Closed
Bug 701019
Opened 13 years ago
Closed 13 years ago
Allow send of credentials to an authenticating proxy while using LOAD_ANONYMOUS flag
Categories
(Core :: Networking: HTTP, defect, P1)
Tracking
RESOLVED DUPLICATE of bug 627616
People
(Reporter: ruud, Assigned: mayhemer)
References
Details
(Keywords: regression)
Attachments
(3 files)
(deleted), text/plain
(deleted), text/plain
(deleted), patch
Visit http://bankieren.rabobank.nl/klanten/
This website uses an EV-certificate.
After upgrading Firefox to version 8 (previous version 7.0.1) the site identity button is blue instead of green.
If I enable this preference: advanced => encryption => validation => "When an OCSP server connection fails, treat the certificate as invalid", then I get this error message when visiting the website: sec_error_ocsp_bad_http_response
Looking at the HTTP headers, this seems related to the fact that the OCSP request is rejected by our proxy server due to lack of authentication. This does not happen when using Firefox 7.0.1 (not all computers have been upgraded to Firefox 8 yet).
Reporter
Comment 1•13 years ago
Reporter
Comment 2•13 years ago
Correction: URL in the first post is wrong. Correct URL is https://bankieren.rabobank.nl/klanten
Comment 3•13 years ago
I cannot load any HTTPS pages after upgrading to Firefox 8.0.
I have (and had) OCSP validation enabled, including the "When an OCSP server connection fails, treat the certificate as invalid" option. After upgrading from Firefox 7.0.1 to 8.0, however, all OCSP requests to our MS ISA Server proxy are rejected by this proxy with a message saying authentication (my Active Directory credentials) was not supplied. Chrome and IE7 still successfully load HTTPS pages, either because they provide authentication or do not check the OCSP server (I have certificate validation enabled in the Chrome options, but did not see OCSP traffic using Wireshark.)
Here's a sample Wireshark capture of the OCSP traffic to the proxy when trying to connect to Gmail:
POST http://ocsp.thawte.com/ HTTP/1.1
Host: ocsp.thawte.com
User-Agent: Mozilla/5.0 (Windows NT 5.1; rv:8.0) Gecko/20100101 Firefox/8.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-gb,en-nz;q=0.9,en;q=0.8,en-us;q=0.7,nl;q=0.6,de-de;q=0.5,de;q=0.4,fr-fr;q=0.3,fr;q=0.2,cs;q=0.1
Accept-Encoding: gzip, deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
DNT: 1
Proxy-Connection: keep-alive
Content-Length: 115
Content-Type: application/ocsp-request
<<request data removed>>
HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )
Via: 1.1 OURPROXY
Proxy-Authenticate: Negotiate
Proxy-Authenticate: Kerberos
Proxy-Authenticate: NTLM
Connection: Keep-Alive
Proxy-Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 4117
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE>Error Message</TITLE>
Comment 4•13 years ago
The problem is LOAD_ANONYMOUS doesn't do the correct thing.
See http://adblockplus.org/blog/why-you-do-not-want-to-use-the-load_anonymous-flag.
There are other bugs filed about the same problem with LOAD_ANONYMOUS, e.g. bug 627616 that require the same solution: Have LOAD_ANONYMOUS skip HTTP authentication and have it avoid sending cookies, but don't have it skip HTTP proxy authentication.
Assignee: nobody → bsmith
Keywords: regression, sec-review-needed
Priority: -- → P1
Summary: EV-cert, but "Site identity button" is blue or sec_error_ocsp_bad_http_response → OCSP requests through an authenticating proxy fail due to use of LOAD_ANONYMOUS flag; when strict OCSP checking is enabled, all HTTPS pages fail to load
Target Milestone: --- → Firefox 11
Updated•13 years ago
Severity: normal → major
OS: Windows XP → All
Hardware: x86 → All
Updated•13 years ago
status1.9.2: --- → unaffected
status-firefox10: --- → affected
status-firefox11: --- → affected
status-firefox7: --- → affected
status-firefox8: --- → affected
status-firefox9: --- → affected
tracking-firefox10: --- → ?
tracking-firefox11: --- → ?
tracking-firefox9: --- → ?
Target Milestone: Firefox 11 → Firefox 9
Assignee
Comment 5•13 years ago
Simply said: LOAD_ANONYMOUS should not affect Proxy-Authorization header, right? It means to change nsHttpChannelAuthProvider::ProcessAuthentication.
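The LOAD_ANONYMOUS semantics argued for in comments 4 and 5, as an added C++ illustration that is not Gecko's code: two decision functions, the Firefox 8 behaviour the reporter observed (an anonymous channel answers no challenge) beside the proposed one (proxy challenges are still answered), run over a constructed copy of the ISA Server 407 reply quoted in comment 3. The flag value, the function names and the small header parser are assumptions of this example.

```cpp
#include <sstream>
#include <string>
#include <vector>

// Flag values are assumptions of this example, not Gecko's nsIRequest constants.
enum : unsigned { LOAD_NORMAL = 0, LOAD_ANONYMOUS = 1u << 14 };
// Status code from the first line of a raw HTTP response head.
int statusCode(const std::string& head) {
    std::istringstream in(head);
    std::string version; int code = 0;
    in >> version >> code;
    return code;
}
// Values of every header line named `name` (exact-case match is enough here).
std::vector<std::string> headerValues(const std::string& head, const std::string& name) {
    std::vector<std::string> out;
    std::istringstream in(head);
    std::string line;
    while (std::getline(in, line)) {
        if (!line.empty() && line.back() == '\r') line.pop_back();
        if (line.compare(0, name.size() + 1, name + ":") != 0) continue;
        size_t p = line.find_first_not_of(' ', name.size() + 1);
        out.push_back(p == std::string::npos ? "" : line.substr(p));
    }
    return out;
}
// Firefox 8 behaviour as the reporter saw it: an anonymous channel answers no
// challenge at all, so the proxy's 407 is never satisfied and the OCSP fetch fails.
bool attemptsAuthBefore(unsigned flags, const std::string& head) {
    if (flags & LOAD_ANONYMOUS) return false;
    int s = statusCode(head);
    return (s == 401 && !headerValues(head, "WWW-Authenticate").empty()) ||
           (s == 407 && !headerValues(head, "Proxy-Authenticate").empty());
}
// Semantics proposed in comments 4 and 5: LOAD_ANONYMOUS still withholds
// origin-server credentials, but a 407 Proxy-Authenticate challenge is answered.
bool attemptsAuthAfter(unsigned flags, const std::string& head) {
    int s = statusCode(head);
    if (s == 407) return !headerValues(head, "Proxy-Authenticate").empty();
    if (s == 401) return !(flags & LOAD_ANONYMOUS) && !headerValues(head, "WWW-Authenticate").empty();
    return false;
}

// Constructed sample: the ISA Server reply quoted in comment 3, trimmed to its challenge.
const std::string kProxyChallenge =
    "HTTP/1.1 407 Proxy Authentication Required\r\nVia: 1.1 OURPROXY\r\n"
    "Proxy-Authenticate: Negotiate\r\nProxy-Authenticate: Kerberos\r\n"
    "Proxy-Authenticate: NTLM\r\nConnection: Keep-Alive\r\n\r\n";
```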
Assignee
Comment 7•13 years ago
Changing the summary because this is a more general problem.
Summary: OCSP requests through an authenticating proxy fail due to use of LOAD_ANONYMOUS flag; when strict OCSP checking is enabled, all HTTPS pages fail to load → Allow send of credentials to an authenticating proxy while using LOAD_ANONYMOUS flag
Assignee
Updated•13 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 8•13 years ago
Honza, I think we should back out the patch that caused this and nominate it for mozilla-beta and mozilla-aurora and . Then, we can fix the problem more generally. I think it is more complicated than changing the meaning of LOAD_ANONYMOUS for proxies. I.e. I am not sure we can/should change the meaning of LOAD_ANONYMOUS. We should fix the regression before taking more time to figure out exactly what to do long-term.
Assignee
Comment 9•13 years ago
(In reply to Brian Smith (:bsmith) from comment #8)
> Honza, I think we should back out the patch that caused this and nominate it
> for mozilla-beta and mozilla-aurora and . Then, we can fix the problem more
> generally. I think it is more complicated than changing the meaning of
> LOAD_ANONYMOUS for proxies. I.e. I am not sure we can/should change the
> meaning of LOAD_ANONYMOUS. We should fix the regression before taking more
> time to figure out exactly what to do long-term.
What is the regression bug/patch you want to back out?
Comment 10•13 years ago
Honza, here is my WIP. I didn't even try to build it and I am not sure what other things need to be changed. Thanks for taking this bug.
Updated•13 years ago
Assignee: bsmith → honzab.moz
Clearing sec-review flag; this likely needs careful testing from QA, but we don't see direct action for us.
Keywords: sec-review-needed
Comment 12•13 years ago
What's the status on this? I just turned mandatory OCSP checking back on in Firefox 9.0.1 and I don't see any problems so far.
Comment 13•13 years ago
The patch that caused this regression was backed out. This bug is for restoring the change in that patch in a way that doesn't cause this regression.
Assignee
Comment 14•13 years ago
(In reply to bugzilla_moz.20.ibyte from comment #12)
> What's the status on this? I just turned mandatory OCSP checking back on in
> Firefox 9.0.1 and I don't see any problems so far.
Just for ref: Bug 703024.
Updated•13 years ago
Component: Security → Networking
Product: Firefox → Core
QA Contact: firefox → networking
Target Milestone: Firefox 9 → ---
Updated•13 years ago
Component: Networking → Networking: HTTP
QA Contact: networking → networking.http
Assignee
Updated•13 years ago
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → DUPLICATE