Bug 13563

Summary: Firefox does not give possibility to load a https page when there is a "sec_error_cert_not_in_name_space" error
Product: Mageia Reporter: andre salaun <andresalaun>
Component: RPM PackagesAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact:
Severity: major    
Priority: Normal CC: fundawang, luigiwalser, marja11, oe, rverschelde, sysadmin-bugs, tmb
Version: 4Keywords: Triaged, UPSTREAM, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
URL: http://sacoche.ac-caen.fr
See Also: https://bugzilla.mozilla.org/show_bug.cgi?id=1028647
https://bugzilla.mozilla.org/show_bug.cgi?id=952572
Whiteboard: MGA3TOO advisory mga3-32-ok mga3-64-ok MGA4-32-OK MGA4-64-OK
Source RPM: nss CVE:
Status comment:

Description andre salaun 2014-06-21 13:05:41 CEST 
Description of problem:
Impossible to connect https web site

Version-Release number of selected component (if applicable):
All firefox versions on mga 3 and 4 i586 and x86_64

How reproducible:
Go to this page :
https://sacoche.ac-caen.fr
You see : 
***********************
Ãchec de la connexion sécurisée

Une erreur est survenue pendant une connexion à sacoche.ac-caen.fr. L'autorité de certification pour ce certificat n'est pas autorisé à délivrer un certificat avec ce nom. (Code d'erreur : sec_error_cert_not_in_name_space)

    La page que vous essayez de consulter ne peut pas être affichée car l'authenticité des données reçues ne peut être vérifiée.
    Veuillez contacter les propriétaires du site web pour les informer de ce problème. Vous pouvez également utiliser la commande dans le menu d'aide pour signaler un site non fonctionnel.
*******************

And no button to force acceptation.

Steps to Reproduce:
1.Go to this page :
https://sacoche.ac-caen.fr

2.
You see : 
***********************
Ãchec de la connexion sécurisée

Une erreur est survenue pendant une connexion à sacoche.ac-caen.fr. L'autorité de certification pour ce certificat n'est pas autorisé à délivrer un certificat avec ce nom. (Code d'erreur : sec_error_cert_not_in_name_space)

    La page que vous essayez de consulter ne peut pas être affichée car l'authenticité des données reçues ne peut être vérifiée.
    Veuillez contacter les propriétaires du site web pour les informer de ce problème. Vous pouvez également utiliser la commande dans le menu d'aide pour signaler un site non fonctionnel.
*******************

3.And no button to force acceptation.

No problem under Debian, Ubuntu, Opensuse,Centos
No problem with Opera
With Chromium there is a button to add an exception
With firefox from Mozilla site (on the sames machines) no problem.

Only the couple Mageia3 ou 4 (but not mageia2) / Firefox (from Mga) stops the access (I suppose others sites like that one can be found)

It seems there is a compilation choice problem under Mageia 3 / 4


Reproducible: 

Steps to Reproduce:
Comment 1 Marja Van Waes 2014-06-21 16:15:11 CEST 
Looks like https://bugzilla.mozilla.org/show_bug.cgi?id=943937

However, the site mentioned there doesn't have the problem any more

CC: (none) => marja11
Version: 4 => Cauldron
See Also: (none) => https://bugzilla.mozilla.org/show_bug.cgi?id=943937
Whiteboard: (none) => MGA4TOO MGA3TOO

Marja Van Waes 2014-06-21 16:16:28 CEST

Summary: Cannot connect https web site => Firefox does not give UI access to cert when connection fails with namespace error

Comment 2 andre salaun 2014-06-21 17:23:07 CEST 
(In reply to Marja van Waes from comment #1)
> Looks like https://bugzilla.mozilla.org/show_bug.cgi?id=943937
> 
> However, the site mentioned there doesn't have the problem any more

Yes I confirm it still has the problem for me at this time but not with firefox 30 from Mozilla.
Comment 3 Marja Van Waes 2014-06-21 17:57:27 CEST 
(In reply to andre salaun from comment #2)
> (In reply to Marja van Waes from comment #1)
> > Looks like https://bugzilla.mozilla.org/show_bug.cgi?id=943937
> > 
> > However, the site mentioned there doesn't have the problem any more
> 
> Yes I confirm it still has the problem for me at this time but not with
> firefox 30 from Mozilla.

you mean that with Mageia's Firefox this link
https://mailhost.icec.ti-edu.ch/Login.aspx?ReturnUrl=%2fdefault.aspx

doesn't give you the page with (at the bottom!) the "I understand the risks" -- "Add an exception" option? In the technical details I can see the error has changed there since the upstream bug report was filed, now it is "sec_error_ca_cert_invalid"

I wouldn't want us to just show a page without any error if there is something wrong with a certificate, but it would be nice to be able to add an exception for 
"sec_error_cert_not_in_name_space" pages, too.

