IRC Archive / Freenode / #firefox / 2015 / August / 28 / 1
criticalcat
What will cause firefox to bring up the client certificate prompt in response to a server's CertificateRequest during a TLS handshake?
kbrosnan
hm?
criticalcat
Current issue: I am connecting to a consul server that I control, it is requiring mutual authentication. But the client certificate window does not appear. Instead Firefox is sending a Certificate during the TLS handshake of length 0.
Client auth works when using https://auth.startssl.com for example
So I wonder if there is some x509 field or something that I need to make sure gets in there for firefox to cause the prompt to come up
kbrosnan
the cert supports tls 1.1 or higher?
if you created a custom cert and left fields blank I believe that can cause firefox to reject the cert
criticalcat
I did create the cert, should I just look at the required x509 fields for TLS 1.2?
does TLS 1.2 list all those out?
kbrosnan
i don't know offhand
criticalcat
I noticed in the startssl client certificate they issued, there's an additional field "Certificate Issuer Alt Name". Or maybe in my (bad) cert there is a CN or subject missing. checking again.
The certificate seems to be valid x509v3, has the required fields (I think...)
could it be that firefox wants the Subject to be an email address?
Doh, maybe I'm missing "Data Encipherment" from key usage.
some subtle difference - maybe gnutls 3 just generates a more interoperable certificate than gnutls 2
It is working. dunno if it was the version of gnutls or making the subject like an email address.
Johnyy
after updating firefox dev, every time i reboot it asks for me to update again
the same one
kbrosnan
firefox dev?
Johnyy
yes
kbrosnan
mozilla does not have such a build
tanath
kbrosnan, try putting yourself in the user's shoes
parsnip
so in OSX, can't open another firefox window from terminal. this works fine in Xubuntu.
Johnyy
kbrosnan, fu*king developer edition
cxd13
why would you want to open another firefox window from terminal. so much faster to use a keyboard shortcut
parsnip
cxd13: i am, but i am binding the keyboard shortcut to a slow applescript. thought things might go faster if i used command line argument --new-window.
cxd13: like so: http://sprunge.us/AGZS
cxd13
parsnip: sorry i don't use mac. hope you figure it out
parsnip
:)
ICantCook
What's going to happen to extensions like Ghostery, DownloadThemAll, BetterPrivacy when Firefox drops support for XUL and implements Chrome's webextensions API?
Will there be a fork for Firefox?
b0at
why ask about something that hasn't even started?
by the time the webextension api is capable of doing what they're promising, servo might be usable
which is part of the point of moving away from the current extension model: it's hard to work with multiple-processes and rendering engine changes
by the way, ghostery is run by advertising companies. i wouldn't trust it.
and once the WE api _is_ usable, the only thing downthemall would need special is to hook in as the replacement download manager, which is likely as not planned. so i think the developer is overreacting a bit.
i would rather have a browser whose guts i can reach into like firefox works now, but all development trends towards parallelization to get benefits in speed and encapsulation
ICantCook
So it's not necessarily all doom and gloom then
b0at
not at all. it's possible we won't notice a difference. they're even adding proper gesture, shortcut, and tab-styling apis!
that's all stuff that could have happened a long time ago
ICantCook
they said the same thing about Opera mobile when it became Chrome as well
but even now, the latest Opera doesn't have the same features I had in Opera 12
2 years ago
b0at
well, opera got re-written like five times and stayed closed source
ICantCook
true (closed source). People begged Opera to opensource it but they didn't.
I guess there's less need to panic here. Worst case scenario would be a fork
I'll check what you said about Ghostery
b0at
it's not impossible we'll all end up on a fork, but it's not yet necessary (and i'm not even counting iceweasel as different enough to be a fork)
despite the weird interface and privacy decisions mozilla has made, they're still interested in making software that does stuff, unlike google
the fact that gecko and moz's js engines are competitive with the mighty google's is evidence of that, to me
that's all to say i wouldn't worry about it becoming uncustomizable or kiosk-like
ryonaloli
are there any mitigations to https://www.mozilla.org/en-US/security/advisories/mfsa2015-94/ if updating to a newer version is not an option for now?
e.g. is there a way to disable <canvas> in about:config, or would disabling "page style" do it?
rctgamer3
ryonaloli: just update?
ryonaloli
rctgamer3: i can't do that at the moment (i'm on tails, so most likely they will come out with an official update before i manage to compile the new browser)
from googling, i can't tell if <canvas> requires javascript, or only css (i already have javascript disabled)
b0at
it requires javascript
but i'd suggest installing the "CanvasBlocker" extension anyway
even when you're not on Tor
https://developer.mozilla.org/en-US/docs/Web/API/Canvas_API/Tutorial shows how it generally works, fwiw
ryonaloli
how come? to avoid issues like this in the future, or because of canvas fingerprinting (an unrelated issue with canvas)?
yeah i read that page, the "usually with javascript" made me think <canvas> could be used even with js disabled
b0at
well, there's some fallback options and things, but those don't involve the possibility of that fingerprinting
ryonaloli
tor browser already blocks canvas fingerprinting so i'm not worried about that. it's just this race condition + use after free vuln thing i dislike.
but if disabling javascript totally mitigates it, then that's all good
b0at
the extension blocks calls to getContext() entirely, when properly configured, though it's possible TTB does that already (i wish they still used a separate extension with explicit options)
ryonaloli
i believe they do block all calls to getContext() with a patch, if i am remembering correctly
iirc the extension API isn't complete enough to allow for a single tor button extension anymore, so they need to patch it
b0at
yeah, but it would have been nice to be able to use outside of tor
ryonaloli
i agree
you can disable tor in tor browser though, and get the benefits of tor browser without requiring tor
parsnip
i want to get really good at using javascript plugins :)
oops, lame-joke fail. meant firefox plugins >.<
lapion
Hello I just updated to 40.0.3 and the webpage freezing problem persists
DamienCassou
hi
since I updated to firefox 40, firefox is crashing very often. I'm now at firefox 40.2 but still see a lot of crashes. It seems random
Cork
DamienCassou: check about:crashes
copy the first, possibly the two first ids and paste them here
DamienCassou
about:crashes is not valid
Cork
ok, so you're on linux and running a distro build?
DamienCassou
indeed
Cork
then try a mozilla build and see if you can reproduce the crash there
if you can't, tell the distro maintainer
DamienCassou
I can't take a mozilla build, my distro won't run any downloaded binary
Cork
O_o
DamienCassou
:-)
Cork
well then you would have to report it to the distro and have them look into it
DamienCassou
ok
Cork
i would say it is most likely a build inconsistency with a system lib
but it is impossible to say with this little info
DamienCassou
Cork
it can't really help you
you need a stacktrace of some sort to say what happens
and the default distro builds normally don't provide one
DamienCassou
if you tell me the parameters to pass to the build script, I can easily create a new firefox binary
Cork
you would have to build firefox with symbols, then you would have to run it through gdb
load the symbols and catch the crash
DamienCassou
it is -g or something?
Cork
you can't connect to the crash stat servers unless you run a mozilla or redhat build