Closed Bug 92475 Opened 23 years ago Closed 22 years ago

Need error msg for expired CRLs. Was: Can't check account status at Amazon

Categories

(Core Graveyard :: Security: UI, defect, P1)

1.0 Branch
defect

Tracking

(Not tracked)

VERIFIED WORKSFORME
Future

People

(Reporter: lord, Assigned: ddrinan0264)

Details

Attachments

(5 files)

While trying to view my account status at Amazon, I am unable to login. To reproduce: -Go to http://www.amazon.com/ -Click on Your Account (top right) -Click on the GO! next to "my recent orders and transactions" -Enter email address and password -Click "Sign in using our secure server" Expected results: You'd be logged in. Observed results: Nothing happens.
Priority: -- → P1
Target Milestone: --- → 2.1
Others are having a hard time reproducing this, but I can only get to some SSL sites, even with a new profile. Marking Blocker. We need to get this cleared up before we branch for 0.9.3. junruh: please see if you can reproduce this problem on Win2k. You'll need to visit a lot of external HTTPS sites to find one that triggers this problem.
Severity: normal → blocker
->ddrinan
Assignee: ssaux → ddrinan
This is caused by an expired CRL. We should be putting up an error message in this case. The workaround for the moment is to remove the CRL from the profile. I'm removing this as a blocker.
Severity: blocker → critical
Update Summary to reflect actual problem.
Summary: Can't check account status at Amazon → Need error msg for expired CRLs. Was: Can't check account status at Amazon
Mass assigning QA to ckritzer.
QA Contact: junruh → ckritzer
Attached patch Patch for review. (deleted) — Splinter Review
Keywords: patch
A couple of notes: 1) These should all have absolute paths after for src (like help.js) and should all say type="application/x-javascript" as well. +<script src="chrome://global/content/strres.js" /> +<script src="pippki.js" /> +<script src="serverCrlExpired.js" /> +<script type="application/x-javascript" src="chrome://help/content/help.js" /> 2) According to Bug 88328, we shouldn't have 'width' or orient set on any buttons. The theme should decide how bug our buttons are. Fix these 2 issues, and r=javi
Attached patch Updated patch. (deleted) — Splinter Review
Keywords: review
sr=blizzard
Fixed checked in.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
On Wink2 2001-08-10-10-trunk build: Following Lord's steps, I at least got an dialog saying "Connection refused" (or something close to it) the *first* time I tried to connect. Subsequent re- submissions (clicking the submit button again and again and again) gave me no dialogs, and only a watch cursor for a few seconds. I tried this on MacOSX 2001-08-10-05-trunk build, and had no problems. Fix was checked in on 2001-08-09 15:32 so I'm reopening - Sorry David!
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
The way I understand this bug, one can't connect to sites whose ssl cert is governed by a crl that has expired. The fix is to show a dialog in that case rather than failing silently. To verify the fix, one needs to install an expired CRL, which applies to a known site, then go and visit said site, and see that rather than failing silently we get the dialog that David created. QA please revisit this.
Marking back as FIXED until there's either a compelling case for REOPENED or it's VERIFIED.
Status: REOPENED → RESOLVED
Closed: 23 years ago23 years ago
Resolution: --- → FIXED
There is no such thing as an expired cert. Please see bug 94013 for details. This code and UI needs to take that into account. nextUpdate time does not mean "expired". Reopening.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Attached patch Patch for review. (deleted) — Splinter Review
+ rv = NS_ERROR_FAILURE;; remove the extra ; + <button id="ok-button" class="dialog" label="&ok.label;" primary="true" + onclick="doOK();" disabled="false"/> you shouldn't need to set disabled=false on buttons +<!ENTITY serverCrlNextupdate.message "Please ask your system administrator for assistance"> This is a bit unhelpful for a home user, but I can't think of anything better at the moment, so this will be ok. Fix the first two items I mentioned and r=bryner.
Attached patch Updated patch. (deleted) — Splinter Review
Check if you need flex in the xul. Other than that, sr=tor.
Attached patch Updated patch with flex in xul. (deleted) — Splinter Review
Keywords: reviewapproval
a=asa on behalf of drivers
Patch checked in. Marking FIXED.
Status: REOPENED → RESOLVED
Closed: 23 years ago23 years ago
Resolution: --- → FIXED
In order to test this, download the the RSASecureServer.crl file from crl.verisign.com and host the file on a web server that has the mime type application/x-pkcs7-crl. Download the crl into your browser, set your computer clock forward by about 6 months and then visit https://www.verisign.com.
There are multiple problems with the xul in this patch, so reopening. First of all, though, why must this alert be hand-rolled? Why can't it use the existing CommonDialog infrastructure? In the future, please have someone intimately familiar with xul review a change such as this.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Making future. What specific problems are there for this dialog. Is the functionality broken?
Target Milestone: 2.1 → Future
OS > all
OS: Windows 2000 → All
QA Contact: ckritzer → junruh
Hardware: PC → All
Version: 2.0 → 2.1
I am also seeing this problem when trying to access my account on www.amazon.co.uk. To reproduce: - go to http://www.amazon.co.uk - click on the "Sign In" link - enter username and password - click "continue using secure server" Actual result: dialog warning: "www.amazon.co.uk was not found. Please check the name and try again." Expected result: account home page loaded O/S WinNT SP5 Mozilla 0.9.5 Build ID: 2001101117 I am yet to find a site using SSL that I _can_ access.
Please ignore previous comment. I've just discovered I had not created the correct entry for the SSL proxy; I can now access SSL sites. Apologies.
I this still an issue? I am able to connect to https sites, although I have an expired CRL for the CA that issued that sites cert. Marking worksforme. Please verify. As I believe, we no longer inhibit connecting to a site because of an expired CRL, we do not need an error message for that situation.
Status: REOPENED → RESOLVED
Closed: 23 years ago22 years ago
Resolution: --- → WORKSFORME
Verified.
Status: RESOLVED → VERIFIED
Product: PSM → Core
Version: psm2.1 → 1.0 Branch
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: