Closed
Bug 1103600
Opened 10 years ago
Closed 6 years ago
Connection to *.live.com breaks after some minutes when history is disabled, leaving cert errors and a broken mail web app and requiring you to re-login
Categories
(Web Compatibility :: Site Reports, defect)
Web Compatibility
Site Reports
Tracking
(Not tracked)
RESOLVED
INCOMPLETE
People
(Reporter: wilok_blue, Unassigned, NeedInfo)
Details
(Whiteboard: [country-all] [microsoft] [ssl] [contactready])
Attachments
(2 files)
certificat.jpg
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0 Build ID: 20140529161749 Steps to reproduce: Actual results: Hello, I have a problem since about 2 weeks with my Outlook email (web mail). Indeed, I log on to my webmail and let the current page. After a while I come back to the page to view / write a message and it's impossible. I have a strip that appears "Unable to connect to Outlook.com. Try again later.". If I refresh the page, I have the "This connection is not certified." 'Error : sec_error_unknown_issuer' If I click on my shortcut bookmark, the page opens normally without the need to authenticate it. The problem does not exist on chrome. SO I reinstalled 2 computers completely (OS MS seven pro, firefox V33.1.1, Nothing else). Problem is the same. I downgrade Firefox to 30.0 version and now it's working correcly.
|
Reporter | |
Updated•10 years ago
|
Version: 30 Branch → 33 Branch
|
|
Reporter | |
Updated•10 years ago
|
Component: Untriaged → Disability Access
|
||
Comment 1•10 years ago
|
||
This is not an accessibility bug (for people with disabilties), but rather something security/certificate related. Moving components for further triage.
Component: Disability Access → Security
|
||
Comment 2•10 years ago
|
||
Do you connect to the internet via a proxy? What kind of proxy?
Component: Security → Security: PSM
Flags: needinfo?(wilok_blue)
Product: Firefox → Core
|
|
Reporter | |
Comment 3•10 years ago
|
||
Hello guys, So i'm working on my problem today. Fist time i don't use proxy. What i know today : I tested with 32.0.1 , 32.0.3, 33.0.1, 33.0.3 and 36.0a1.en. I replicate the problem. How to replicate the problem : - Reset firefox parameters "about:support". [URL=http://www.hostingpics.net/viewer.php?id=851747resetus.jpg][IMG]http://img15.hostingpics.net/pics/851747resetus.jpg[/IMG][/URL] - Put this options in Firefox (Tell sites that I do not want to be tracked, never remember history). [url=http://www.hostingpics.net/viewer.php?id=716473Pamametreus.png][img]http://img15.hostingpics.net/thumbs/mini_716473Pamametreus.png[/img][/url] And go to "hotmail.com". I'm gonna test other thing, but i think there is a problem. What do you think about it ?
![http://www.hostingpics.net/viewer.php?id=851747resetus.jpg][IMG]http://img15.hostingpics.net/pics/851747resetus.jpg[/IMG][/URL](http://www.hostingpics.net/viewer.php?id=851747resetus.jpg][IMG]http://img15.hostingpics.net/pics/851747resetus.jpg[/IMG][/URL){kind=link}
![http://www.hostingpics.net/viewer.php?id=716473Pamametreus.png][img]http://img15.hostingpics.net/thumbs/mini_716473Pamametreus.png[/img][/url](http://www.hostingpics.net/viewer.php?id=716473Pamametreus.png][img]http://img15.hostingpics.net/thumbs/mini_716473Pamametreus.png[/img][/url){kind=link}
Flags: needinfo?(wilok_blue)
|
|
||
Comment 4•10 years ago
|
||
I tried to follow the steps from comment #3, and I get the sign in page at this URL: https://login.live.com/login.srf?wa=wsignin1.0&rpsnv=12&ct=1416875135&rver=6.4.6456.0&wp=MBI_SSL_SHARED&wreply=https:%2F%2Fmail.live.com%2Fdefault.aspx%3Frru%3Dinbox&lc=1033&id=64855&mkt=en-us&cbcxt=mai just fine. Does the issue only occur once you're logged in for longer periods of time?
Flags: needinfo?(wilok_blue)
|
|
Reporter | |
Comment 5•10 years ago
|
||
to replicate, you wait 3 to 6 minutes. So you log to Outlook.com and go to do something else (waiting).Back, you click to create a new message or click to directory. You have the problem. I note when you click to directory just after log, before waiting, and you want access, after waiting,you can access (cache in memory).
