233728 2008-08-02 17:15 0000 www-client/mozilla-firefox-bin: breakpad cannot send crash reports because of CA issues 2008-08-29 11:18:22 0000 1 1 1 Unclassified Gentoo Linux Applications unspecified All Linux RESOLVED FIXED https://bugzilla.mozilla.org/show_bug.cgi?id=448925 P2 normal --- 1 phajdan.jr@gmail.com mozilla@gentoo.org phajdan.jr@gmail.com 2008-08-02 17:15:27 0000 Every time my nightly mozilla-firefox-bin crashed, its crash reporter, breakpad, told me it had a problem sending the report. Today I found its log in .mozilla/firefox/Crash\ Reports/submit.log (as well as pending crash reports in given directory). Here are the contents of the log: [Fri Feb 1 18:24:39 2008] Crash report submission failed: Peer certificate cannot be authenticated with known CA certificates [Fri Feb 1 18:27:18 2008] Crash report submission failed: Peer certificate cannot be authenticated with known CA certificates [Sat 28 Jun 2008 09:24:00 AM CEST] Crash report submission failed: Peer certificate cannot be authenticated with known CA certificates [Sat 28 Jun 2008 09:24:39 AM CEST] Crash report submission failed: Peer certificate cannot be authenticated with known CA certificates [Sat 02 Aug 2008 11:45:25 AM CEST] Crash report submission failed: Peer certificate cannot be authenticated with known CA certificates I'm currently using nightly build with UA of "Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.1a2pre) Gecko/2008080102 Minefield/3.1a2pre" - it's not in portage, but eventually I can test with 3.1a1 from portage, using the crash me extension. armin76@gentoo.org 2008-08-03 09:25:06 0000 Not a Gentoo bug, report it upstream. phajdan.jr@gmail.com 2008-08-04 10:18:16 0000 Mozilla closed the bug as invalid, see https://bugzilla.mozilla.org/show_bug.cgi?id=448925#c1 This is their response: "So install the right set of CA certificates. Not our problem." Please re-check our CA list, or ask Mozilla specifically. I have ca-certificates-20070303-r1. armin76@gentoo.org 2008-08-04 11:03:03 0000 Adding base-system, since ca-certificates its their package. cardoe@gentoo.org 2008-08-04 14:12:07 0000 Except Mozilla's breakpad doesn't use any system CAs.... Mozilla has it's own set of CAs it installs completely separate. Additionally, it might be worth knowing what server it's attempting to connect to and what CA signed that servers