Bug 233728 - www-client/mozilla-firefox-bin: breakpad cannot send crash reports because of CA issues
Bug#: 233728 Product:  Gentoo Linux Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: normal Priority: P2
Resolution: FIXED Assigned To: mozilla@gentoo.org Reported By: phajdan.jr@gmail.com
Component: Applications
URL:  https://bugzilla.mozilla.org/show_bug.cgi?id=448925
Summary: www-client/mozilla-firefox-bin: breakpad cannot send crash reports because of CA issues
Opened: 2008-08-02 17:15 0000
Description:
Every time my nightly mozilla-firefox-bin crashed, its crash reporter,
breakpad, told me it had a problem sending the report. Today I found its log in
.mozilla/firefox/Crash\ Reports/submit.log (as well as pending crash reports in
the given directory). Here are the contents of the log:

[Fri Feb  1 18:24:39 2008] Crash report submission failed: Peer certificate
cannot be authenticated with known CA certificates
[Fri Feb  1 18:27:18 2008] Crash report submission failed: Peer certificate
cannot be authenticated with known CA certificates
[Sat 28 Jun 2008 09:24:00 AM CEST] Crash report submission failed: Peer
certificate cannot be authenticated with known CA certificates
[Sat 28 Jun 2008 09:24:39 AM CEST] Crash report submission failed: Peer
certificate cannot be authenticated with known CA certificates
[Sat 02 Aug 2008 11:45:25 AM CEST] Crash report submission failed: Peer
certificate cannot be authenticated with known CA certificates

I'm currently using a nightly build with UA of "Mozilla/5.0 (X11; U; Linux i686;
en-US; rv:1.9.1a2pre) Gecko/2008080102 Minefield/3.1a2pre" - it's not in
portage, but eventually I can test with 3.1a1 from portage, using the crash me
extension.

------- Comment #1 From Raúl Porcel 2008-08-03 09:25:06 0000 -------
Not a Gentoo bug, report it upstream.

------- Comment #2 From Paweł Hajdan jr (ph) 2008-08-04 10:18:16 0000 -------
Mozilla closed the bug as invalid, see
https://bugzilla.mozilla.org/show_bug.cgi?id=448925#c1

This is their response: "So install the right set of CA certificates. Not our
problem."

Please re-check our CA list, or ask Mozilla specifically. I have
ca-certificates-20070303-r1.

------- Comment #3 From Raúl Porcel 2008-08-04 11:03:03 0000 -------
Adding base-system, since ca-certificates is their package.

------- Comment #4 From Doug Goldstein 2008-08-04 14:12:07 0000 -------
Except Mozilla's breakpad doesn't use any system CAs.... Mozilla has its own
set of CAs it installs completely separate.

Additionally, it might be worth knowing what server it's attempting to connect
to and what CA signed that server's certificate.

------- Comment #5 From Paweł Hajdan jr (ph) 2008-08-04 14:45:10 0000 -------
Created an attachment (id=162203) [details]
openssl info about crash-reports.mozilla.com

Using a sniffer I discovered that breakpad connects to
crash-reports.mozilla.com. This attachment is what could be retrieved using
openssl from the command line (the command is included in the file, as well as full
output).

I also detected traffic to dyna-services-amo.nslb.sj.mozilla.com, but it seems
to be irrelevant, as it's probably related to addons.mozilla.org (but I'm not
sure about that).

------- Comment #6 From Doug Goldstein 2008-08-04 15:06:30 0000 -------
ca-certificates provides the necessary cert...

openssl s_client -connect crash-reports.mozilla.com:443 -CApath /etc/ssl/certs

will result in a successful cert validation.

Breakpad needs to be configured to use /etc/ssl/certs in this case.

------- Comment #7 From Raúl Porcel 2008-08-04 15:30:14 0000 -------
Sigh, so Mozilla says it's not their problem, and firefox doesn't use external
certificates...so what? :/

------- Comment #8 From Raúl Porcel 2008-08-04 15:36:43 0000 -------
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/205992

Still, -bin has its own nss lib...so...in my opinion that certificate
crash-reports uses should be added to nss...we can't fix it.

------- Comment #9 From Paweł Hajdan jr (ph) 2008-08-04 17:07:00 0000 -------
Do you think I should re-open the upstream bug (maybe adding some additional
info to it)? How about including a link to this Gentoo bug?

------- Comment #10 From Raúl Porcel 2008-08-04 19:03:05 0000 -------
Yeah, if you want an answer yes. Thing is, whether we want to fix it or not, we
can't...

------- Comment #11 From Ted Mielczarek 2008-08-04 21:14:21 0000 -------
The crashreporter uses the system libcurl, not Firefox's built-in NSS. If your
libcurl doesn't have the necessary certs available, it will not work.

(We dlopen libcurl to get around SOversioning issues:
http://mxr.mozilla.org/mozilla-central/source/toolkit/crashreporter/google-breakpad/src/common/linux/http_upload.cc#70
)

------- Comment #12 From Paweł Hajdan jr (ph) 2008-08-06 09:12:26 0000 -------
After re-emerging curl with the nss USE flag disabled, breakpad could successfully
send reports, and curl could successfully validate Mozilla's certificate. Now
the possibilities of fixing this bug are much better.

------- Comment #13 From Raúl Porcel 2008-08-28 17:34:35 0000 -------
Removing base-system then.

The only fix here is adding a warning if someone has nss in their curl. What I
still don't understand is why that cert is not included in nss, but well.

Anyway, what version of firefox-bin are we talking about?

------- Comment #14 From Paweł Hajdan jr (ph) 2008-08-28 17:48:45 0000 -------
mozilla-firefox-bin-3.0.1-r1; I originally opened for nightly, but it also
happens with the in-portage version

------- Comment #15 From Raúl Porcel 2008-08-29 11:18:22 0000 -------
I've added an einfo for this.
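
The diagnosis reached in comments #11 and #12, written out as a triage script. This is an added example, not code from the bug thread, Gentoo or Mozilla: it reads the TLS library off the first line of `curl --version` output and counts the CA verification failures in a breakpad submit.log. The function names, result strings and sample version strings are constructed for illustration.

```shell
#!/bin/sh
# Added diagnostic sketch; the sample inputs below are constructed, not from the bug.
CA_ERR='Peer certificate cannot be authenticated with known CA certificates'

# Print the TLS library named on the first line of `curl --version` output,
# which lists linked libraries as name/version tokens (e.g. "NSS/3.12").
curl_tls_backend() {
    first_line=$(printf '%s\n' "$1" | head -n 1)
    for tok in $first_line; do
        case "$tok" in
            OpenSSL/*|NSS/*|GnuTLS/*) printf '%s\n' "${tok%%/*}"; return 0 ;;
        esac
    done
    printf 'unknown\n'
}

# Count CA verification failures in a breakpad submit.log read from stdin.
count_ca_failures() {
    grep -c -- "$CA_ERR" || true   # grep -c exits 1 on zero matches
}

# $1 = `curl --version` output, $2 = path to submit.log
diagnose() {
    backend=$(curl_tls_backend "$1")
    failures=$(count_ca_failures < "$2")
    if [ "$failures" -eq 0 ]; then
        printf 'ok\n'
    elif [ "$backend" = NSS ]; then
        printf 'ca-failures=%s backend=NSS: rebuild curl without the nss USE flag\n' "$failures"
    else
        printf 'ca-failures=%s backend=%s: check the CA path libcurl uses\n' "$failures" "$backend"
    fi
}

# Constructed demo inputs (version numbers are illustrative).
SAMPLE_NSS='curl 7.18.2 (i686-pc-linux-gnu) libcurl/7.18.2 NSS/3.12 zlib/1.2.3'
SAMPLE_OPENSSL='curl 7.18.2 (i686-pc-linux-gnu) libcurl/7.18.2 OpenSSL/0.9.8h zlib/1.2.3'
demo_log=$(mktemp)
printf '[Sat 02 Aug 2008 11:45:25 AM CEST] Crash report submission failed: %s\n' "$CA_ERR" > "$demo_log"
diagnose "$SAMPLE_NSS" "$demo_log"
diagnose "$SAMPLE_OPENSSL" "$demo_log"
rm -f "$demo_log"
```

On a live system, pass "$(curl --version)" and the path to the submit.log from the bug description as the two arguments to diagnose.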