Bugzilla Bug 233728

Every time my nightly mozilla-firefox-bin crashed, its crash reporter,
breakpad, told me it had a problem sending the report. Today I found its log in
.mozilla/firefox/Crash\ Reports/submit.log (as well as pending crash reports in
given directory). Here are the contents of the log:

[Fri Feb  1 18:24:39 2008] Crash report submission failed: Peer certificate
cannot be authenticated with known CA certificates
[Fri Feb  1 18:27:18 2008] Crash report submission failed: Peer certificate
cannot be authenticated with known CA certificates
[Sat 28 Jun 2008 09:24:00 AM CEST] Crash report submission failed: Peer
certificate cannot be authenticated with known CA certificates
[Sat 28 Jun 2008 09:24:39 AM CEST] Crash report submission failed: Peer
certificate cannot be authenticated with known CA certificates
[Sat 02 Aug 2008 11:45:25 AM CEST] Crash report submission failed: Peer
certificate cannot be authenticated with known CA certificates

I'm currently using nightly build with UA of "Mozilla/5.0 (X11; U; Linux i686;
en-US; rv:1.9.1a2pre) Gecko/2008080102 Minefield/3.1a2pre" - it's not in
portage, but eventually I can test with 3.1a1 from portage, using the crash me
extension.

Not a Gentoo bug, report it upstream.

Mozilla closed the bug as invalid, see
https://bugzilla.mozilla.org/show_bug.cgi?id=448925#c1

This is their response: "So install the right set of CA certificates. Not our
problem."

Please re-check our CA list, or ask Mozilla specifically. I have
ca-certificates-20070303-r1.

Adding base-system, since ca-certificates its their package.

Except Mozilla's breakpad doesn't use any system CAs.... Mozilla has it's own
set of CAs it installs completely separate.

Additionally, it might be worth knowing what server it's attempting to connect
to and what CA signed that servers certificate.

Created an attachment (id=162203) [details]
openssl info about crash-reports.mozilla.com

Using a sniffer I discovered that breakpad connects to
crash-reports.mozilla.com. This attachment is what could be retrieved using
openssl from comand line (the command is included in the file, as well as full
output).

I also detected traffic to dyna-services-amo.nslb.sj.mozilla.com, but it seems
to be irrelevant, as it's probably related to addons.mozilla.org (but I'm not
sure about that).

ca-certificates provides the necessary cert...

openssl s_client -connect crash-reports.mozilla.com:443 -CApath /etc/ssl/certs

will result in a successful cert validation.

Breakpad needs to be configured to use /etc/ssl/certs in this case.

Sigh, so Mozilla says its not their problem, and firefox doesn't use external
certificates...so what? :/

https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/205992

Still, -bin has its own nss lib...so...in my opinion that certificate
crash-reports uses should be add to nss...we can't fix it.

Do you think I should re-open the upstream bug (maybe adding some additional
info to it)? How about including link to this Gentoo bug?

Yeah, if you want an answer yes. Thing is, wether we want to fix it or not, we
can't...

The crashreporter uses the system libcurl, not Firefox's built-in NSS. If your
libcurl doesn't have the necessary certs available, it will not work.

(We dlopen libcurl to get around SOversioning issues:
http://mxr.mozilla.org/mozilla-central/source/toolkit/crashreporter/google-breakpad/src/common/linux/http_upload.cc#70
)

After re-emerging curl with nss USE flag disabled breakpad could successfully
send reports, and curl could successfully validate Mozilla's certificate. Now
possibilities of fixing this bug are much better.

Removing base-system then.

The only fix here is adding a warning if someone has nss in its curl. What i
still don't understand is why that cert is not included in nss, but well.

Anyway, what version of firefox-bin are we talking about?

mozilla-firefox-bin-3.0.1-r1; I originally opened for nightly, but it also
happens with in-portage version

I've added an einfo for this.