|Summary:||Firefox 3 failures when profile is stored on a samba/cifs network drive|
|Product:||[Fedora] Fedora||Reporter:||Karl Magnus Kolstø <karl.kolsto>|
|Component:||firefox||Assignee:||Gecko Maintainer <gecko-bugs-nobody>|
|Status:||CLOSED UPSTREAM||QA Contact:||Fedora Extras Quality Assurance <extras-qa>|
|Version:||9||CC:||abartlet, bjorn.sund, kengert, mcepl, rrelyea, shaines, walters, wtc|
|Fixed In Version:||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2009-06-18 05:16:11 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
|Cloudforms Team:||---||Target Upstream Version:|
Description Karl Magnus Kolstø 2008-06-13 13:17:11 UTC
From Bugzilla Helper: User-Agent: Mozilla/5.0 (compatible; Konqueror/4.0; Linux) KHTML/4.0.5 (like Gecko) Fedora/4.0.5-2.fc9 Description of problem: When pointing firefox 3b5 to a server with an unofficial ssl certificate we get " Secure Connection Failed <server>:<port> uses an invalid security certificate. The certificate is not valid for any server names. (Error code: ssl_error_bad_cert_domain) * This could be a problem with the server's configuration, or it could be someone trying to impersonate the server. * If you have connected to this server successfully in the past, the error may be temporary, and you can try again later. Or you can add an exception… " When clicking on 'Or you can add an exception...' I am presented with the options 'Get me out of here!' and 'Add Exception...' Clicking on either yields no response. Not even after waiting about 10 minutes. Version-Release number of selected component (if applicable): firefox-3.0-0.60.beta5.fc9.i386 How reproducible: Always Steps to Reproduce: 1. start firefox 2. try to connect to server:port on server with 'local security certificate", one that isn't official in some way. 3. when firefox complains about secure connection failing, try to add exception Actual Results: Nothing, basically. The 'wheel' on the tab is 'spinning', but nothing appears to happen. Not even after waiting for 10 or so minutes. Expected Results: Presumably exception would be added and I should be taken to the expected web page. Additional info:
Comment 1 Matěj Cepl 2008-06-13 16:17:57 UTC
Could we get particular URL, where it happens? I certainly cannot reproduce this on many sites, where everything works as expected.
Comment 2 Karl Magnus Kolstø 2008-06-13 16:45:31 UTC
This particular server is not accessible from the Internet, unfortunatly. I do not remember the details right now, but it has something to do with the way it's ssl certificate either was generated or installed. I can connect to the server if I use fully qualified domain name, but the sertificate fails to get recognized if I connect using only the short name of the server. (Maybe this gives you some clues?) I believe that certificate was either bought from a non-widely used entity, or also possibly internally. In any case, I can try to dig up some more info about it over the weekend.
Comment 3 Matěj Cepl 2008-06-13 21:13:23 UTC
Do so, please. As much information related to this issue as possible would be helpful.
Comment 4 Karl Magnus Kolstø 2008-06-16 08:34:21 UTC
What I have been able find out about the certificate is the following; (this is what konqueror is able to tell me about the certificate btw) Encryption: RC4, using 128 bits of a 128 bit key Details: AUTH = RSA, Kx = RSA, MAC = SHA-1 SSL Version: SSLv3 Certificate Chain: <fully qualified domain name of the machine I try to connect> It is a pulldown menu with also has "Cybertrust Educational CA" and "GTE CyberTrust Global Root" as options Tab 'Subject' Common Name: <FQD of machine I try to connect to> Rest is just address Tab 'Issuer' Common Name: Cybertrust Educational CA Organization: Cybertrust Organizational Unit: Educational CA Country: BE State: <blank> City: <blank> below that; Trusted: TODO Validity period: 2007-02-26 12:52 to 2010-02-26 13:52 Serial Number: <blank> MD5 Digest: <mostly irrelevant?> ------------- I hope this might help in some way. -- Karl Magnus
Comment 5 Matěj Cepl 2008-06-16 09:08:38 UTC
(In reply to comment #2) > I can connect to the server if I use fully qualified domain name, but the > sertificate fails to get recognized if I connect using only the short name of > the server. (Maybe this gives you some clues?) Yes, one clue is that you just shouldn't do it. There are many security reasons why Firefox won't expand to FQDN and checking of certificate will (and should) fail. Do you have the same problem (no way how to exception) with FQDN as well?
