Bug 703024 - Back out bug 662996 (OCSP requests leak cookies) because of bug 701019
Status: Closed (VERIFIED FIXED)
Opened 13 years ago, closed 13 years ago
Categories: Core :: Security: PSM, defect
Target milestone: mozilla9

Tracking:

Version | Tracking | Status
---|---|---
firefox8 | --- | affected
firefox9 | + | verified
firefox10 | + | verified
firefox11 | + | verified
status1.9.2 | --- | unaffected
status1.9.1 | --- | unaffected

People: Reporter: briansmith, Assigned: mayhemer
Keywords: privacy, verified-beta
Whiteboard: [qa!]

Attachments (1 file):
patch (attachment 574972, v1; deleted) - briansmith: review+; akeybl: approval-mozilla-aurora+; akeybl: approval-mozilla-beta+; mayhemer: checkin+
+++ This bug was initially created as a clone of Bug #662996 +++
(In reply to Ruud van Melick from bug 701019 comment 0)
> Created attachment 573192 [details]
> Firefox 8 - HTTP headers captured with Live HTTP Headers add-on
>
> Visit http://bankieren.rabobank.nl/klanten/
> This website uses an EV-certificate.
>
> After upgrading Firefox to version 8 (previous version 7.0.1) the site
> identity button is blue instead of green.
>
> If I enable this preference: advanced => encryption => validation => "When
> an OCSP server connection fails, treat the certificate as invalid", then I
> get this error message when visiting the website:
> sec_error_ocsp_bad_http_response
>
> Looking at the HTTP headers, this seems related to the fact that the OCSP
> request is rejected by our proxy server due to lack of authentication. This
> does not happen when using Firefox 7.0.1 (not all computers have been
> upgraded to Firefox 8 yet).
Comment 1 • Reporter (briansmith), 13 years ago
OCSP doesn't work when the user is going through an authenticating HTTP proxy. Either we will silently ignore the OCSP failure (default behavior), or almost every HTTPS site will stop working for said user.
Comment 2 • Assignee (mayhemer), 13 years ago
Do you have arguments for backing this out rather than fixing the actual bug 701019? I still miss it and therefore I'm strongly against.
Comment 3 • Reporter (briansmith), 13 years ago
1. We should do this as a ride-along to any 8.0.2 release. I don't think we should land anything more complicated than the backout for 8.0.2.
2. Similarly, I don't think we should land a fix for 701019 on mozilla-beta, but we should fix the regression for mozilla-beta.
3. More generally, it isn't clear that we can just change what LOAD_ANONYMOUS means yet, I don't have time to think about that right now, but we should fix the regression ASAP on mozilla-central and mozilla-aurora.
Comment 4 • 13 years ago
(In reply to Brian Smith (:bsmith) from comment #1)
> OCSP doesn't work when the user is going through an authenticating HTTP
> proxy.
Brian, this really surprises me.
The whole motivation for the addition of the SSL thread had been to support OCSP through proxies, and the last time I had tested it, that used to work.
Why do you think it doesn't work? Have you tested it?
In particular, which is the oldest version where this regressed?
Comment 5 • Assignee (mayhemer), 13 years ago
Thanks Brian. Now I understand. I had to take a look at the target milestone of bug 662996 first.
I agree now. I'll have a patch for this soon.
Comment 6 • Assignee (mayhemer), 13 years ago
Commenting out the code added in bug 662996.
Kai, the regression we are trying to quickly fix here is that an OCSP request cannot go with the LOAD_ANONYMOUS flag set through a proxy requiring authentication. It causes a blue Larry for EV certs. This regressed in Firefox 8, where bug 662996 landed.
This will be fully fixed in bug 701019 because there are also other issues caused by incorrect behavior of the LOAD_ANONYMOUS flag (as I see it). That fix needs a security review first and is expected to be too risky for Aurora, Beta, Release.
Attachment #574972 - Flags: review?(kaie)
Updated • 13 years ago (Reporter): Attachment #574972 - Flags: review?(kaie) → review+
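The failure mode comment 6 describes is a scoping problem: the flag that stops the OCSP fetch from carrying the user's cookies to the responder also stops it from carrying the credentials an authenticating HTTP proxy needs, so the proxy answers 407 and the fetch fails. The model below is an added illustration, not Firefox/PSM code and not the bug 701019 fix: the policy names, the CredentialStore, the simulated proxy and the sample cookie and proxy credential are all assumptions made for the example. It shows the pre-bug-662996 behaviour (cookies leak, proxy auth works), the Firefox 8 behaviour this bug backs out (no cookies, but 407 at the proxy, which the UI shows as a blue identity button by default or as sec_error_ocsp_bad_http_response when OCSP failures are treated as hard errors), and a hypothetical policy that drops only origin credentials.

```python
"""Model of the OCSP-through-authenticating-proxy regression discussed in
bug 703024.  Added illustration only; not Gecko/PSM code.  Policy names,
header handling and the proxy simulation are this example's assumptions."""
from dataclasses import dataclass, field
from typing import Dict, Optional
from urllib.parse import urlparse

# Request policies modelled here (names are the example's, not Gecko flag names).
LEGACY = "legacy"                              # before bug 662996: cookies + proxy auth
ANONYMOUS = "anonymous"                        # bug 662996 as shipped in Firefox 8
ANON_KEEP_PROXY = "anonymous-keep-proxy-auth"  # hypothetical: drop origin creds only


@dataclass
class CredentialStore:
    """Cookies keyed by responder host, plus the proxy credential (assumed layout)."""
    cookies: Dict[str, str] = field(default_factory=dict)
    proxy_auth: Optional[str] = None


@dataclass
class Request:
    url: str
    headers: Dict[str, str] = field(default_factory=dict)


def build_ocsp_request(responder_url: str, store: CredentialStore, policy: str) -> Request:
    """Assemble the headers an OCSP POST would carry under each policy."""
    host = urlparse(responder_url).hostname
    headers = {"Content-Type": "application/ocsp-request"}
    send_cookies = policy == LEGACY
    send_proxy_auth = policy in (LEGACY, ANON_KEEP_PROXY)
    if send_cookies and host in store.cookies:
        headers["Cookie"] = store.cookies[host]        # the leak bug 662996 addressed
    if send_proxy_auth and store.proxy_auth:
        headers["Proxy-Authorization"] = store.proxy_auth
    return Request(responder_url, headers)


class AuthenticatingProxy:
    """Simulated corporate proxy: every request must carry Proxy-Authorization."""

    def __init__(self, expected: str) -> None:
        self.expected = expected

    def forward(self, req: Request) -> int:
        if req.headers.get("Proxy-Authorization") != self.expected:
            return 407                                  # Proxy Authentication Required
        return 200                                      # stand-in for the responder's answer


def identity_outcome(status: int, strict_ocsp: bool) -> str:
    """What the user sees, following comment 1 and the quoted report in comment 0."""
    if status == 200:
        return "green (EV)"
    if strict_ocsp:                                     # "treat the certificate as invalid"
        return "sec_error_ocsp_bad_http_response"
    return "blue (EV downgraded, OCSP failure ignored)"


def check_ev(policy: str, strict_ocsp: bool = False) -> dict:
    """Run one OCSP fetch through the simulated proxy and report what happened."""
    store = CredentialStore(
        cookies={"ocsp.example.test": "session=abc123"},   # constructed sample cookie
        proxy_auth="Basic dXNlcjpzZWNyZXQ=",                # constructed, user:secret
    )
    proxy = AuthenticatingProxy(store.proxy_auth)
    req = build_ocsp_request("http://ocsp.example.test/", store, policy)
    status = proxy.forward(req)
    return {
        "leaked_cookie": "Cookie" in req.headers,
        "status": status,
        "ui": identity_outcome(status, strict_ocsp),
    }


if __name__ == "__main__":
    for policy in (LEGACY, ANONYMOUS, ANON_KEEP_PROXY):
        print(policy, check_ev(policy), "| strict:", check_ev(policy, True)["ui"])
```

Only the third policy gets both properties the thread wants (no cookie to the responder, and a 200 through the proxy); the backout in this bug restores the first, trading the cookie leak for working OCSP until bug 701019 can separate the two credential scopes properly.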
Comment 7 • Assignee (mayhemer), 13 years ago
Comment on attachment 574972 [details] [diff] [review]
v1
https://hg.mozilla.org/integration/mozilla-inbound/rev/18f70e33e444
Attachment #574972 - Flags: checkin+
Updated • 13 years ago (Assignee): Attachment #574972 - Flags: approval-mozilla-beta?, approval-mozilla-aurora?
Updated • 13 years ago (Assignee): Target Milestone: --- → mozilla11
Comment 8 • 13 years ago
Comment on attachment 574972 [details] [diff] [review]
v1
[Triage Comment]
For anybody just joining us, this is basically a full backout of bug 662996 (albeit by commenting out the change). Approving for Aurora/Beta, pending landing on m-c first.
Please land this ASAP to make it into today's build.
Attachment #574972 - Flags: approval-mozilla-beta? → approval-mozilla-beta+
Attachment #574972 - Flags: approval-mozilla-aurora? → approval-mozilla-aurora+
Comment 9 • Assignee (mayhemer), 13 years ago
https://hg.mozilla.org/releases/mozilla-aurora/rev/417f8f91c250
https://hg.mozilla.org/releases/mozilla-beta/rev/d67013733acb
Target Milestone: mozilla11 → mozilla9
Updated • 13 years ago
Comment 10 • 13 years ago
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Comment 11 • 13 years ago
I have tried this with https://www.verisign.com on:
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:9.0) Gecko/20100101 Firefox/9.0 beta 6
Mozilla/5.0 (Windows NT 6.1; rv:9.0) Gecko/20100101 Firefox/9.0 beta 6
Mozilla/5.0 (X11; Linux x86_64; rv:9.0) Gecko/20100101 Firefox/9.0 beta 6
The secure connection notification appears.
Setting resolution to Verified Fixed on Beta.
Keywords: verified-beta
Whiteboard: [qa+] → [qa+][qa!:9]
Comment 12 • 13 years ago
I have tried this using the link from the description and the secure notification is present (green site identity button).
I get no error with the pref activated: "When an OCSP server connection fails, treat the certificate as invalid". (It's deactivated by default.)
Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0 beta 6
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:10.0) Gecko/20100101 Firefox/10.0 beta 6
Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0 beta 6
Setting resolution to Verified Fixed.
Whiteboard: [qa+][qa!:9] → [qa+][qa!:9][qa!:10]
Comment 13 • 13 years ago
Marking as fixed for Firefox 11 since this landed while 11 was on m-c.
Comment 14 • 13 years ago
Setting this Verified Fixed on Firefox 11 beta on
Mozilla/5.0 (X11; Linux i686; rv:11.0) Gecko/20100101 Firefox/11.0 beta 3
Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:11.0) Gecko/20100101 Firefox/11.0 beta 3
Mozilla/5.0 (Windows NT 6.1; rv:11.0) Gecko/20100101 Firefox/11.0 beta 3
I've followed the steps from comment 11 and comment 12; the secure notification is present (green site identity button), and I also get no error with the pref activated: "When an OCSP server connection fails, treat the certificate as invalid". (It's deactivated by default.)
Status: RESOLVED → VERIFIED
Whiteboard: [qa+][qa!:9][qa!:10] → [qa!]
Updated • 12 years ago: tracking-fennec: ? → ---; tracking-firefox8: ? → ---