www/firefox can't connect to google.com

Solene Rapenne
Hello,

I upgraded my amd64 -current this morning (OpenBSD 6.0-current
(GENERIC.MP) #110: Thu Jan  5 20:32:18 MST 2017)

With the latest firefox version (firefox-50.1.0) I can't connect to
www.google.com, I get the following message

Your connection is not secure
The website tried to negotiate an inadequate level of security.
google.com uses security technology that is outdated and vulnerable to
attack. An attacker could easily reveal information which you thought to
be safe. The website administrator will need to fix the server first
before you can visit the site.
Error code: NS_ERROR_NET_INADEQUATE_SECURITY


I tried a few other SSL websites and they all work.

Re: www/firefox can't connect to google.com

Landry Breuil-5
On Fri, Jan 06, 2017 at 10:33:04AM +0100, Solène Rapenne wrote:

> Hello,
>
> I upgraded my amd64 -current this morning (OpenBSD 6.0-current (GENERIC.MP)
> #110: Thu Jan  5 20:32:18 MST 2017)
>
> With the latest firefox version (firefox-50.1.0) I can't connect to
> www.google.com, I get the following message
>
> Your connection is not secure
> The website tried to negotiate an inadequate level of security.
> google.com uses security technology that is outdated and vulnerable to
> attack. An attacker could easily reveal information which you thought to be
> safe. The website administrator will need to fix the server first before you
> can visit the site.
> Error code: NS_ERROR_NET_INADEQUATE_SECURITY
>
>
> I tried a few others SSL websites and they all works.

Iirc that's due to the fact that some certs were removed from cert.pem
and those were in the cert chain for google. Should be fixed or a fix is
in the works.

That's the perfect occasion to start using another search engine which
respects users' privacy :)

Landry

Re: www/firefox can't connect to google.com

Solene Rapenne
Le 2017-01-06 10:38, Landry Breuil a écrit :

> On Fri, Jan 06, 2017 at 10:33:04AM +0100, Solène Rapenne wrote:
>> Hello,
>>
>> I upgraded my amd64 -current this morning (OpenBSD 6.0-current
>> (GENERIC.MP)
>> #110: Thu Jan  5 20:32:18 MST 2017)
>>
>> With the latest firefox version (firefox-50.1.0) I can't connect to
>> www.google.com, I get the following message
>>
>> Your connection is not secure
>> The website tried to negotiate an inadequate level of security.
>> google.com uses security technology that is outdated and vulnerable to
>> attack. An attacker could easily reveal information which you thought
>> to be
>> safe. The website administrator will need to fix the server first
>> before you
>> can visit the site.
>> Error code: NS_ERROR_NET_INADEQUATE_SECURITY
>>
>>
>> I tried a few others SSL websites and they all works.
>
> Iirc that's due to the fact that some certs were removed from cert.pem
> and those were in the cert chain for google. Should be fixed or a fix
> is
> in the works.
>
> That's the perfect occasion to start using another search engine which
> respects users' privacy :)
>
> Landry

For what it's worth, the problem occurs with firefox-esr too, but it
doesn't show an error, it just fails silently and keeps the current
page viewed.

Re: www/firefox can't connect to google.com

Solene Rapenne
Le 2017-01-06 10:47, Solène Rapenne a écrit :

> Le 2017-01-06 10:38, Landry Breuil a écrit :
>> On Fri, Jan 06, 2017 at 10:33:04AM +0100, Solène Rapenne wrote:
>>> Hello,
>>>
>>> I upgraded my amd64 -current this morning (OpenBSD 6.0-current
>>> (GENERIC.MP)
>>> #110: Thu Jan  5 20:32:18 MST 2017)
>>>
>>> With the latest firefox version (firefox-50.1.0) I can't connect to
>>> www.google.com, I get the following message
>>>
>>> Your connection is not secure
>>> The website tried to negotiate an inadequate level of security.
>>> google.com uses security technology that is outdated and vulnerable
>>> to
>>> attack. An attacker could easily reveal information which you thought
>>> to be
>>> safe. The website administrator will need to fix the server first
>>> before you
>>> can visit the site.
>>> Error code: NS_ERROR_NET_INADEQUATE_SECURITY
>>>
>>>
>>> I tried a few others SSL websites and they all works.
>>
>> Iirc that's due to the fact that some certs were removed from cert.pem
>> and those were in the cert chain for google. Should be fixed or a fix
>> is
>> in the works.
>>
>> That's the perfect occasion to start using another search engine which
>> respects users' privacy :)
>>
>> Landry
>
> For what it worth, the problem occurs with firefox-esr too, but it
> doesn't
> show an error, it just fails silently and keep the current page viewed.

