Ticket #905 (closed Defect: fixed)
Accessing downloads.deepamehta.de with a modern firefox not possible
Reported by: Malte
Owned by:
Priority: Blocker
Milestone: Release 4.8
Component: DeepaMehta Standard Distribution
Version: 4.7
Keywords:
Cc: JuergeN, jri, dgf
Complexity: 3
Area: Communications
Module:
Description
When I try to access http://download.deepamehta.de/ with my Firefox 42.0 I get automatically redirected to https://download.deepamehta.de/ but (since some time, I don't know exactly when) I cannot add an exception for this "invalid certificate" anymore and thus I am unable to retrieve any page from download.deepamehta.de with that standard Firefox.
The message on the site displayed by my firefox is:
This site uses HTTP Strict Transport Security (HSTS) to specify that Firefox only connect to it securely. As a result, it is not possible to add an exception for this certificate.
I am assuming that I am not the only one since my Firefox is brand new (not configured or customized in that direction).
Same on https://api.deepamehta.de (and I cannot access api.deepamehta.de without HTTPS).
No such issues when running on Chromium.
Attachments
Change History
comment:2 follow-up: ↓ 8 Changed 9 years ago by jri
I can't reproduce this.
Opening http://download.deepamehta.de/ in Firefox works fine. No redirection takes place. The download listing appears.
https://download.deepamehta.de/ in contrast doesn't work at all. A Syseleven error page appears.
@JuergeN: Do we actually serve download.deepamehta.de via HTTPS? (I don't think this is necessary)
Changed 9 years ago by Malte
- Attachment Screenshot from 2016-04-17 14:40:44.png added
This is the error message. HTTP redirects to HTTPS because of HSTS
comment:4 Changed 9 years ago by Malte
- Status changed from closed to reopened
- Resolution worksforme deleted
comment:5 Changed 9 years ago by Malte
When I want to access http://download.deepamehta.de/ I get, as I wrote, "automatically redirected to this error page". I couldn't browse download.deepamehta.de except using wget for nearly half a year now.
comment:7 Changed 9 years ago by jri
Still I can't reproduce the problem.
The download page works fine in all my browsers.
Possibly a local (configuration) problem at Malte's side?
JuergeN, can you please chime in here.
comment:8 in reply to: ↑ 2 Changed 9 years ago by jri
Replying to jri:
I can't reproduce this.
Opening http://download.deepamehta.de/ in Firefox works fine. No redirection takes place. The download listing appears.
https://download.deepamehta.de/ in contrast doesn't work at all. A Syseleven error page appears.
@JuergeN: Do we actually serve download.deepamehta.de via HTTPS? (I don't think this is necessary)
I can't see any redirection.
curl -i http://download.deepamehta.de
results in
HTTP/1.1 200 OK
@Malte: have you tried clearing Firefox's "Browsing & Download History"
comment:9 Changed 9 years ago by Malte
I created this issue because I did not customize anything in my Firefox configuration and thus found it reasonable to assume that many other people are hit by our web server configuration.
Do you see an HSTS header returned by download.deepamehta.de with your curl client? Something like
Strict-Transport-Security: max-age=expireTime [; includeSubDomains] [; preload]
See docs on HSTS:
https://developer.mozilla.org/en-US/docs/Web/Security/HTTP_strict_transport_security
As my screenshot indicates, the actual issue is not the HSTS header but the outdated certificate, for which I am not allowed to add an exception. I could probably configure my FFOX to get around this but, as I said above, the reason to report this issue is that I expect others to be hit by it, so I refuse to configure my FFOX just so I might get around that odd certificate. That said, if we had a proper and free certificate for download.deepamehta.de the issue would not arise in the first place. I would suggest employing HTTPS and utilizing letsencrypt to create a proper and free cert; works like a charm for me and other sites.
comment:10 Changed 9 years ago by jri
My curl output looks like this:
curl -i http://download.deepamehta.de
HTTP/1.1 200 OK
Date: Sun, 17 Apr 2016 13:18:00 GMT
Server: Apache
Transfer-Encoding: chunked
Content-Type: text/html;charset=ISO-8859-1
No HSTS header.
As this is a HTTP request, not HTTPS, why should certificates be an issue here?
To my knowledge the download page never worked with HTTPS, only HTTP.
No redirect happens on the server's behalf (as indicated by curl).
Sometimes in Firefox it looks like a redirect, but Firefox actually transforms the URL on its own, based on its Browsing & Download History. Thus my hint:
@Malte: have you tried clearing Firefox's "Browsing & Download History"
Can you confirm you have tried this?
I don't expect you to configure something in your Firefox. Firefox Browsing & Download History is built automatically.
comment:11 Changed 9 years ago by jri
It works in your Chromium.
It works in my browsers (Safari, Firefox, Chrome).
It does NOT work in your Firefox.
To me this indicates the problem originates not at the server but in your Firefox.
Try clearing Firefox's "Browsing & Download History".
Other Firefox users will not experience the problem as they have another Browsing & Download History. (At least this is the way I see it.)
comment:12 follow-ups: ↓ 13 ↓ 14 Changed 9 years ago by Malte
As this is a HTTP request, not HTTPS, why should certificates be an issue here?
Nothing, of course :) My browser does not allow me to receive the response for an HTTP request to a resource on which I once successfully used HTTPS (which I did, as I could add exceptions back when the self-signed cert was still valid), which is where I must have received an HSTS header for this domain, and FFOX has stored this now. So, to my understanding, this issue might only affect people who earlier (before the certificate expired, see below: 2013) successfully added a security exception for browsing https://download.deepamehta.de in their browser. For these visitors the HSTS enforcement is kicking in now.
No HSTS header.
Yes, this response is according to the SPECs (see below). I now understand that this HEADER is NOT sent back when requesting HTTP.
Note: The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header.
@Malte: have you tried clearing Firefox's "Browsing & Download History"
Can you confirm you have tried this?
Sorry, i can not clear my browsing history for you, even if this would clear the HSTS flag set.
Please repair your CERT.
The reason i cannot access HTTPS seems to be the following:
download.deepamehta.de uses an invalid security certificate.
The certificate is not trusted because the issuer certificate is unknown.
The server might not be sending the appropriate intermediate certificates.
An additional root certificate may need to be imported.
The certificate is only valid for localhost
The certificate expired on 23.03.2013 18:40. The current time is 17.04.2016 15:54.
Error code: SEC_ERROR_UNKNOWN_ISSUER
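The behaviour Malte and jri are circling in the comments above (the header is only honoured over HTTPS with a clean certificate, the "redirect" is the browser rewriting the URL locally, and a certificate exception is then refused) is what RFC 6797 prescribes. The following is an added example, not part of this ticket, of DeepaMehta or of Firefox's code: a small Python model of a browser's HSTS store that replays the ticket's sequence against a fake clock and also covers includeSubDomains, max-age=0 and expiry, which the ticket does not discuss. The header values, the clock values and the "mirror." subdomain are constructed for the demonstration.

```python
# Added example: a small model of a browser's HSTS store (RFC 6797 semantics).
# Not DeepaMehta code and not Firefox's implementation; header values, the
# fake clock and the "mirror." subdomain used below are constructed for the demo.
import time
from urllib.parse import urlsplit, urlunsplit


def parse_sts_header(value):
    """Return (max_age, include_subdomains), or None for a malformed header
    (missing or duplicate max-age), which a user agent ignores (RFC 6797 s6.1)."""
    max_age, include_subdomains = None, False
    for directive in value.split(";"):
        name, _, val = directive.strip().partition("=")
        name, val = name.strip().lower(), val.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not val.isdigit():
                return None
            max_age = int(val)
        elif name == "includesubdomains":
            include_subdomains = True
    return None if max_age is None else (max_age, include_subdomains)


class HstsCache:
    """Per-host HSTS state: host -> (expires_at, include_subdomains)."""

    def __init__(self, now=time.time):
        self._now = now            # injectable clock so expiry can be simulated
        self._entries = {}

    def observe_response(self, url, headers, cert_ok):
        """Update state from one response; True if the header was honoured.
        Only a TLS response with no certificate error counts: over plain HTTP an
        on-path attacker could inject or strip the header, so it is ignored."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not cert_ok:
            return False
        value = next((v for k, v in headers.items()
                      if k.lower() == "strict-transport-security"), None)
        parsed = parse_sts_header(value) if value is not None else None
        if parsed is None:
            return False
        max_age, include_subdomains = parsed
        host = parts.hostname.lower()
        if max_age == 0:                       # max-age=0 removes the entry
            self._entries.pop(host, None)
        else:
            self._entries[host] = (self._now() + max_age, include_subdomains)
        return True

    def is_known_host(self, host):
        """Exact match, or a parent domain whose entry has includeSubDomains."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            candidate = ".".join(labels[i:])
            entry = self._entries.get(candidate)
            if entry is None:
                continue
            if entry[0] <= self._now():        # lapsed: forget it
                del self._entries[candidate]
            elif i == 0 or entry[1]:
                return True
        return False

    def rewrite(self, url):
        """Upgrade http:// to https:// for a known host before any request is sent.
        This is the 'redirect' the browser shows while curl sees a plain 200."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known_host(parts.hostname):
            return url
        netloc = parts.hostname
        if parts.port not in (None, 80):       # port 80 becomes the default 443
            netloc += f":{parts.port}"
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def may_add_cert_exception(self, host):
        """No click-through for a TLS error on a known HSTS host (RFC 6797 s12.1)."""
        return not self.is_known_host(host)


def replay_ticket_scenario():
    """Replay the sequence the ticket describes against a fake clock."""
    clock = [1_000_000.0]
    cache = HstsCache(now=lambda: clock[0])
    host = "download.deepamehta.de"
    sts = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}
    r = {}
    # 1. The header on a plain-HTTP response, or behind a certificate error,
    #    is ignored (the MDN note quoted above).
    r["http_ignored"] = not cache.observe_response(f"http://{host}/", sts, cert_ok=True)
    r["bad_cert_ignored"] = not cache.observe_response(f"https://{host}/", sts, cert_ok=False)
    # 2. One HTTPS response with a valid certificate pins the host.
    r["pinned"] = cache.observe_response(f"https://{host}/", sts, cert_ok=True)
    # 3. From then on the browser rewrites http:// itself and refuses an override.
    r["upgraded"] = cache.rewrite(f"http://{host}/dir/?x=1")
    r["subdomain_upgraded"] = cache.rewrite("http://mirror.download.deepamehta.de/")
    r["exception_allowed"] = cache.may_add_cert_exception(host)
    # 4. Once max-age has elapsed the entry lapses and plain HTTP works again.
    clock[0] += 31536000 + 1
    r["expired_plain"] = cache.rewrite(f"http://{host}/") == f"http://{host}/"
    return r
```

The practical consequence for a site operator is the one Malte draws: once a host has ever served a valid HSTS header, letting its certificate lapse locks out every browser that cached the entry until max-age expires, and no server-side change to the plain-HTTP listing can undo that. Renewing the certificate, as JuergeN does below, is the only fix that reaches those clients.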
comment:13 in reply to: ↑ 12 Changed 9 years ago by jri
Replying to Malte:
Sorry, i can not clear my browsing history for you, even if this would clear the HSTS flag set.
Please repair your CERT.
HTTPS was never a requirement for the download page.
Yes, we could provide HTTPS, but who could force us to do so when our HTTP service runs perfectly fine?
Sorry, I'm out now.
comment:14 in reply to: ↑ 12 Changed 9 years ago by JuergeN
Replying to Malte:
The reason i cannot access HTTPS seems to be the following:
download.deepamehta.de uses an invalid security certificate.
I have just updated the certificate. Can you try again, please.
comment:15 Changed 9 years ago by Malte
Great, i have access to the download server with my firefox again.
It would be great if you could do the same with the certificate for http://api.deepamehta.de - as the issue seems to apply there.
Thank you very much!
comment:16 Changed 9 years ago by JuergeN
- Status changed from reopened to closed
- Resolution set to fixed
Done.