrated in attached screenshot.
Comment 27 David Woodhouse 2008-04-13 04:11:33 EDT
Aha, cats.cacert.org requires a client certificate. If I _have_ a client
certificate, it pops up a dialog box telling me "This site has requested that
you identify yourself with a certificate", and lets me choose the certificate to

When I didn't have a client cert installed, it just failed. Shouldn't it have
been more helpful? (so yes, that is a separate bug from the original one).
Comment 28 David Woodhouse 2008-04-18 16:28:05 EDT
Kai, am I right in thinking that you've managed to reproduce the failure with
https://lists.mplayerhq.hu/ when operating via squid?
Comment 29 Kai Engert (:kaie) 2008-04-21 12:33:02 EDT
No, it always worked for me with the mplayer site.