certificate. phajdan.jr@gmail.com 2008-08-04 14:45:10 0000 Created an attachment (id=162203) openssl info about crash-reports.mozilla.com Using a sniffer I discovered that breakpad connects to crash-reports.mozilla.com. This attachment is what could be retrieved using openssl from comand line (the command is included in the file, as well as full output). I also detected traffic to dyna-services-amo.nslb.sj.mozilla.com, but it seems to be irrelevant, as it's probably related to addons.mozilla.org (but I'm not sure about that). cardoe@gentoo.org 2008-08-04 15:06:30 0000 ca-certificates provides the necessary cert... openssl s_client -connect crash-reports.mozilla.com:443 -CApath /etc/ssl/certs will result in a successful cert validation. Breakpad needs to be configured to use /etc/ssl/certs in this case. armin76@gentoo.org 2008-08-04 15:30:14 0000 Sigh, so Mozilla says its not their problem, and firefox doesn't use external certificates...so what? :/ armin76@gentoo.org 2008-08-04 15:36:43 0000 https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/205992 Still, -bin has its own nss lib...so...in my opinion that certificate crash-reports uses should be add to nss...we can't fix it. phajdan.jr@gmail.com 2008-08-04 17:07:00 0000 Do you think I should re-open the upstream bug (maybe adding some additional info to it)? How about including link to this Gentoo bug? armin76@gentoo.org 2008-08-04 19:03:05 0000 Yeah, if you want an answer yes. Thing is, wether we want to fix it or not, we can't... ted.mielczarek@gmail.com 2008-08-04 21:14:21 0000 The crashreporter uses the system libcurl, not Firefox's built-in NSS. If your libcurl doesn't have the necessary certs available, it will not work. (We dlopen libcurl to get around SOversioning issues: http://mxr.mozilla.org/mozilla-central/source/toolkit/crashreporter/google-breakpad/src/common/linux/http_upload.cc#70 ) phajdan.jr@gmail.com 2008-08-06 09:12:26 0000 After re-emerging curl with nss USE flag disabled breakpad could successfully send reports, and curl could successfully validate Mozilla's certificate. Now possibilities of fixing this bug are much better. armin76@gentoo.org 2008-08-28 17:34:35 0000 Removing base-system then. The only fix here is adding a warning if someone has nss in its curl. What i still don't understand is why that cert is not included in nss, but