TCP FastOpen incompatibility #309

Closed
Eugene-Savenko opened this issue May 8, 2018 · 22 comments
Member

@Eugene-Savenko Eugene-Savenko commented May 8, 2018

Description

Unable to reach HTTPS websites; importing the certificate manually doesn't help.

Steps to reproduce

  1. Install Firefox 61.0b2
  2. Go to an HTTPS website, https://facebook.com for instance
  3. Import the cert from /Library/Application Support/com.adguard.Adguard/NfApiConfiguration/SSL
  4. Repeat step 2, still can't access

Actual behavior

Screenshots: [three images not preserved]

Customer ID

Originally reported here - 1858581, UPD: we were unable to reproduce

Your environment

  • Environment name and version: (e.g. Chrome 59): Firefox 61.0b2
  • Any specific potentially conflicting software installed: (e.g. antiviruses, firewalls, traffic counters, cleaners) none
  • macOS 10.13.3
  • AdGuard 1.5.6
@ameshkov ameshkov added this to the 1.5.7 milestone May 8, 2018

Member Author

@Eugene-Savenko Eugene-Savenko commented May 8, 2018

Q: Could you confirm that you have checked these boxes when importing?
[screenshot not preserved]
A: I originally only checked the first of the two, but trying again with both did not make any difference.

Q: Also, the problem might be in the Firefox Sync feature, are you using it?
A: I am not using Firefox Sync.

Q: Does the issue persist in the stable version of the browser?
A: Just tried now, and no it does not. Seems to be something that’s changed in Firefox 61. Interesting that it doesn’t seem to happen on your end though. Even though the issue is intermittent, it usually surfaces after navigating a couple pages or a couple of unique Google searches. I could try on another machine, but I can only get access to one in a week or so.

@Bo98 Bo98 commented May 8, 2018

A subtle note, but on HSTS websites it doesn't mention anything about HSTS like your screenshot.

So instead of this without any certificate imported, the error with the certificate imported is the same as non-HSTS websites as seen here.

The next Firefox Developer Edition update is 61.0b7 in two weeks' time, but I could opt into the beta channel and keep an eye on b3-b6 in the meantime.

Member

@ameshkov ameshkov commented May 8, 2018

I've failed to reproduce this issue in both FF Dev and nightly.

Could you please try it with a new FF profile?

Member

@ameshkov ameshkov commented May 8, 2018

> A subtle note, but on HSTS websites it doesn't mention anything about HSTS like your screenshot.

Hm, one moment, so you see the "secure connection failed" everywhere? It means that the problem might not be in the certificate -- something else is wrong.

@Bo98 Bo98 commented May 8, 2018

> Could you please try it with a new FF profile?

I've tried that and it did not make a difference.

> Hm, one moment, so you see the "secure connection failed" everywhere?

Well, only on HTTPS sites of course. But it doesn't go as far as detecting HSTS it seems, or at least the error doesn't indicate HSTS.

What's interesting is how it's intermittent. I can consistently reproduce it, but not on every page load.

Member

@ameshkov ameshkov commented May 8, 2018

> Well, only on HTTPS sites of course. But it doesn't go as far as detecting HSTS it seems, or at least the error doesn't indicate HSTS.

This is definitely not a certificate trust issue. This error indicates that the handshake fails.

Member

@ameshkov ameshkov commented May 8, 2018

Could you please do the following:

  1. Archive the /Library/Application Support/com.adguard.Adguard/NfApiConfiguration/SSL and send it to devteam at adguard.com
  2. Then let's reset the network configuration
    1. Exit AG
    2. Close all the browsers
    3. Delete that directory
    4. Run AG
    5. Run the FF dev and try reproducing the issue

@Bo98 Bo98 commented May 8, 2018

The issue still persists unfortunately, but I've sent the archive regardless.

Member

@ameshkov ameshkov commented May 8, 2018

@Stillness-2 plz prepare a debug build, we need network logs in order to troubleshoot this

Member

@Stillness-2 Stillness-2 commented May 8, 2018

@Bo98
Because we can't reproduce this issue, we ask you to collect logs. :)
This is a debug version for collecting network logs: https://uploads.adguard.com/AdGuard.app.zip
Please run it and reproduce the issue.
After that, send us all files from ~/Library/Logs/Adguard and the time when the issue occurred.

@Bo98 Bo98 commented May 8, 2018

Sent to devteam email.

Member

@ameshkov ameshkov commented May 8, 2018

@Bo98 could it be that you have another network-level filtering software?

Member

@ameshkov ameshkov commented May 8, 2018

@Bo98 and one more idea: go to about:config and try disabling network.tcp.tcp_fastopen_enable there

@Bo98 Bo98 commented May 8, 2018

> could it be that you have another network-level filtering software?

The closest I can think of is a VPN, but that was definitely not running at the time.

> and one more idea: go to about:config and try disabling network.tcp.tcp_fastopen_enable there

Yep, that seems to stop the issue from happening.

Member

@ameshkov ameshkov commented May 8, 2018

Awesome, thank you very much for confirming it!

@ameshkov ameshkov changed the title Secure connections are blocked in Firefox 61.0b2 even after importing the certificate manually TCP FastOpen incompatibility May 8, 2018

@Bo98 Bo98 commented May 8, 2018

That also explains why it worked in Firefox 60: it was disabled by default and now it's enabled by default as of 61.

Member

@ameshkov ameshkov commented May 8, 2018

It does not explain why it works on our side, though.

Member

@ameshkov ameshkov commented May 8, 2018

Anyway, the fix will arrive soon and I'd be grateful if you check it as you're the only one I know who experiences this issue :)

@Bo98 Bo98 commented May 8, 2018

I can do that. Let me know when it's ready and I'll give it a try.

Member

@Stillness-2 Stillness-2 commented May 14, 2018

@Bo98 This is a debug build with a fix (maybe): https://uploads.adguard.com/AdGuard-ffd.app.zip
Please check it.

@Bo98 Bo98 commented May 14, 2018

The fix seems to be working from my testing. Thanks!

Member

@ameshkov ameshkov commented May 14, 2018

Yay, thank you for testing it!

@zebrum zebrum closed this May 23, 2018