Comment 6 Matěj Cepl 2008-06-16 09:09:47 UTC
(note, it doesn't meant that there is no problem -- we shouldn't just timeout, but tell you something meaningful)
Comment 7 Matěj Cepl 2008-06-16 09:17:04 UTC
BTW, for your pleaseure, this https://bugzilla.mozilla.org/show_bug.cgi?id=134402#c11 I found quite enlightening.
Comment 8 Karl Magnus Kolstø 2008-06-16 09:24:46 UTC
I agree that firefox shouldn't try to expand to FQDN by itself, but this server is local to me, so I should be able to use the shortname for it. Firefox 2 on fedora 8 protested too, but let me continue with a warning. If I use FQDN to the server in question it works without question and protests (also did on fedora 8). When I try to connect, I get the error page fairly quickly. And it is fairly meaningful (see my initial post for the whole error page text). The real problem here is that that error page tells me I can add an exception, but when I click that link (last line in the paste of that page is a link) the two buttons that appears does nothing. One is labled "Get me out of here!" the other "Add Exception..." Pressing either of them nothing happens. I have tried clicked 'Add Exception..." and left it for about half an hour. Nothing. Thanks.
Comment 9 Matěj Cepl 2008-06-16 10:05:09 UTC
(In reply to comment #8) > I agree that firefox shouldn't try to expand to FQDN by itself, but this > server is local to me, so I should be able to use the shortname for it. > Firefox 2 on fedora 8 protested too, but let me continue with a warning. The fact FF3 cannot continue with warning is considered from the security point of view as The Right Thing™ (see for example http://www.cs.auckland.ac.nz/~pgut001/pubs/phishing.pdf), but of course adding exceptions should work. If you need to get access to the local server by the short name, you should be able to ask your CA to add short name to the certificate of the server (it is possible to have more than one name in the cert). > The real problem here is that that error page tells me I can add an exception, > but when I click that link (last line in the paste of that page is a link) the > two buttons that appears does nothing. Yes, this is a bug. I am not sure whether it should be dealt with here or upstream, but I will investigate. Do you by chance get something interesting on the stderr when running firefox from xterm/rxvt/gnome-terminal/konsole?
Comment 10 Karl Magnus Kolstø 2008-06-16 10:39:59 UTC
We agree on the first part then. Starting firefox from a terminal I get stdout/stderr messages at all. Getting it fixed would be a good thing, preferrably upstream I would guess.
Comment 11 Karl Magnus Kolstø 2008-06-16 10:40:41 UTC
It was supposed to be; "Starting firefox from a terminal I get NO stdout/stderr messages at all."
Comment 12 Kai Engert (:kaie) (inactive account) 2008-06-16 12:33:58 UTC
Are you connecting in the form: (a) https://hostname/ or (b) https://hostname:portnumber/ ? If (b), what is the portnumber?
Comment 13 Kai Engert (:kaie) (inactive account) 2008-06-16 12:35:30 UTC
is IPv6 enabled on your machine? Is maybe one hostname getting resolved as ipv4 and the other one at ipv6? (Just making wild guesses)
Comment 14 Karl Magnus Kolstø 2008-06-17 07:40:29 UTC
Hi, Option (b). Not that I can see the particular relevance, but port is 8888 I believe it is. Ifconfig tells me I have an inet6 addr. But that should not really matter. That setup is identical to what we have on fedora 8. And it works there (firefox 2 though) I was about to test one thing regarding search domain in resolv.conf, but now firefox 3b5 doesn't take enter in the address bar. I have seen that problem before, but it went away yesterday. But now it seems to be back. I am able to type text in the address bar, but it doesn't take enter. Kind of strange, really. (yes, I have tested with several keyboards)
Comment 15 Matěj Cepl 2008-06-17 09:13:08 UTC
OK, I am persuaded that there is a bug here. ASSIGNing.