well. Anyway, what version of firefox-bin are we talking about? phajdan.jr@gmail.com 2008-08-28 17:48:45 0000 mozilla-firefox-bin-3.0.1-r1; I originally opened for nightly, but it also happens with in-portage version armin76@gentoo.org 2008-08-29 11:18:22 0000 I've added an einfo for this. 162203 2008-08-04 14:45 0000 openssl info about crash-reports.mozilla.com crash-reports.mozilla.com.txt text/plain JCBvcGVuc3NsIHNfY2xpZW50IC1jb25uZWN0IGNyYXNoLXJlcG9ydHMubW96aWxsYS5jb206NDQz CkNPTk5FQ1RFRCgwMDAwMDAwMykKZGVwdGg9MCAvQz1VUy9PPWNyYXNoLXJlcG9ydHMubW96aWxs YS5jb20vT1U9R1Q1ODk3NzI5NS9PVT1TZWUgd3d3Lmdlb3RydXN0LmNvbS9yZXNvdXJjZXMvY3Bz IChjKTA4L09VPURvbWFpbiBDb250cm9sIFZhbGlkYXRlZCAtIFF1aWNrU1NMIFByZW1pdW0oUikv Q049Y3Jhc2gtcmVwb3J0cy5tb3ppbGxhLmNvbQp2ZXJpZnkgZXJyb3I6bnVtPTIwOnVuYWJsZSB0 byBnZXQgbG9jYWwgaXNzdWVyIGNlcnRpZmljYXRlCnZlcmlmeSByZXR1cm46MQpkZXB0aD0wIC9D PVVTL089Y3Jhc2gtcmVwb3J0cy5tb3ppbGxhLmNvbS9PVT1HVDU4OTc3Mjk1L09VPVNlZSB3d3cu Z2VvdHJ1c3QuY29tL3Jlc291cmNlcy9jcHMgKGMpMDgvT1U9RG9tYWluIENvbnRyb2wgVmFsaWRh dGVkIC0gUXVpY2tTU0wgUHJlbWl1bShSKS9DTj1jcmFzaC1yZXBvcnRzLm1vemlsbGEuY29tCnZl cmlmeSBlcnJvcjpudW09Mjc6Y2VydGlmaWNhdGUgbm90IHRydXN0ZWQKdmVyaWZ5IHJldHVybjox CmRlcHRoPTAgL0M9VVMvTz1jcmFzaC1yZXBvcnRzLm1vemlsbGEuY29tL09VPUdUNTg5NzcyOTUv T1U9U2VlIHd3dy5nZW90cnVzdC5jb20vcmVzb3VyY2VzL2NwcyAoYykwOC9PVT1Eb21haW4gQ29u dHJvbCBWYWxpZGF0ZWQgLSBRdWlja1NTTCBQcmVtaXVtKFIpL0NOPWNyYXNoLXJlcG9ydHMubW96 aWxsYS5jb20KdmVyaWZ5IGVycm9yOm51bT0yMTp1bmFibGUgdG8gdmVyaWZ5IHRoZSBmaXJzdCBj ZXJ0aWZpY2F0ZQp2ZXJpZnkgcmV0dXJuOjEKLS0tCkNlcnRpZmljYXRlIGNoYWluCiAwIHM6L0M9 VVMvTz1jcmFzaC1yZXBvcnRzLm1vemlsbGEuY29tL09VPUdUNTg5NzcyOTUvT1U9U2VlIHd3dy5n ZW90cnVzdC5jb20vcmVzb3VyY2VzL2NwcyAoYykwOC9PVT1Eb21haW4gQ29udHJvbCBWYWxpZGF0 ZWQgLSBRdWlja1NTTCBQcmVtaXVtKFIpL0NOPWNyYXNoLXJlcG9ydHMubW96aWxsYS5jb20KICAg aTovQz1VUy9PPUVxdWlmYXgvT1U9RXF1aWZheCBTZWN1cmUgQ2VydGlmaWNhdGUgQXV0aG9yaXR5 Ci0tLQpTZXJ2ZXIgY2VydGlmaWNhdGUKLS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURU RENDQXJXZ0F3SUJBZ0lEQ0pTT01BMEdDU3FHU0liM0RRRUJCUVVBTUU0eEN6QUpCZ05WQkFZVEFs VlQKTVJBd0RnWURWUVFLRXdkRmNYVnBabUY0TVMwd0t3WURWUVFMRXlSRmNYVnBabUY0SUZObFkz VnlaU0JEWlhKMAphV1pwWTJGMFpTQkJkWFJvYjNKcGRIa3dIaGNOTURnd01URTFNakV5TWpFMFdo Y05NVEF3TVRFMU1qRXlNakUwCldqQ0IxakVMTUFrR0ExVUVCaE1DVlZNeElqQWdCZ05WQkFvVEdX TnlZWE5vTFhKbGNHOXlkSE11Ylc5NmFXeHMKWVM1amIyMHhFekFSQmdOVkJBc1RDa2RVTlRnNU56 