Keywords: (none) => UPSTREAM
Summary: Firefox does not give UI access to cert when connection fails with namespace error => Firefox does not give UI access to cert when connection fails with "sec_error_cert_not_in_name_space" error

Comment 4 Marja Van Waes 2014-06-21 18:12:04 CEST 
ouch, I'm waking up

FF can't give access to a certificate, if it isn't there at all.

Summary: Firefox does not give UI access to cert when connection fails with "sec_error_cert_not_in_name_space" error => Firefox does not give possibility to load a https page when there is a "sec_error_cert_not_in_name_space" error

Comment 5 andre salaun 2014-06-21 18:36:23 CEST 
(In reply to Marja van Waes from comment #4)
> ouch, I'm waking up
> 
> FF can't give access to a certificate, if it isn't there at all.

Yes it is.

The site mentionned in bugzilla.mozilla.org does not have problem any more.

But mine is different as you see.

However in this case Mageia's firefox is the only webbrowser to forbid acces. Others distributions (mentionned in description, and mint too) and "original" firefox from mozilla's site does not have.

I questionned discuss french list about this bug and they confirm, even under cauldron.
Comment 6 Marja Van Waes 2014-06-21 18:46:54 CEST 
adding some FF committers to the CC of this report.

Akien confirmed that FF30 directly from upstream doesn't have a problem with that website, and that the certificate is present

Keywords: (none) => Triaged
CC: (none) => fundawang, luigiwalser

Comment 7 Marja Van Waes 2014-06-21 18:48:26 CEST 
removing UPSTREAM because the upstream version doesn't have this issue (while our FF30 in cauldron does)

Keywords: UPSTREAM => (none)

David Walser 2014-06-21 18:50:07 CEST

CC: (none) => oe
Source RPM: firefox all versions since mga3 => firefox
Whiteboard: MGA4TOO MGA3TOO => MGA4TOO, MGA3TOO

Comment 8 Thomas Backlund 2014-06-22 10:24:07 CEST 
Actually it is an upstream issue, but not with firefox.

It's the nss 3.16.0 -> 3.16.1 update that broke this

Keywords: (none) => UPSTREAM
CC: (none) => tmb
Source RPM: firefox => nss

Comment 9 Thomas Backlund 2014-06-22 10:33:58 CEST 
(I hit return too fast)

... I confirmed this by rebuilding firefox against nss-3.16.0
Comment 10 Thomas Backlund 2014-06-22 11:10:24 CEST 
Reported upstream

See Also: https://bugzilla.mozilla.org/show_bug.cgi?id=943937 => https://bugzilla.mozilla.org/show_bug.cgi?id=1028647

Comment 11 Thomas Backlund 2014-06-22 11:24:24 CEST 
And reading 3.16.1 release notes I see:

- Imposed name constraints on the French government root CA ANSSI (DCISS).

wich points to:
https://hg.mozilla.org/projects/nss/rev/742307da0792

So it's a CA cert restriction for gouv.fr where the French gov CA now has signed a non gouv.fr site

See Also: (none) => https://bugzilla.mozilla.org/show_bug.cgi?id=952572

Comment 12 Thomas Backlund 2014-06-22 12:20:24 CEST 
And here comes the fix...

Advisory:
Updated nss packages fixes accessing French goverment root CA signed websites

The nss 3.16.1 update done as part of MGASA-2014-0260 introduced a
regression because of the upstream change: 'Imposed name constraints on
the French government root CA ANSSI (DCISS)'
The change wont work as currenlty implemented as the French government
root CA signs more than 'gouv.fr' domains.

So for now we revert that change until its properly fixed upstream.