Comment 16 Karl Magnus Kolstø 2008-06-18 10:34:10 UTC
We did investigate a bit further and have found out the following; This is also tested on Firefox 3.0 proper! We see exactly the same problems there as in 3.0b5. If we move the .mozilla directory from the home-dir (CIFS mounted samba filesystem) to a local filesystem (typically ln -s .mozilla) All the problems we have been seeing seems gone. Both the buttons that didn't work and the "enter in the address bar doesn't work" problem mentioned above just seems to just disappeared. This type of solution does not scale very well above a couple of machines and users though (we have users in the thousands and machines in the hundreds), so I hope it is still possible to resolve it. Thanks -- Karl Magnus
Comment 17 Kai Engert (:kaie) (inactive account) 2008-08-06 00:41:42 UTC
Karl Magnus, thanks for letting us know you've found a workaround. Could you please try to reproduce the problem again, and check whether the error console shows any interesting messages, and paste them here? If possible, please clear the error console before you attempt the failing operation, then paste any messages the failing operation produced. Or you could simply attach a file with all the messages from the console. Thanks CC'ing Andrew as this bug is suspected to be related to the firefox profile being stored on a samba/cifs share.
Comment 18 Kai Engert (:kaie) (inactive account) 2008-08-06 00:45:24 UTC
I've reported this issue upstream at https://bugzilla.mozilla.org/show_bug.cgi?id=449316
Comment 19 Andrew Bartlett 2008-08-06 00:54:34 UTC
What is the version of Samba on the server, what is the Linux Kernel version on the client?
Comment 20 Bjørn Tore Sund 2008-08-06 12:16:16 UTC
Samba server is samba-3.0.28-0.4.3 as provided through SLES 10 SP1. We have seen the problem with all versions of the linux kernel provided with FC9, all of which have been 2.6.25-based. -BT
Comment 21 Karl Magnus Kolstø 2008-08-19 09:13:49 UTC
Sorry for keeping you waiting (vacation). Repeating the operation, the error console doesn't give any new messages at all. There where, however, two messages when the browser is started. I'm unsure if they're relevant, so I paste them here just in case; (browser version 3.0.1 by the way) " Error: [Exception... "Component returned failure code: 0x80570016 (NS_ERROR_XPC_GS_RETURNED_FAILURE) [nsIJSCID.getService]" nsresult: "0x80570016 (NS_ERROR_XPC_GS_RETURNED_FAILURE)" location: "JS frame :: file:///usr/lib/firefox-3.0.1/components/nsBrowserGlue.js :: bg__initPlaces :: line 358" data: no] Source File: file:///usr/lib/firefox-3.0.1/components/nsBrowserGlue.js Line: 358 " and " Error: uncaught exception: [Exception... "Component returned failure code: 0x8007000e (NS_ERROR_OUT_OF_MEMORY) [nsIDocShellHistory.useGlobalHistory]" nsresult: "0x8007000e (NS_ERROR_OUT_OF_MEMORY)" location: "JS frame :: chrome://browser/content/browser.js :: prepareForStartup :: line 763" data: no] " Thanks -- Karl Magnus
Comment 22 Karl Magnus Kolstø 2008-08-19 09:30:22 UTC
I did an strace, and even though I'm not so good at reading them, I did notice that several files where dropped in my .mozilla/firefox/<string>.default/ directory. All where named places.sqlite-<number>.corrupt. All where 0 byte files by the way. Maybe that is relevant? Thanks -- Karl Magnus
Comment 23 Bug Zapper 2009-06-10 01:35:16 UTC
This message is a reminder that Fedora 9 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 9. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '9'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 9's end of life. Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 9 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete. The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 24 Kai Engert (:kaie) (inactive account) 2009-06-18 05:16:11 UTC
This bug is known, still unresolved, and being tracked upstream. https://bugzilla.mozilla.org/show_bug.cgi?id=462287