Project

General

Profile

Actions

Bug #7800

closed

Firefox stalls after TLS handshake on self signed certificate with a missing contact email

Added by François ARMAND almost 9 years ago. Updated over 6 years ago.

Status:
Released
Priority:
2
Category:
System integration
Target version:
Severity:
UX impact:
User visibility:
Effort required:
Priority:
0
Name check:
Fix check:
Regression:

Description

--- firefox bug and workaround ---

There is ticket opened on mozilla bug tracker: https://bugzilla.mozilla.org/show_bug.cgi?id=1240548

Edit: there was an other bug open in firefox bugtracked, without any chance to find it given the title: https://bugzilla.mozilla.org/show_bug.cgi?id=1056341

The general workaround (because that problem can happen in other case than Rudder one, so if any body land here:) is to:

  • solution 1: create a new profile (firefox -F) and use it
  • solution 2: remove all existing occurence of the certificate in firefox internal base: preference -> advanced choice -> certificates -> view certificates -> Servers tab and likelly they are in the (unknonw) entry
  • solution 3: solution 2 may not be sufficient if the cert base is somehow broken (see comment #13), so: rm ~/.mozilla/firefox/xxxx.default/cert8.db (or cert9.db)
  • solution 4: sometimes, even if you remove certX.db, ff will stall. You will have to do:
cd  ~/.mozilla/firefox/xxxx.default/
certutil -d sql:. -L | grep hostname-of-problematic-server
[you should see several entries for it]
certutil -d sql:. -D -n hostname-of-problematic-server

Description of the problem

At the end of the installation process, Rudder generates a self signed certificate and install it into Apache.
Firefox is enable to connect to Rudder in https with that certificate. Of course, it does not happen with all Firefox, but we are several to have experienced the problem with version of Firefox from at 39.x to the latest 43.0.4.
The behaviour is that Firefox status bar display "connected to 192.168.42.2...." and nothing else happen, even if we wait several minutes (i.e: we don't even get the security notification page that the site is not secured, do you want to add an exception are you really sur).

Of course, using Chrome/chromium of even Opera works without any problem.

On the network level, we can see that the TLS handshacks is ok, but then a reset happen.
On apache side, the logs say:

