MediaWiki 1.35 login fails with "Secure Connection Failed" and no error code (HTTP/2 related?)
[Update: This works correctly with HTTP/2 disabled, so it is somehow HTTP/2 related. Firefox's partner is terminated with ATS 8.0.2, so this is most likely an interaction with Traffic Server, but debugging help is still needed.]
I recently upgraded from MediaWiki 1.31 to 1.35 on Debian 10. Since this upgrade, attempts to log in with Firefox are impossible -- Safari and Chrome work fine. Firefox 96.0 displays the attached error "Secure Connection Failed" but no security error is provided. This seems to be a defect in Firefox, but I am having difficulty diagnosing further.
Looking at both server trace logs as well as the Firefox debugging tools, I see Firefox does an expected POST request to the login page:
POST https://newwiki.convivian.com/mediawiki/index.php?title=Special:UserLogin&returnto=Main Page
The MediaWiki server replies with a 302 Found and a redirect to the Main Page on successful login, but Firefox considers this response insecure in some way that is not indicated. The "Security" tab in DevTools shows no security errors on the transaction.
I am able to reproduce this on multiple machines running Firefox 96.0, as well as with Troubleshooting Mode enabled. No errors occur with other tested browsers.
Is there a way to extract further debugging information from the browser?
All Replies (7)
Unfortunately, there is no explanatory code on that error page which would be linked to a defect in the connection parameters, etc.
If you try the identical URL without it being a redirect, any difference in accessing it?
The 302 Redirect sets cookies to confirm a logged-in state (which are discarded due to this error), so going to the redirect page (https://newwiki.convivian.com/wiki/Main_Page) just results in a login request again.
I can give you a login to this wiki instance (it's empty) if you have better tools than I do; I just don't want to post the credentials publicly. :-) You can PM me here, or mail jered@convivian.com and I'll give you a test account.
It's clearly both 1) a Firefox issue, and 2) a server-side config matter that is tickling that issue -- I'd rather fix #2 first....
Firefox 96 turned on some new cookie-related features which can affect authentication, especially across related sites or between HTTP and HTTPS:
Hmm; interesting, but I don't think this is the issue here. The schema is https and the host doesn't change during the login process, so these cookie restrictions shouldn't be the issue (and even if so shouldn't produce the error in the screenshot above). It's really mystifying! Perhaps there's some way to enable more logging at the NSS layer on the client side?
More data: Disabling HTTP/2 causes things to work normally.
jered said
More data: Disabling HTTP/2 causes things to work normally.
This one? network.http.spdy.enabled.http2
Normally, if a server doesn't support HTTP/2, Firefox falls back to HTTP/1.1 without mentioning it. I'm connecting to the index page with 1.1. Of course, it says "Login required" so I guess the issue arises during the login process for some reason.
Here's the MDN page on logging: https://developer.mozilla.org/docs/Mozilla/Debugging/HTTP_logging
Yup; that setting. I suspect this is an incompatibility between Firefox 96 and my version of ATS -- disabling HTTP/2 on the server side also (unsurprisingly) resolves it.
The logging page is helpful, thank you! I'll try that and also see if upgrading ATS resolves things.