Flags: needinfo?(wilok_blue)
|
|
Reporter | |
Comment 6•10 years ago
|
||
I tested with an other computer (Xp sp3 - firefox 33.1.1). I have the same problem (option Tell sites that I do not want to be tracked, never remember history). When i change history option, that's working correctly.
|
|
||
Comment 7•10 years ago
|
||
I created an outlook account and was able to reproduce on current Nightly. This is very odd... :-\
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows 7 → All
Hardware: x86_64 → All
|
|
||
Comment 8•10 years ago
|
||
|
|
||
Updated•10 years ago
|
Attachment #8528338 -
Attachment mime type: text/x-vhdl → text/plain
|
|
||
Comment 9•10 years ago
|
||
I'm not really able to determine why we suddenly don't trust the cert anymore. I just checked, and the cert I am initially offered is identical to the broken one. Going back to login.live.com and logging back in from there makes it work. Brian or David, any idea how/where to look further?
Flags: needinfo?(dkeeler)
Flags: needinfo?(brian)
|
|
||
Updated•10 years ago
|
Summary: outlook.com → Connection to *.live.com breaks after some minutes when history is disabled, leaving cert errors and a broken mail web app and requiring you to re-login
|
|
Reporter | |
Comment 10•10 years ago
|
||
An other information. I changed "Tell sites that I do not want to be tracked" option to an other one. I reloaded firefox and changed to "Tell sites that I do not want to be tracked" option. It's working correctly now. So problem appear when you put this 2 options in same time, when you set your firefox.
I can't reproduce this issue. Here's what I did in a fresh profile: * set DNT and never remember history (requiring a restart) * signed in to hotmail/outlook/live.com * waited for a while * clicked on compose new message or a different folder In any case, my guess is the webapp is trying to connect to a server that doesn't send the correct intermediate certificates. Since the history settings make it so we don't cache intermediates from previously successful connections (if I understand correctly), Firefox can't find the appropriate intermediates and says that the certificate has an unknown issuer. It someone can get a packet dump of the failing connection we would be able to verify this theory.
|
||
Updated•10 years ago
|
Flags: needinfo?(dkeeler)
|
|
||
Comment 12•10 years ago
|
||
(In reply to David Keeler (:keeler) [use needinfo?] from comment #11) > I can't reproduce this issue. Here's what I did in a fresh profile: > > * set DNT and never remember history (requiring a restart) > * signed in to hotmail/outlook/live.com > * waited for a while > * clicked on compose new message or a different folder > > In any case, my guess is the webapp is trying to connect to a server that > doesn't send the correct intermediate certificates. Since the history > settings make it so we don't cache intermediates from previously successful > connections (if I understand correctly), Firefox can't find the appropriate > intermediates and says that the certificate has an unknown issuer. It > someone can get a packet dump of the failing connection we would be able to > verify this theory. I'd like to help and get this, but at the risk of sounding dumb/naive, how do I do that considering it's all SSL? :-\
(In reply to :Gijs Kruitbosch from comment #12) > I'd like to help and get this, but at the risk of sounding dumb/naive, how > do I do that considering it's all SSL? :-\ No worries - that's a legitimate question. When negotiating a full handshake, the server will send the certificate chain unencrypted since the client and server haven't negotiated a shared secret key at that point. You should be able to look at these in Wireshark (filter on ssl.handshake.certificates). If the client/server are doing a session resumption, the certificates won't necessarily be there, since if the client/server already negotiated a session ticket, it's assumed the client has all the information necessary to verify the server's identity.
|
|
||
Comment 14•10 years ago
|
||
Thanks! Will try to get back on this later today or tomorrow.
Flags: needinfo?(gijskruitbosch+bugs)
|
|
Reporter | |
Comment 15•10 years ago
|
||
Hello, You can download wireshark file here. https://1fichier.com/?9tfd8xtx1v
|
|
||
Comment 16•10 years ago
|
||
Clearing needinfo considering there's a wireshark log now...
Flags: needinfo?(gijskruitbosch+bugs)
Thanks for the packet trace. It shows that the server at 204.79.197.211 isn't sending an intermediate certificate. Compare the output of `openssl s_client -connect 204.79.197.211:443 -showcerts < /dev/null` to `openssl s_client -connect 157.55.43.16:443 -showcerts < /dev/null` (157.55.43.16 is what 'dub111.mail.live.com resolves to for me, which is the host the client is attempting to connect to in the packet trace.) This is an evangelism issue, and we should get in touch with Microsoft.
Component: Security: PSM → Desktop
Flags: needinfo?(brian)
Product: Core → Tech Evangelism
Version: 33 Branch → unspecified
|
||
Updated•10 years ago
|
Whiteboard: [country-all] [microsoft] [ssl] [contactready]
|
||
Comment 18•7 years ago
|
||
Christophe, it's been quite a while since this was reported -- could you test if it reproduces before we reach out to Microsoft? Thanks!
Flags: needinfo?(wilok_blue)
|
|
||
Comment 19•6 years ago
|
||
No response, let's close. (But we can re-open if we have new info!)
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → INCOMPLETE
|
Assignee | |
Updated•5 years ago
|
Product: Tech Evangelism → Web Compatibility
You need to log in
before you can comment on or make changes to this bug.
Description
•