[Mon Jan 18 16:30:02 2016] [info] [client 192.168.42.1] Connection to child 10 established (server server.rudder.local:443)
[Mon Jan 18 16:30:02 2016] [info] Seeding PRNG with 656 bytes of entropy
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_kernel.c(1818): OpenSSL: Handshake: start
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_kernel.c(1826): OpenSSL: Loop: before/accept initialization
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1897): OpenSSL: read 11/11 bytes from BIO#7fa515eeae20 [mem: 7fa515f964a0] (BIO dump follows)
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1869): | 0000: 16 03 01 00 c0 01 00 00-bc 03 03                 ...........      |
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1875): +-------------------------------------------------------------------------+
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1897): OpenSSL: read 186/186 bytes from BIO#7fa515eeae20 [mem: 7fa515f964ae] (BIO dump follows)
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1869): | 0000: 20 d6 04 93 11 ad 47 1f-a3 7d a6 be 26 7a 33 38   .....G..}..&z38 |
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1869): | 0010: f3 0a 9c a9 15 ae 91 4c-47 10 a7 4f 3d 90 f2 50  .......LG..O=..P |
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1869): | 0020: 20 48 c8 ee c8 23 68 a3-0b 85 04 11 61 ea 42 8b   H...#h.....a.B. |
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1869): | 0030: 07 74 e6 9d 9f cc 2f b6-fc d8 2d 8e b1 a1 d2 ff  .t..../...-..... |
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1869): | 0040: dc 00 16 c0 2b c0 2f c0-0a c0 09 c0 13 c0 14 00  ....+./......... |
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1869): | 0050: 33 00 39 00 2f 00 35 00-0a 01 00 00 5d ff 01 00  3.9./.5.....]... |
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1869): | 0060: 01 00 00 0a 00 08 00 06-00 17 00 18 00 19 00 0b  ................ |
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1869): | 0070: 00 02 01 00 00 23 00 00-33 74 00 00 00 10 00 17  .....#..3t...... |
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1869): | 0080: 00 15 02 68 32 08 73 70-64 79 2f 33 2e 31 08 68  ...h2.spdy/3.1.h |
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1869): | 0090: 74 74 70 2f 31 2e 31 00-05 00 05 01 00 00 00 00  ttp/1.1......... |
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1869): | 00a0: 00 0d 00 16 00 14 04 01-05 01 06 01 02 01 04 03  ................ |
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1869): | 00b0: 05 03 06 03 02 03 04 02-02 02                    ..........       |
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1875): +-------------------------------------------------------------------------+
[Mon Jan 18 16:30:02 2016] [debug] ssl_scache_shmcb.c(393): ssl_scache_shmcb_retrieve (0x48 -> subcache 8)
[Mon Jan 18 16:30:02 2016] [debug] ssl_scache_shmcb.c(708): shmcb_subcache_retrieve found no match
[Mon Jan 18 16:30:02 2016] [debug] ssl_scache_shmcb.c(408): leaving ssl_scache_shmcb_retrieve successfully
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_kernel.c(1684): Inter-Process Session Cache: request=GET status=MISSED id=48C8EEC82368A30B85041161EA428B0774E69D9FCC2FB6FCD82D8EB1A1D2FFDC (session
renewal)
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_kernel.c(1826): OpenSSL: Loop: SSLv3 read client hello A
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_kernel.c(1826): OpenSSL: Loop: SSLv3 write server hello A
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_kernel.c(1826): OpenSSL: Loop: SSLv3 write certificate A
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_kernel.c(1826): OpenSSL: Loop: SSLv3 write key exchange A
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_kernel.c(1826): OpenSSL: Loop: SSLv3 write server done A
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_kernel.c(1826): OpenSSL: Loop: SSLv3 flush data
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1897): OpenSSL: read 5/5 bytes from BIO#7fa515eeae20 [mem: 7fa515f964a3] (BIO dump follows)
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1869): | 0000: 16 03 03 00 46                                   ....F            |
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1875): +-------------------------------------------------------------------------+
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1897): OpenSSL: read 70/70 bytes from BIO#7fa515eeae20 [mem: 7fa515f964a8] (BIO dump follows)
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1869): | 0000: 10 00 00 42 41 04 c6 23-da 59 a5 c0 ef fa 46 74  ...BA..#.Y....Ft |
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1869): | 0010: 25 b3 95 49 bf ef c7 58-8d 25 98 e9 5e db e1 1a  %..I...X.%..^... |
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1869): | 0020: 73 0b 22 74 ba 55 e0 9c-d9 e3 43 76 a7 13 99 63  s."t.U....Cv...c |
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1869): | 0030: d7 09 d3 7c aa 9c 7b 8b-9e 72 0b 23 60 03 41 28  ...|..{..r.#`.A( |
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1869): | 0040: 2d 6d 44 1b 0d 7a                                -mD..z           |
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1875): +-------------------------------------------------------------------------+
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_kernel.c(1826): OpenSSL: Loop: SSLv3 read client key exchange A
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1897): OpenSSL: read 5/5 bytes from BIO#7fa515eeae20 [mem: 7fa515f964a3] (BIO dump follows)
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1869): | 0000: 14 03 03 00 01                                   .....            |
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1875): +-------------------------------------------------------------------------+
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1897): OpenSSL: read 1/1 bytes from BIO#7fa515eeae20 [mem: 7fa515f964a8] (BIO dump follows)
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1869): | 0000: 01                                               .                |
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1875): +-------------------------------------------------------------------------+
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1897): OpenSSL: read 5/5 bytes from BIO#7fa515eeae20 [mem: 7fa515f964a3] (BIO dump follows)
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1869): | 0000: 16 03 03 00 28                                   ....(            |
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1875): +-------------------------------------------------------------------------+
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1897): OpenSSL: read 40/40 bytes from BIO#7fa515eeae20 [mem: 7fa515f964a8] (BIO dump follows)
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1830): +-------------------------------------------------------------------------+
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1869): | 0000: 00 00 00 00 00 00 00 00-89 ff fb f5 ab 7d ec 89  .............}.. |
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1869): | 0010: 7f d9 b9 f3 cc 6e ea f3-17 88 2b 37 90 92 44 1d  .....n....+7..D. |
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1869): | 0020: 16 1f 83 62 8f e7 ed f6-                         ...b....         |
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_io.c(1875): +-------------------------------------------------------------------------+
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_kernel.c(1826): OpenSSL: Loop: SSLv3 read finished A
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_kernel.c(1826): OpenSSL: Loop: SSLv3 write session ticket A
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_kernel.c(1826): OpenSSL: Loop: SSLv3 write change cipher spec A
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_kernel.c(1826): OpenSSL: Loop: SSLv3 write finished A
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_kernel.c(1826): OpenSSL: Loop: SSLv3 flush data
[Mon Jan 18 16:30:02 2016] [debug] ssl_engine_kernel.c(1822): OpenSSL: Handshake: done
[Mon Jan 18 16:30:02 2016] [info] Connection: Client IP: 192.168.42.1, Protocol: TLSv1.2, Cipher: ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)

[.... wait wait wait ....]

[Mon Jan 18 16:30:23 2016] [info] [client 192.168.42.1] Request header read timeout
[Mon Jan 18 16:30:23 2016] [debug] ssl_engine_io.c(1908): OpenSSL: I/O error, 5 bytes expected to read on BIO#7fa515eeae20 [mem: 7fa515f964a3]
[Mon Jan 18 16:30:23 2016] [info] [client 192.168.42.1] (70007)The timeout specified has expired: SSL input filter read failed.
[Mon Jan 18 16:30:23 2016] [debug] ssl_engine_kernel.c(1836): OpenSSL: Write: SSL negotiation finished successfully
[Mon Jan 18 16:30:23 2016] [info] [client 192.168.42.1] Connection closed to child 10 with standard shutdown (server server.rudder.local:443)

After loads of debugging, we found that the self-signed certificate in use is faulty, and that just adding an email to the subject make every thing works.