Thanks to johany@ on IRC, setting network.http.spdy.enabled.http2 to
false in about:config works as a workaround.

Re: www/firefox can't connect to google.com

Landry Breuil-5
On Fri, Jan 06, 2017 at 10:59:40AM +0100, Solène Rapenne wrote:

> Le 2017-01-06 10:47, Solène Rapenne a écrit :
> > Le 2017-01-06 10:38, Landry Breuil a écrit :
> > > On Fri, Jan 06, 2017 at 10:33:04AM +0100, Solène Rapenne wrote:
> > > > Hello,
> > > >
> > > > I upgraded my amd64 -current this morning (OpenBSD 6.0-current
> > > > (GENERIC.MP)
> > > > #110: Thu Jan  5 20:32:18 MST 2017)
> > > >
> > > > With the latest firefox version (firefox-50.1.0) I can't connect to
> > > > www.google.com, I get the following message
> > > >
> > > > Your connection is not secure
> > > > The website tried to negotiate an inadequate level of security.
> > > > google.com uses security technology that is outdated and
> > > > vulnerable to
> > > > attack. An attacker could easily reveal information which you
> > > > thought to be
> > > > safe. The website administrator will need to fix the server
> > > > first before you
> > > > can visit the site.
> > > > Error code: NS_ERROR_NET_INADEQUATE_SECURITY
> > > >
> > > >
> > > > I tried a few others SSL websites and they all works.
> > >
> > > Iirc that's due to the fact that some certs were removed from cert.pem
> > > and those were in the cert chain for google. Should be fixed or a
> > > fix is
> > > in the works.
> > >
> > > That's the perfect occasion to start using another search engine which
> > > respects users' privacy :)
> > >
> > > Landry
> >
> > For what it worth, the problem occurs with firefox-esr too, but it
> > doesn't
> > show an error, it just fails silently and keep the current page viewed.
>
> thanks to johany@ on IRC, setting network.http.spdy.enabled.http2 to false
> in
> about:config works as a workaround

Ah. Then maybe it's a fuckup with TLS1.3 in nss 3.28. Maybe 3.28.1 will fix
this. Or not.

Landry

Re: www/firefox can't connect to google.com

Stuart Henderson
In reply to this post by Landry Breuil-5
On 2017/01/06 10:38, Landry Breuil wrote:

> On Fri, Jan 06, 2017 at 10:33:04AM +0100, Solène Rapenne wrote:
> > Hello,
> >
> > I upgraded my amd64 -current this morning (OpenBSD 6.0-current (GENERIC.MP)
> > #110: Thu Jan  5 20:32:18 MST 2017)
> >
> > With the latest firefox version (firefox-50.1.0) I can't connect to
> > www.google.com, I get the following message
> >
> > Your connection is not secure
> > The website tried to negotiate an inadequate level of security.
> > google.com uses security technology that is outdated and vulnerable to
> > attack. An attacker could easily reveal information which you thought to be
> > safe. The website administrator will need to fix the server first before you
> > can visit the site.
> > Error code: NS_ERROR_NET_INADEQUATE_SECURITY
> >
> >
> > I tried a few others SSL websites and they all works.
>
> Iirc that's due to the fact that some certs were removed from cert.pem
> and those were in the cert chain for google. Should be fixed or a fix is
> in the works.

Firefox doesn't use cert.pem.

