Ticket #905 (closed Defect: fixed)

Opened 9 years ago

Last modified 9 years ago

Accessing downloads.deepamehta.de with a modern firefox not possible

Reported by: Malte Owned by:
Priority: Blocker Milestone: Release 4.8
Component: DeepaMehta Standard Distribution Version: 4.7
Keywords: Cc: JuergeN, jri, dgf
Complexity: 3 Area: Communications
Module:

Description

When I try to access http://download.deepamehta.de/ with my Firefox 42.0 I get automatically redirected to https://download.deepamehta.de/ but (since some time, I don't know exactly) I cannot place an exception for this "invalid certificate" anymore and thus I am unable to retrieve any page from the download.deepamehta.de pages with that standard Firefox.

The message on the site displayed by my firefox is:

This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.

I am assuming that I am not the only one since my Firefox is brand new (not configured or customized in that direction).

Same on https://api.deepamehta.de (and I cannot access api.deepamehta.de without HTTPS).

No such issues when running on Chromium.

Attachments

Screenshot from 2016-04-17 14:40:44.png (47.9 KB) - added by Malte 9 years ago.
This is the error message. HTTP redirects to HTTPS because of HSTS

Change History

comment:1 Changed 9 years ago by Malte

  • Priority changed from Major to Blocker

comment:2 follow-up: ↓ 8 Changed 9 years ago by jri

I can't reproduce this.

Opening http://download.deepamehta.de/ in Firefox works fine. No redirection takes place. The download listing appears.

https://download.deepamehta.de/ in contrast doesn't work at all. A Syseleven error page appears.

@JuergeN: Do we actually serve download.deepamehta.de via HTTPS? (I don't think this is necessary)

comment:3 Changed 9 years ago by jri

  • Status changed from new to closed
  • Resolution set to worksforme

Changed 9 years ago by Malte

This is the error message. HTTP redirects to HTTPS because of HSTS

comment:4 Changed 9 years ago by Malte

  • Status changed from closed to reopened
  • Resolution worksforme deleted

comment:5 Changed 9 years ago by Malte

When I want to access http://download.deepamehta.de/ I get, as I wrote, "automatically redirected to this error page". I couldn't browse download.deepamehta.de except using wget for nearly half a year now.

comment:6 Changed 9 years ago by jri

  • Cc JuergeN added; JueregN removed

comment:7 Changed 9 years ago by jri

Still I can't reproduce the problem.
The download page works fine in all my browsers.
Possibly a local (configuration) problem at Malte's side?
JuergeN can you please chime in here.

comment:8 in reply to: ↑ 2 Changed 9 years ago by jri

Replying to jri:

> I can't reproduce this.
>
> Opening http://download.deepamehta.de/ in Firefox works fine. No redirection takes place. The download listing appears.
>
> https://download.deepamehta.de/ in contrast doesn't work at all. A Syseleven error page appears.
>
> @JuergeN: Do we actually serve download.deepamehta.de via HTTPS? (I don't think this is necessary)

I can't see any redirection.

curl -i http://download.deepamehta.de

results in

HTTP/1.1 200 OK

@Malte: have you tried clearing Firefox's "Browsing & Download History"?

comment:9 Changed 9 years ago by Malte

I created this issue because I did not customize anything in my Firefox configuration and thus found it reasonable to assume that many other people are hit by our web server configuration.

Do you see an HSTS header returned by download.deepamehta.de with your curl client? Something like

Strict-Transport-Security: max-age=expireTime [; includeSubDomains] [; preload]

See docs on HSTS:
https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security

As my screenshot indicates, the actual issue is not the HSTS header but the outdated certificate, for which I am not allowed to add an exception. I could probably configure my FFOX to get around this but, as I said above, the reason to report this issue is that I expect others to be hit by it, so I refuse to configure my FFOX so that I might get around that odd certificate. That said, if we had a proper and free certificate for download.deepamehta.de the issue would not arise in the first place. I would suggest to employ HTTPS and utilize letsencrypt to create a proper and free cert; works like a charm for me and other sites.

comment:10 Changed 9 years ago by jri

My curl output looks like this:

curl -i http://download.deepamehta.de

HTTP/1.1 200 OK
Date: Sun, 17 Apr 2016 13:18:00 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: text/html;charset=ISO-8859-1

No HSTS header.

As this is an HTTP request, not HTTPS, why should certificates be an issue here?

To my knowledge the download page never worked with HTTPS, only HTTP.

No redirect happens on the server's behalf (as indicated by curl).

Sometimes in Firefox it looks like a redirect, but Firefox actually transforms the URL on its own, based on its Browsing & Download History. Thus my hint:

@Malte: have you tried clearing Firefox's "Browsing & Download History"?

Can you confirm you have tried this?

I don't expect you to configure something in your Firefox. Firefox Browsing & Download History is built automatically.

comment:11 Changed 9 years ago by jri

It works in your Chromium.
It works in my browsers (Safari, Firefox, Chrome).
It does NOT work in your Firefox.
To me this indicates the problem originates not at the server but in your Firefox.

Try clearing Firefox's "Browsing & Download History".

Other Firefox users will not experience the problem as they have another Browsing & Download History. (At least this is the way I see it.)

comment:12 follow-ups: ↓ 13 ↓ 14 Changed 9 years ago by Malte

> As this is an HTTP request, not HTTPS, why should certificates be an issue here?

Nothing, of course :) My browser does not allow me to receive the response for an HTTP request because I once successfully used HTTPS on the resource (which I did, as I could add exceptions when the self-signed cert was still valid), which is where I must have received an HSTS header for this domain, and FFOX has stored this now. So, to my understanding this issue might only affect people who earlier (before the certificate expired, see below, 2013) added a security exception for browsing https://download.deepamehta.de in their browser successfully. For these visitors the HSTS enforcement is kicking in now.

> No HSTS header.

Yes, this response is according to the specs (see below). I now understand that this HEADER is NOT sent back when requesting over HTTP.

Note: The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header.

> @Malte: have you tried clearing Firefox's "Browsing & Download History"?
>
> Can you confirm you have tried this?

Sorry, I cannot clear my browsing history for you, even if this would clear the HSTS flag set.
Please repair your CERT.

The reason i cannot access HTTPS seems to be the following:
download.deepamehta.de uses an invalid security certificate. The certificate is not trusted because the issuer certificate is unknown. The server might not be sending the appropriate intermediate certificates. An additional root certificate may need to be imported. The certificate is only valid for localhost The certificate expired on 23.03.2013 18:40. The current time is 17.04.2016 15:54. Error code: SEC_ERROR_UNKNOWN_ISSUER
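A toy model of the browser-side HSTS behaviour discussed in this comment, added here as an illustration; it is not part of the ticket or of the DeepaMehta code base. It parses Strict-Transport-Security values as RFC 6797 defines them, records a policy only from an HTTPS response without certificate errors, ignores the header on plain HTTP, upgrades later http:// navigations for a remembered host (and its subdomains when includeSubDomains was set), and lets the policy lapse once max-age has elapsed. The host names (download.example, api.download.example) and header values are constructed for the example.

```python
# Added example (not from the ticket or DeepaMehta): a toy browser HSTS store.
import time


def parse_hsts(value):
    """Parse an STS value (RFC 6797 s.6.1) into (max_age, include_subdomains, preload).

    Returns None if the value is malformed or lacks the mandatory max-age directive.
    """
    max_age, include_subdomains, preload = None, False, False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, val = directive.partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
    return None if max_age is None else (max_age, include_subdomains, preload)


class HstsStore:
    """Per-host HSTS memory; `clock` is injectable so the example can age entries."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.entries = {}          # host -> (expires_at, include_subdomains)

    def observe_response(self, host, scheme, cert_ok, headers):
        """Record a policy only from an HTTPS response with no certificate error (RFC 6797 s.8.1).

        On plain HTTP the header is ignored: an on-path attacker could inject or strip it.
        Returns True if the store changed.
        """
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        if value is None or scheme != "https" or not cert_ok:
            return False
        parsed = parse_hsts(value)
        if parsed is None:
            return False
        max_age, include_subdomains, _preload = parsed
        if max_age == 0:                       # max-age=0 asks the browser to forget the host
            return self.entries.pop(host, None) is not None
        self.entries[host] = (self.clock() + max_age, include_subdomains)
        return True

    def is_known(self, host):
        """True if host, or a parent domain with includeSubDomains, has an unexpired policy."""
        now = self.clock()
        labels = host.split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires_at, include_subdomains = entry
            if expires_at <= now:
                continue                       # policy has lapsed
            if i == 0 or include_subdomains:
                return True
        return False

    def rewrite_url(self, url):
        """Upgrade http:// to https:// for a known host before any request leaves the browser."""
        if url.startswith("http://"):
            rest = url[len("http://"):]
            if self.is_known(rest.split("/", 1)[0]):
                return "https://" + rest
        return url


def replay_scenario():
    """Replay the sequence from the ticket with constructed responses; returns the observations."""
    now = [1_000_000.0]                        # fake clock, advanced by hand in step 4
    store = HstsStore(clock=lambda: now[0])
    sts = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    out = {}
    # 1. Header on a plain HTTP response: must not set any policy.
    store.observe_response("download.example", "http", True, sts)
    out["ignored_over_http"] = not store.is_known("download.example")
    # 2. HTTPS, but certificate validation failed: still ignored per the RFC.
    store.observe_response("download.example", "https", False, sts)
    out["ignored_with_cert_error"] = not store.is_known("download.example")
    # 3. HTTPS with a valid certificate: policy recorded for a year, subdomains included.
    store.observe_response("download.example", "https", True, sts)
    out["recorded"] = store.is_known("download.example")
    out["upgraded_url"] = store.rewrite_url("http://download.example/")
    out["subdomain_covered"] = store.is_known("api.download.example")
    # 4. Once max-age has elapsed the browser drops the policy on its own.
    now[0] += 31536000 + 1
    out["expired"] = not store.is_known("download.example")
    return out
```

Calling `replay_scenario()` returns the observations for the four steps. The model follows the RFC strictly, so a response whose certificate failed validation sets nothing; what a particular browser does with a user-added certificate exception is not something this ticket settles. Once a policy is recorded, the client upgrades every later http:// navigation to that host before sending anything, which is why a stale or expired server certificate then blocks even the plain-HTTP download listing until max-age runs out, the server answers with max-age=0 over valid HTTPS, or the user clears the stored site data.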

comment:13 in reply to: ↑ 12 Changed 9 years ago by jri

Replying to Malte:

> Sorry, I cannot clear my browsing history for you, even if this would clear the HSTS flag set.
> Please repair your CERT.

HTTPS was never a requirement for the download page.
Yes, we could provide HTTPS, but who could force us to do so when our HTTP service runs perfectly fine?
Sorry, I'm out now.

comment:14 in reply to: ↑ 12 Changed 9 years ago by JuergeN

Replying to Malte:

> The reason I cannot access HTTPS seems to be the following:
> download.deepamehta.de uses an invalid security certificate.

I have just updated the certificate. Can you try again, please?

comment:15 Changed 9 years ago by Malte

Great, I have access to the download server with my Firefox again.
It would be great if you could do the same with the certificate for http://api.deepamehta.de - as the issue seems to apply there.

Thank you very much!

comment:16 Changed 9 years ago by JuergeN

  • Status changed from reopened to closed
  • Resolution set to fixed

Done.
