Closed
Bug 255291
Opened 20 years ago
Closed 20 years ago
OCSP validation failure, -5961, because proxies are not used although they should be
Categories
(Core Graveyard :: Security: UI, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 111384
People
(Reporter: zimon, Assigned: darin.moz)
References
()
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040210 Firefox/0.8
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040210 Firefox/0.8
I get error code -5961 and the sites refuse to work.
I use "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6)" and Firefox v0.8.
I also tried with Firefox 0.9.3 and with Mozilla 1.7.2.
The same bug is still there.
The bug seems to trigger if proxies are used.
I use an autoproxy script (autoproxy.pac), which tries to forward most of the
connections through a proxy that uses a TCP port other than 80. Outgoing traffic
to port 80/tcp is blocked by a firewall.
Manual proxy configuration also causes the same problem with OCSP.
When proxies are used, OCSP validation is enabled, and I try to connect to some
HTTPS site, Firefox/Mozilla somehow do not use the proxies I have in the
settings. Instead they try to open a direct TCP connection for OCSP, bypassing
the proxy, so the firewall reports something like this:
Aug 11 11:54:42 localhost kernel: IT out rej rest IN= OUT=eth0 SRC=<my_host_ip_here> DST=12.166.243.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4096DF PROTO=TCP SPT=45975 DPT=80 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0
12.166.243.30 is one of Verisign's IP addresses.
So the autoproxy settings are not used for OCSP? A bug or a feature?
For example, trying with the mentioned settings to connect to the URI
<https://swww.canada.etrade.com/login.shtml>, I get this dialog window:
"Error establishing an encrypted connection to swww.canada.etrade.com. Error
Code: -5961"
When [OK] is hit, I get this dialog window:
"The Document contains no data."
Reproducible: Always
Steps to Reproduce:
1. Set up a manual proxy for HTTP with a port number other than 80/tcp
2. Block outgoing traffic to port 80/tcp with a firewall and enable logging.
3. Enable OCSP checking in the browser's settings
4. Surf to https://swww.canada.etrade.com/login.shtml
Actual Results:
"Error establishing an encrypted connection to swww.canada.etrade.com. Error
Code: -5961"
Expected Results:
The site should work and the HTTPS connection should be made.
If OCSP is disabled, it works.
This bug is somewhat related to bug 130885 and I first tried to report this bug
there in the comments.
http://bugzilla.mozilla.org/show_bug.cgi?id=130885
Example /tmp/autoproxy.pac file (loaded as file:///tmp/autoproxy.pac):
function FindProxyForURL(url, host)
{
    // send every URL through the proxy, which listens on a port other than 80
    return "PROXY proxyIPaddressHere:8081";
}
Example iptables commands to block and log outgoing traffic to 80/tcp
(the LOG rule is inserted second, so it sits above the REJECT rule and fires first):
iptables -I OUTPUT -j REJECT -p tcp --dport 80
iptables -I OUTPUT -j LOG -p tcp --dport 80 --log-prefix "IT out rej tcp80 "
This line:
"Steps to Reproduce:
1. Set up a manual proxy for HTTP with a port number other than 80/tcp"
should be...
"Steps to Reproduce:
1. Set up a manual proxy for HTTP and HTTPS with a port number other than
80/tcp"
Comment 2•20 years ago
Crypto bugs are not Browser bugs. Use the PSM or NSS products when filing
crypto bugs.
Anyway, this is a known limitation. OCSP and proxies do not mix.
*** This bug has been marked as a duplicate of 111384 ***
Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Component: Networking: HTTP → Client Library
Product: Browser → PSM
Resolution: --- → DUPLICATE
Version: Trunk → 2.4
Well, the OCSP traffic seems to be just HTTP/1.0 traffic, not HTTPS (I looked
through it in Ethereal), so I thought this was just a proxy bug, because the
proxy is forgotten in this situation. And Bugzilla suggested that problems with
proxies should be filed under Browser + HTTP bugs. Well, ok, PSM in this
situation just uses HTTP instead of HTTPS to complete the job.
The browser sends "POST / HTTP/1.0" with all the usual HTTP headers to the OCSP
site (ocsp.verisign.com) and the server sends "HTTP/1.0 200 OK" after the
HTTP request. Then the TCP connection is closed. Looking quickly, I don't see
any obstacle to using the proxy.
But yes, I see it is a bug in OCSP if they don't define in the RFC how proxies
could or MAY be used.
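Added example (not code from this bug report or from Mozilla/PSM): what a proxy-aware client should do for the OCSP POST described in the comment above, next to the direct connection the reporter saw in the firewall log. A client that honours the PAC result connects to the proxy and sends an absolute-URI request line; the buggy path connects to the responder on port 80 directly. The last function flags that symptom from an iptables LOG line shaped like the one in the report. Assumptions that are not in the original: the proxy address 192.0.2.10:8081 and source address 192.0.2.1 are documentation-range placeholders, and the request body is a constructed byte string standing in for a real DER-encoded OCSPRequest.

```javascript
// The reporter's one-line PAC, with a placeholder (documentation-range) proxy address.
function FindProxyForURL(url, host) {
  return "PROXY 192.0.2.10:8081";
}

// Turn the first directive of a PAC result ("PROXY host:port" or "DIRECT")
// into a connect target.
function parsePacResult(result) {
  const first = result.split(";")[0].trim();
  if (first === "DIRECT") return { type: "DIRECT" };
  const m = /^PROXY\s+([^\s:]+):(\d+)$/.exec(first);
  if (!m) throw new Error("unsupported PAC directive: " + first);
  return { type: "PROXY", host: m[1], port: Number(m[2]) };
}

// Plan the TCP connection and the HTTP/1.0 request for an OCSP POST
// (RFC 2560 Appendix A framing: POST, Content-Type application/ocsp-request).
// Through a proxy: connect to the proxy and put the absolute URI in the
// request line. Direct: connect to the responder (port 80 by default) and use
// the origin-form path, which is the "POST / HTTP/1.0" the reporter captured.
function planOcspRequest(responderUrl, derRequest, route) {
  const u = new URL(responderUrl);
  if (u.protocol !== "http:") throw new Error("OCSP responder URL must be http:");
  const path = (u.pathname || "/") + u.search;
  let connectHost, connectPort, target;
  if (route.type === "PROXY") {
    connectHost = route.host;
    connectPort = route.port;
    target = `http://${u.host}${path}`;
  } else {
    connectHost = u.hostname;
    connectPort = Number(u.port || 80);
    target = path;
  }
  const head =
    [
      `POST ${target} HTTP/1.0`,
      `Host: ${u.host}`,
      "Content-Type: application/ocsp-request",
      `Content-Length: ${derRequest.length}`,
      "Connection: close",
    ].join("\r\n") + "\r\n\r\n";
  return {
    connectHost,
    connectPort,
    request: Buffer.concat([Buffer.from(head, "latin1"), derRequest]),
  };
}

// Parse the KEY=VALUE fields of an iptables LOG line into an object.
function parseIptablesLog(line) {
  const fields = {};
  for (const m of line.matchAll(/\b([A-Z]+)=(\S*)/g)) fields[m[1]] = m[2];
  return fields;
}

// With a proxy configured, any outbound TCP SYN that is not aimed at the
// proxy is the symptom from the report: the client went direct.
function isProxyBypass(fields, route) {
  if (route.type !== "PROXY") return false;
  const toProxy = fields.DST === route.host && Number(fields.DPT) === route.port;
  return fields.PROTO === "TCP" && !toProxy;
}

// Constructed log line modelled on the one in the report (source address is a placeholder).
const SAMPLE_LOG_LINE =
  "Aug 11 11:54:42 localhost kernel: IT out rej rest IN= OUT=eth0 SRC=192.0.2.1 " +
  "DST=12.166.243.30 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=4096DF PROTO=TCP " +
  "SPT=45975 DPT=80 WINDOW=5840 RES=0x00 CWR ECE SYN URGP=0";

function main() {
  const route = parsePacResult(FindProxyForURL("http://ocsp.verisign.com/", "ocsp.verisign.com"));
  // Constructed placeholder body; a real client would DER-encode an OCSPRequest here.
  const body = Buffer.from([0x30, 0x03, 0x0a, 0x01, 0x00]);
  for (const r of [route, { type: "DIRECT" }]) {
    const plan = planOcspRequest("http://ocsp.verisign.com/", body, r);
    console.log(`${r.type}: connect ${plan.connectHost}:${plan.connectPort}, ` +
      `request line "${plan.request.toString("latin1").split("\r\n")[0]}"`);
  }
  console.log("proxy bypass seen in firewall log:", isProxyBypass(parseIptablesLog(SAMPLE_LOG_LINE), route));
}

main();
```

Run with `node`; the PROXY plan connects to the proxy port rather than 80, so the REJECT rule from the report would never see it, while the DIRECT plan reproduces the logged SYN to DPT=80.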
Updated•8 years ago
Product: Core → Core Graveyard