Mga3:
SRPM:
nss-3.16.1-1.1.mga3.src.rpm

i586:
libnss3-3.16.1-1.1.mga3.i586.rpm
libnss-devel-3.16.1-1.1.mga3.i586.rpm
libnss-static-devel-3.16.1-1.1.mga3.i586.rpm
nss-3.16.1-1.1.mga3.i586.rpm
nss-doc-3.16.1-1.1.mga3.noarch.rpm

x86_64:
lib64nss3-3.16.1-1.1.mga3.x86_64.rpm
lib64nss-devel-3.16.1-1.1.mga3.x86_64.rpm
lib64nss-static-devel-3.16.1-1.1.mga3.x86_64.rpm
nss-3.16.1-1.1.mga3.x86_64.rpm
nss-doc-3.16.1-1.1.mga3.noarch.rpm



Mga4:
nss-3.16.1-1.1.mga4.src.rpm

i586:
libnss3-3.16.1-1.1.mga4.i586.rpm
libnss-devel-3.16.1-1.1.mga4.i586.rpm
libnss-static-devel-3.16.1-1.1.mga4.i586.rpm
nss-3.16.1-1.1.mga4.i586.rpm
nss-doc-3.16.1-1.1.mga4.noarch.rpm

x86_64:
lib64nss3-3.16.1-1.1.mga4.x86_64.rpm
lib64nss-devel-3.16.1-1.1.mga4.x86_64.rpm
lib64nss-static-devel-3.16.1-1.1.mga4.x86_64.rpm
nss-3.16.1-1.1.mga4.x86_64.rpm
nss-doc-3.16.1-1.1.mga4.noarch.rpm

Cauldron:
fixed with nss-3.16.1-2.mga5



Simple testcase:

Before, try to access:
https://sacoche.ac-caen.fr/

and you get:

Error: sec_error_cert_not_in_name_space

then close firefox and update the nss packages.

After:
restart firefox and access:
https://sacoche.ac-caen.fr/

It should now work.

Assignee: bugsquad => qa-bugs

Comment 13 Rémi Verschelde 2014-06-22 12:31:48 CEST 
Fix confirmed on Cauldron x86_64.

CC: (none) => remi

Comment 14 Rémi Verschelde 2014-06-22 12:39:38 CEST 
As a an additional to the test procedure, you could also check for regression with: https://mailhost.icec.ti-edu.ch/Login.aspx?ReturnUrl=%2fdefault.aspx
This is supposed to be uncertified, so you should be offered to add an exception  (both before and after the update).
Comment 15 Rémi Verschelde 2014-06-22 12:58:47 CEST 
Tested Mageia 4 x86_64 in a VM, the update candidate fixes the issue and does not seem to introduce evident regressions.

Whiteboard: MGA4TOO, MGA3TOO => MGA4TOO, MGA3TOO MGA4-64-OK

Rémi Verschelde 2014-06-22 13:23:46 CEST

Version: Cauldron => 4
Whiteboard: MGA4TOO, MGA3TOO MGA4-64-OK => MGA3TOO MGA4-64-OK

Comment 16 Rémi Verschelde 2014-06-22 14:22:41 CEST 
Testing complete on Mageia 4 i586 on real hardware.

Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO MGA4-32-OK MGA4-64-OK

Comment 17 andre salaun 2014-06-23 11:43:57 CEST 
Complete on Mageia 3 i586 Mageia 3 x86_64 Ma
Comment 18 andre salaun 2014-06-23 11:45:04 CEST 
Oups ! complete on Mageia 4 x86_64
Comment 19 claire robinson 2014-06-23 13:02:31 CEST 
Testing complete mga3 32 & 64

https://sacoche.ac-caen.fr/
https://mailhost.icec.ti-edu.ch/Login.aspx?ReturnUrl=%2fdefault.aspx
https://cfspart.impots.gouv.fr/LoginAccess?op=c

and general https browsing
claire robinson 2014-06-23 13:02:46 CEST

Whiteboard: MGA3TOO MGA4-32-OK MGA4-64-OK => MGA3TOO mga3-32-ok mga3-64-ok MGA4-32-OK MGA4-64-OK

Comment 20 claire robinson 2014-06-23 18:40:15 CEST 
Validating. Advisory uploaded.

Could sysadmin please push to 3 & 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: MGA3TOO mga3-32-ok mga3-64-ok MGA4-32-OK MGA4-64-OK => MGA3TOO advisory mga3-32-ok mga3-64-ok MGA4-32-OK MGA4-64-OK
CC: (none) => sysadmin-bugs

Comment 21 Thomas Backlund 2014-06-24 00:14:56 CEST 
Update pushed:
http://advisories.mageia.org/MGAA-2014-0135.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED