minj / foxtrick

FoxTrick is a browser extension for the Hattrick online football manager game, currently available for Firefox, Google Chrome, as well as for Opera.
https://www.foxtrick.org
GNU General Public License v3.0

update.rdf on HTTPS server with valid SSL certificate #798

Closed minj closed 9 years ago

minj commented 9 years ago

Original issue 798 created by ryan on 2011-08-18T02:40:22.000Z:

Currently the update.rdf only works for Firefox desktop, might need a dedicated update.rdf for Fennec.

minj commented 9 years ago

Comment #1 originally posted by ryan on 2011-08-18T02:40:44.000Z:

<empty>

Cc: -[ryan](mailto:ryan@ryanium.com), convincedd

minj commented 9 years ago

Comment #2 originally posted by ryan on 2011-08-18T02:40:58.000Z:

<empty>

Cc: [ryan](mailto:ryan@ryanium.com)

minj commented 9 years ago

Comment #3 originally posted by ryan on 2011-08-18T02:53:16.000Z:

The current server on ixwebhosting.com has the vulnerability of CVE-2009-3555, need to fix it or find a new server which doesn't have this issue.

Owner: [ryan](mailto:ryan@ryanium.com)

minj commented 9 years ago

Comment #4 originally posted by fkvulturul on 2011-08-20T11:56:14.000Z:

I can ask the ixwebhosting to try to fix this, where can I find description of the problem?

minj commented 9 years ago

Comment #5 originally posted by ryan on 2011-08-20T12:01:59.000Z:

I guess these:
http://tools.ietf.org/html/rfc5746
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-3555

Just asking them to update to a newer version of OpenSSL would do.

minj commented 9 years ago

Comment #6 originally posted by fkvulturul on 2011-08-20T12:39:29.000Z:

I have submitted a ticket, usually they answer quickly. I'll keep you posted ;)

minj commented 9 years ago

Comment #7 originally posted by ryan on 2011-08-20T12:41:41.000Z:

I'm not sure whether they will do this though, usually updating software on servers is not a decision to be taken lightly. Thanks for providing the host for such a long time. :-)

minj commented 9 years ago

Comment #8 originally posted by ryan on 2011-08-22T02:09:38.000Z:

@convincedd:

How did you find out that the ixwebhosting server has the CVE-2009-3555 problem? I don't see it on the error console of Firefox when navigating https://foxtrick.c6.ixwebhosting.com/nightly/

minj commented 9 years ago

Comment #9 originally posted by ryan on 2011-08-22T09:32:19.000Z:

I also have this problem with Firebug, failed to update from 1.8 to 1.8.1. From Firebug's net console panel I can see that both FoxTrick and Firebug's update.rdf's are correctly retrieved, but neither get updates. However, there is the line in error console when getting the update.rdf from getfirebug.com: getfirebug.com : server does not support RFC 5746, see CVE-2009-3555

No similar line for ixwebhosting.com.

minj commented 9 years ago

Comment #10 originally posted by convincedd on 2011-08-22T10:21:12.000Z:

I got this line for Fennec at least. For Firefox I don't remember, maybe I just made a test after the update failed.

minj commented 9 years ago

Comment #11 originally posted by ryan on 2011-08-22T11:57:29.000Z:

That's quite strange.

My current hosting has OpenSSL 0.9.8e and it also has this issue, versions >= 0.9.8l don't. I guess we may need to find another host, or...

@ljushaff (a.k.a. fkvulturul): Could you deliver the message that they need to update OpenSSL to at least 0.9.8l? Thanks.

Cc: ljushaff

minj commented 9 years ago

Comment #12 originally posted by ljushaff on 2011-08-22T12:10:21.000Z:

Done.

Dear Ljubisa, thank you for contacting our technical support team.

I have sent your concerns to our system administrators for further investigation. Please wait for a while, we will get back to you shortly. Thank you for the patience.

Kind regards, Jenny Danilenko Technical Support

minj commented 9 years ago

Comment #13 originally posted by ryan on 2011-08-22T13:28:40.000Z:

Seems quite strange, I have a Windows 7 box with Firefox 6.0 and FoxTrick 0.7.9.7110 installed, and it can be updated to a newer version....

minj commented 9 years ago

Comment #14 originally posted by convincedd on 2011-08-22T13:44:43.000Z:

tried again. still get with win7, ff6, ft 0.7.9.7098

Warnung: WARN addons.updates: HTTP Request failed for an unknown reason Quelldatei: resource:///modules/AddonUpdateChecker.jsm Zeile: 516

the first try and

versioncheck.addons.mozilla.org : server does not support RFC 5746, see CVE-2009-3555

the second time

minj commented 9 years ago

Comment #15 originally posted by convincedd on 2011-08-22T13:47:36.000Z:

oh, and it can get updated, but only manually if that is what you said. (also tested with 0.7.9.7110 now. no autoupdate as well)

minj commented 9 years ago

Comment #16 originally posted by ryan on 2011-08-22T13:52:13.000Z:

But when I was using 9.0a1 on Linux earlier today, updating didn't work even if manually. Will try lower versions of Firefox on that machine tomorrow and see what happens.

minj commented 9 years ago

Comment #17 originally posted by convincedd on 2011-08-22T14:06:24.000Z:

I've got the exact same behaviour for FF 9.0a1 on Win7 as I got with FF6, manual yes, automatic no.

minj commented 9 years ago

Comment #18 originally posted by ryan on 2011-08-22T14:07:28.000Z:

What is your setting of security.ssl.require_safe_negotiation? False here. Seems that turning it on will result in the warnings.

References:
https://bugzilla.mozilla.org/show_bug.cgi?id=555952
https://bugzilla.mozilla.org/show_bug.cgi?id=535649

minj commented 9 years ago

Comment #19 originally posted by convincedd on 2011-08-22T14:15:40.000Z:

I messed with those in Fennec to allow unsafe update URLs. Didn't help.

As for FF6:
security.ssl.allow_unrestricted_renego_everywhere__temporarily_available_pref;false
security.ssl.renego_unrestricted_hosts; (empty)
security.ssl.require_safe_negotiation;false
security.ssl.treat_unsafe_negotiation_as_broken;false
security.ssl.warn_missing_rfc5746;1

So they are all still the default values.

minj commented 9 years ago

Comment #20 originally posted by ryan on 2011-08-22T14:25:19.000Z:

Same here, maybe it's different on Linux, I'll check.

minj commented 9 years ago

Comment #21 originally posted by convincedd on 2011-08-22T14:30:02.000Z:

oh, and with those defaults it should still autoupdate, right? doesn't though

minj commented 9 years ago

Comment #22 originally posted by ryan on 2011-08-22T14:33:07.000Z:

I don't know for me since I only use this Windows for about two hours every day. It's indeed strange and after checking tomorrow I will create a bug on Bugzilla if still puzzling.

minj commented 9 years ago

Comment #23 originally posted by ryan on 2011-08-23T14:28:48.000Z:

Well, auto update works here today on Windows....

minj commented 9 years ago

Comment #24 originally posted by convincedd on 2011-08-23T15:41:02.000Z:

not for me. tried to downgrade and use check-for-updates feature?

minj commented 9 years ago

Comment #25 originally posted by fkvulturul on 2011-08-23T19:17:34.000Z:

Guys this is the answer I got:

Dear Ljubisa Vrencev,

The status of your ticket (1560281) has been changed from Working to Answered by Yuliya G.

This update was added: Dear Ljubisa,

Let me please inform you that the latest available vendor's build of openssl (openssl-0.9.8e-20.el5.i686) for CentOS-5 and RHES-5 is installed on that server and it must incorporate fixes for all currently known security problems. Please check it from your end once again and let us know if you need further assistance. Thank you for cooperation with us.

Kind regards, Yuliya Gordeeva Technical Support Dpt.

minj commented 9 years ago

Comment #26 originally posted by convincedd on 2011-08-23T19:57:30.000Z:

did a bit of googling. seems redhat wasn't happy with the standard solution and they made their own or so. see https://bugzilla.redhat.com/show_bug.cgi?id=533125#c37

also:
https://access.redhat.com/kb/docs/DOC-20491#Updates_adding_RFC_5746_support
https://access.redhat.com/kb/docs/DOC-28439

minj commented 9 years ago

Comment #27 originally posted by ljushaff on 2011-08-23T20:06:09.000Z:

So what should I tell these guys at ixwebhosting? Close the ticket?

minj commented 9 years ago

Comment #28 originally posted by ryan on 2011-08-24T06:56:40.000Z:

Thanks, closing would be fine then. openssl-0.9.8e-20.el5.i686 should have already fixed the bug:
https://bugzilla.redhat.com/show_bug.cgi?id=560681
http://rhn.redhat.com/errata/RHBA-2011-1010.html

Maybe it's something wrong with Firefox, I've opened a ticket at Mozilla: https://bugzilla.redhat.com/show_bug.cgi?id=560681

minj commented 9 years ago

Comment #29 originally posted by ryan on 2011-08-24T10:24:19.000Z:

Well, link to Mozilla's Bugzilla was wrong, it's: https://bugzilla.mozilla.org/show_bug.cgi?id=681573

They found out that it was not related to CVE-2009-3555 but due to missing intermediate CA: http://www.sslshopper.com/ssl-checker.html#hostname=foxtrick.c6.ixwebhosting.com

I think it should be much easier to fix.

@ljushaff: Could you ask them to put a correct chain certificate? Just give this link to them: https://bugzilla.mozilla.org/show_bug.cgi?id=681573
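The two server-side causes suspected in this thread, a server without RFC 5746 secure renegotiation (comments #5 and #18) and, as it turned out, a server that sends no intermediate CA certificate (this comment), can both be read off the output of `openssl s_client -showcerts`. The shell function below is an added example, not code from the FoxTrick project: it parses that output and reports which of the two problems is present. The abbreviated transcripts it runs on are constructed for an offline demonstration; the host names and the PEM bodies in them are placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the FoxTrick project): triage the diagnostics that
# `openssl s_client` prints for a TLS server, covering the two failure modes
# discussed in this thread:
#   1. no RFC 5746 secure renegotiation (the CVE-2009-3555 fix), and
#   2. an incomplete certificate chain (intermediate CA not sent).
# Against a live host you would run (not executed here):
#   openssl s_client -connect HOST:443 -servername HOST -showcerts </dev/null 2>&1 | tls_triage
# tls_triage prints one finding per line and returns 1 if anything is wrong.

tls_triage() {
    out=$(cat)
    rc=0

    # s_client prints exactly one of "Secure Renegotiation IS supported" or
    # "Secure Renegotiation IS NOT supported" after the handshake.
    if printf '%s\n' "$out" | grep -q 'Secure Renegotiation IS NOT supported'; then
        echo "RENEGO: server does not support RFC 5746 secure renegotiation"
        rc=1
    fi

    # How many certificates the server actually sent (-showcerts dumps each one).
    sent=$(printf '%s\n' "$out" | grep -c -e '-----BEGIN CERTIFICATE-----' || true)
    # The numeric verify result, e.g. "Verify return code: 21 (unable to verify the first certificate)".
    code=$(printf '%s\n' "$out" | sed -n 's/^Verify return code: \([0-9]*\).*/\1/p' | tail -n 1)

    case "$code" in
        0) ;;  # chain built and verified against the local trust store
        20|21)
            # 20 "unable to get local issuer certificate" and 21 "unable to verify
            # the first certificate": the leaf's issuer was found neither among the
            # certificates the server sent nor in the local trust store. With a
            # single certificate sent this is the classic missing-intermediate
            # misconfiguration; with several sent it is more likely an untrusted
            # root or a mis-ordered chain.
            if [ "$sent" -le 1 ]; then
                echo "CHAIN: $sent certificate sent and its issuer is unknown: intermediate CA missing"
            else
                echo "CHAIN: $sent certificates sent but the chain did not verify (code $code): check ordering or trust store"
            fi
            rc=1 ;;
        "")
            echo "CHAIN: no 'Verify return code' line found (handshake failed?)"
            rc=1 ;;
        *)
            echo "CHAIN: verification failed with code $code"
            rc=1 ;;
    esac
    return $rc
}

# Constructed, abbreviated s_client transcripts (the PEM bodies are placeholders,
# not real certificates) so the function can be exercised offline.
SAMPLE_BROKEN='CONNECTED(00000003)
depth=0 CN = www.example
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:CN = www.example
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
---
Secure Renegotiation IS NOT supported
---
Verify return code: 21 (unable to verify the first certificate)'

SAMPLE_OK='CONNECTED(00000003)
depth=2 CN = Example Root CA
verify return:1
---
Certificate chain
 0 s:CN = www.example
   i:CN = Example Intermediate CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
-----END CERTIFICATE-----
 1 s:CN = Example Intermediate CA
   i:CN = Example Root CA
-----BEGIN CERTIFICATE-----
PLACEHOLDERyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyyy
-----END CERTIFICATE-----
---
Secure Renegotiation IS supported
---
Verify return code: 0 (ok)'

echo "== constructed broken server =="
printf '%s\n' "$SAMPLE_BROKEN" | tls_triage || echo "(exit status $?)"
echo "== constructed healthy server =="
printf '%s\n' "$SAMPLE_OK" | tls_triage && echo "no findings"
```

One caveat that fits the contradictory browser results in comments #13 and #14: a Firefox profile that has already seen the missing intermediate on some other site keeps it in its certificate store and will build the chain from there, so the same server validates in one profile and fails in another. A standalone client such as `s_client`, which carries no such cache, gives a consistent answer and is the better check after a hosting provider reports the chain as fixed.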

minj commented 9 years ago

Comment #30 originally posted by ljushaff on 2011-08-24T10:39:32.000Z:

I did, we will see what happens ...

minj commented 9 years ago

Comment #31 originally posted by ljushaff on 2011-08-24T13:08:19.000Z:

The status of your ticket (1560281) has been changed from Working to Open by Dennis F.

This update was added: Dear Ljubisa, Thank you for contacting tech support.

Once again let me express our most sincere apologies for this inconvenience. To check the issue further I have forwarded your ticket to our administrators. Please wait for their reply. Thank you for your patience and kind understanding.

Kind regards, Dennis Fischuk Technical Support 24/7 Live Chat

minj commented 9 years ago

Comment #32 originally posted by ryan on 2011-08-24T13:13:48.000Z:

Nicer attitude than my host provider. :-)

minj commented 9 years ago

Comment #33 originally posted by ljushaff on 2011-08-24T14:39:45.000Z:

These ones really take care, I am very happy with them :D

minj commented 9 years ago

Comment #34 originally posted by ryan on 2011-08-28T09:46:08.000Z:

<empty>

Labels: -Milestone-1.0, Milestone-0.8

minj commented 9 years ago

Comment #35 originally posted by ryan on 2011-09-01T07:43:35.000Z:

@ljushaff: The certificate on ixwebhosting is not that important now as I have set up HTTPS on foxtrick.org. Thanks for providing the space over the months, personally I am very grateful. :-)

minj commented 9 years ago

Comment #36 originally posted by ljushaff on 2011-09-01T08:14:36.000Z:

Should I put the automatic redirection to http://foxtrick.org/nightly ?

minj commented 9 years ago

Comment #37 originally posted by ryan on 2011-09-01T09:58:15.000Z:

We will need to do that in near future, but only after I set up the stuffs on the new server. Thank you. :-)

minj commented 9 years ago

Comment #38 originally posted by ljushaff on 2011-09-01T12:12:36.000Z:

Meanwhile I got the final reply from IXwebhosting

The status of your ticket (1560281) has been changed from Open to Answered by Jenny D.

This update was added: Dear Ljubisa,

I'm glad to inform you that the issue has been successfully fixed by our system administrators at your web server, certificate chain is complete now and shared ssl certificate is working properly. Thank you for the patience.

If you have any further questions, please feel free to contact us at anytime. We are available 24/7.

Kind regards, Jenny Danilenko Technical Support

minj commented 9 years ago

Comment #39 originally posted by ljushaff on 2011-09-01T12:15:00.000Z:

I have checked it and it really works

http://www.sslshopper.com/ssl-checker.html#hostname=foxtrick.c6.ixwebhosting.com

minj commented 9 years ago

Comment #40 originally posted by ryan on 2011-09-01T12:21:46.000Z:

Terrific, when I see that the installation on my Linux box got auto updated. Wasn't even working when I last checked two hours ago. We could expect smooth migration then…

minj commented 9 years ago

Comment #41 originally posted by ryan on 2011-09-01T15:28:09.000Z:

Solved now.

Status: Done