Y3lPVFV4TVRBdkJnTlZCQXNUS0ZObFpTQjNkM2N1WjJWdgpkSEoxYzNRdVkyOXRMM0psYzI5MWNt TmxjeTlqY0hNZ0tHTXBNRGd4TnpBMUJnTlZCQXNUTGtSdmJXRnBiaUJECmIyNTBjbTlzSUZaaGJH bGtZWFJsWkNBdElGRjFhV05yVTFOTUlGQnlaVzFwZFcwb1Vpa3hJakFnQmdOVkJBTVQKR1dOeVlY Tm9MWEpsY0c5eWRITXViVzk2YVd4c1lTNWpiMjB3Z1o4d0RRWUpLb1pJaHZjTkFRRUJCUUFEZ1kw QQpNSUdKQW9HQkFNcnJqeFFXdGdoNnhKa0ZiNkRlYmpsZG1McjBJVTNTVXltSGFNY29zNklTSjR3 OElra0dHSlMrCjU5c01wTEdSNmJNWm1pb0g0ZHBTWnF3UXFDWVBwTVF4aThYamRrZUl6eFA4UTIr MDFsWVlLL2ZUVnFwMmpoM1QKV3dPazFnYmlOQnpZWVl4eGtoWE9SNXlqajZwZlNIZFdCSlpaSlJh allvL3hkZHptcTVwOUFnTUJBQUdqZ2E0dwpnYXN3RGdZRFZSMFBBUUgvQkFRREFnVHdNQjBHQTFV ZERnUVdCQlRkMnA3QVJ0TFQzblZlaDhhL001TmRBVVd5ClR6QTZCZ05WSFI4RU16QXhNQytnTGFB cmhpbG9kSFJ3T2k4dlkzSnNMbWRsYjNSeWRYTjBMbU52YlM5amNteHoKTDNObFkzVnlaV05oTG1O eWJEQWZCZ05WSFNNRUdEQVdnQlJJNW1qNUs5S3lsZGRIMkNNZ0VFOHptSkNmMURBZApCZ05WSFNV RUZqQVVCZ2dyQmdFRkJRY0RBUVlJS3dZQkJRVUhBd0l3RFFZSktvWklodmNOQVFFRkJRQURnWUVB ClBtNExCdnREOHlzUGRBWnNTVmJRNi84ck9HdEdxQ3NCSlJ0bWN5RjNGS2VJQlpRRUdva2hlcWVp b2ZETDVIT1cKbTdnY01rMXNIK2o5aWJLZzlZTHBONVd3VDlaYkNuV2tBbVZVZ1VyeHgrT0wyeVZ0 QktkcWlWcGErTFc1VGlGbQpjVzlXcHN3RlJOL1crNWxPWk5MVVZIeFB6Nmltek9HUGhDY3REbDFr Y3RNPQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCnN1YmplY3Q9L0M9VVMvTz1jcmFzaC1yZXBv cnRzLm1vemlsbGEuY29tL09VPUdUNTg5NzcyOTUvT1U9U2VlIHd3dy5nZW90cnVzdC5jb20vcmVz b3VyY2VzL2NwcyAoYykwOC9PVT1Eb21haW4gQ29udHJvbCBWYWxpZGF0ZWQgLSBRdWlja1NTTCBQ cmVtaXVtKFIpL0NOPWNyYXNoLXJlcG9ydHMubW96aWxsYS5jb20KaXNzdWVyPS9DPVVTL089RXF1 aWZheC9PVT1FcXVpZmF4IFNlY3VyZSBDZXJ0aWZpY2F0ZSBBdXRob3JpdHkKLS0tCk5vIGNsaWVu dCBjZXJ0aWZpY2F0ZSBDQSBuYW1lcyBzZW50Ci0tLQpTU0wgaGFuZHNoYWtlIGhhcyByZWFkIDk4 NCBieXRlcyBhbmQgd3JpdHRlbiAzMjQgYnl0ZXMKLS0tCk5ldywgVExTdjEvU1NMdjMsIENpcGhl ciBpcyBSQzQtTUQ1ClNlcnZlciBwdWJsaWMga2V5IGlzIDEwMjQgYml0CkNvbXByZXNzaW9uOiBO T05FCkV4cGFuc2lvbjogTk9ORQpTU0wtU2Vzc2lvbjoKICAgIFByb3RvY29sICA6IFRMU3YxCiAg ICBDaXBoZXIgICAgOiBSQzQtTUQ1CiAgICBTZXNzaW9uLUlEOiA5Q0U2NjU5REJBQzRBRUU5NjBG OUNFMEMxMEJDNzI0Nzg5QkNFRjEyRDMzRjJGOUJGRDlGRDg0NTAyNDU1NTA3CiAgICBTZXNzaW9u LUlELWN0eDoKICAgIE1hc3Rlci1LZXk6IEU3N0FFNzUxODJCRDA4NjMxQ0Y3OTY4Qzk3NkQxQ0ZE NTJEQzUxQkMwMzI5QzEyN0E4NTUxRjlENjhDMEY5MDJDNjk0MzMyNjJBRDVDREJCRUJENUJFRDUw RkJGMDc2NQogICAgS2V5LUFyZyAgIDogTm9uZQogICAgU3RhcnQgVGltZTogMTIxNzg2MDcyNAog ICAgVGltZW91dCAgIDogMzAwIChzZWMpCiAgICBWZXJpZnkgcmV0dXJuIGNvZGU6IDIxICh1bmFi bGUgdG8gdmVyaWZ5IHRoZSBmaXJzdCBjZXJ0aWZpY2F0ZSkKLS0tCg==