Not working certificate generation command:

openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$(hostname --fqdn)/" -keyout /opt/rudder/etc/ssl/rudder-webapp.key -out /opt/rudder/etc/ssl/rudder-webapp.crt -days 1460 -nodes -sha256

And the working one:

$ openssl req -new -x509 -newkey rsa:2048 -subj "/CN=$(hostname --fqdn)/emailAddress=root@localhost/"  -keyout rudder-webapp.key -out rudder-webapp.crt -days 1460 -nodes -sha256

(attached a couple of working and a couple of not working certificate/key).

Some more information: it happens for firefox on at least Archlinux, Mint, Fedora (but perhaps not always Debian or Ubuntu). It seems to not be related with the Apache version or server distribution (happens in both centos and debian at least).


Files

rudder-webapp-BAD.crt (1.1 KB) rudder-webapp-BAD.crt François ARMAND, 2016-01-18 17:39
rudder-webapp-BAD.key (1.66 KB) rudder-webapp-BAD.key François ARMAND, 2016-01-18 17:39
rudder-webapp-GOOD.crt (1.18 KB) rudder-webapp-GOOD.crt François ARMAND, 2016-01-18 17:39
rudder-webapp-GOOD.key (1.67 KB) rudder-webapp-GOOD.key François ARMAND, 2016-01-18 17:39

Related issues 1 (0 open1 closed)

Related to Rudder - Bug #9566: Firefox stalls after TLS handshake on self signed certificateReleasedAlexis Mousset2016-10-31Actions
Actions #1

Updated by Jonathan CLARKE almost 9 years ago

  • Assignee set to Jonathan CLARKE
Actions #2

Updated by Jonathan CLARKE almost 9 years ago

  • Status changed from In progress to Pending technical review
  • Assignee changed from Jonathan CLARKE to François ARMAND
  • Pull Request set to https://github.com/Normation/rudder-packages/pull/865
Actions #3

Updated by François ARMAND almost 9 years ago

  • Description updated (diff)

Add info about OS displaying the problem.

Actions #4

Updated by Jonathan CLARKE almost 9 years ago

  • Status changed from Pending technical review to Pending release
  • % Done changed from 0 to 100
Actions #5

Updated by François ARMAND almost 9 years ago

  • Description updated (diff)
  • % Done changed from 100 to 0

Add reference to Firefox ticket in description.

Actions #6

Updated by François ARMAND almost 9 years ago

  • Description updated (diff)

Add reference to the other firefox bug and workaround.

Actions #7

Updated by Vincent MEMBRÉ almost 9 years ago

  • Status changed from Pending release to Released

This bug has been fixed in Rudder 2.11.18, 3.0.13, 3.1.6 and 3.2.0 which were released today.

Actions #8

Updated by Nicolas CHARLES over 8 years ago

Using Firefox 44.0.2, Rudder 3.0.15 and rudder-tests current master, I still have the issue

Actions #9

Updated by Nicolas CHARLES over 8 years ago

After about 10 minutes, I get:
Le certificat n'est pas sûr car il est auto-signé. Le certificat n'est valide que pour server.rudder.local.

Asking for certificate details stalls completely Firefox for 10 extra minutes (can't use it at all), but resulting certificate looks correct

Actions #10

Updated by François ARMAND over 8 years ago

Perhaps you have far too many broken certificates already present, and they have side effects.

Could you remove all you old test/labo certificate ? It's on preferences => advanced => certifcates => view certificates, and in the pop-up => servers, remove all the "unknowns" which look like rudder tests servers.

Actions #11

Updated by Nicolas CHARLES over 8 years ago

removing all old certificates fixes the issue, thank you Francois

Actions #12

Updated by Benoît PECCATTE about 8 years ago

  • Related to Bug #9566: Firefox stalls after TLS handshake on self signed certificate added
Actions #13

Updated by François ARMAND almost 8 years ago

  • Description updated (diff)

Sometime, even when you remove certificate from the UI, Firefox STILL remains slow. In that case, you can do the procedure explain here: https://bugzilla.redhat.com/show_bug.cgi?id=1204670#c34

% cd .mozilla/firefox/xxx.default
% certutil -d dbm:. -L | grep -i loca
....
server.rudder.local
...
relay.rudder.local
...
server1.rudder.local
...
% certutil -d dbm:. -D -n server1.rudder.local
(again and again with all rudder entries)

In my case, I wasn't able to delete all local certificates for rudder, so perhaps my base was just broken. I deleted it

% rm -f cert8.db

It is recreated by firefox and contains nothing that you can do again (accepting certs). And now, Firefox is QUICK AGAIN !

Actions #14

Updated by François ARMAND almost 8 years ago

  • Description updated (diff)
Actions #15

Updated by François ARMAND almost 8 years ago

  • Description updated (diff)
Actions #16

Updated by François ARMAND over 6 years ago

  • Description updated (diff)
  • Priority set to 0
Actions

Also available in: Atom PDF