Re: www/firefox can't connect to google.com

Daniel Jakots-3
In reply to this post by Landry Breuil-5
On Fri, 6 Jan 2017 11:08:56 +0100, Landry Breuil <[hidden email]>
wrote:

> On Fri, Jan 06, 2017 at 10:59:40AM +0100, Solène Rapenne wrote:
> > Le 2017-01-06 10:47, Solène Rapenne a écrit :  
> > > Le 2017-01-06 10:38, Landry Breuil a écrit :  
> > > > On Fri, Jan 06, 2017 at 10:33:04AM +0100, Solène Rapenne
> > > > wrote:  
> > > > > Hello,
> > > > >
> > > > > I upgraded my amd64 -current this morning (OpenBSD 6.0-current
> > > > > (GENERIC.MP)
> > > > > #110: Thu Jan  5 20:32:18 MST 2017)
> > > > >
> > > > > With the latest firefox version (firefox-50.1.0) I can't
> > > > > connect to www.google.com, I get the following message
> > > > >
> > > > > Your connection is not secure
> > > > > The website tried to negotiate an inadequate level of
> > > > > security. google.com uses security technology that is
> > > > > outdated and vulnerable to
> > > > > attack. An attacker could easily reveal information which you
> > > > > thought to be
> > > > > safe. The website administrator will need to fix the server
> > > > > first before you
> > > > > can visit the site.
> > > > > Error code: NS_ERROR_NET_INADEQUATE_SECURITY
> > > > >
> > > > >
> > > > > I tried a few others SSL websites and they all works.  
> > > >
> > > > Iirc that's due to the fact that some certs were removed from
> > > > cert.pem and those were in the cert chain for google. Should be
> > > > fixed or a fix is
> > > > in the works.
> > > >
> > > > That's the perfect occasion to start using another search
> > > > engine which respects users' privacy :)
> > > >
> > > > Landry  
> > >
> > > For what it worth, the problem occurs with firefox-esr too, but it
> > > doesn't
> > > show an error, it just fails silently and keep the current page
> > > viewed.  
> >
> > thanks to johany@ on IRC, setting network.http.spdy.enabled.http2
> > to false in
> > about:config works as a workaround  
>
> Ah. Then maybe it's a fuckup with TLS1.3 in nss 3.28. Maybe 3.28.1
> will fix this. Or not.

FYI, still broken with 3.28.1.

Re: www/firefox can't connect to google.com

Landry Breuil-5
On Fri, Jan 06, 2017 at 10:43:08AM -0500, Daniel Jakots wrote:

> On Fri, 6 Jan 2017 11:08:56 +0100, Landry Breuil <[hidden email]>
> wrote:
>
> > On Fri, Jan 06, 2017 at 10:59:40AM +0100, Solène Rapenne wrote:
> > > Le 2017-01-06 10:47, Solène Rapenne a écrit :  
> > > > Le 2017-01-06 10:38, Landry Breuil a écrit :  
> > > > > On Fri, Jan 06, 2017 at 10:33:04AM +0100, Solène Rapenne
> > > > > wrote:  
> > > > > > Hello,
> > > > > >
> > > > > > I upgraded my amd64 -current this morning (OpenBSD 6.0-current
> > > > > > (GENERIC.MP)
> > > > > > #110: Thu Jan  5 20:32:18 MST 2017)
> > > > > >
> > > > > > With the latest firefox version (firefox-50.1.0) I can't
> > > > > > connect to www.google.com, I get the following message
> > > > > >
> > > > > > Your connection is not secure
> > > > > > The website tried to negotiate an inadequate level of
> > > > > > security. google.com uses security technology that is
> > > > > > outdated and vulnerable to
> > > > > > attack. An attacker could easily reveal information which you
> > > > > > thought to be
> > > > > > safe. The website administrator will need to fix the server
> > > > > > first before you
> > > > > > can visit the site.
> > > > > > Error code: NS_ERROR_NET_INADEQUATE_SECURITY
> > > > > >
> > > > > >
> > > > > > I tried a few others SSL websites and they all works.  
> > > > >
> > > > > Iirc that's due to the fact that some certs were removed from
> > > > > cert.pem and those were in the cert chain for google. Should be
> > > > > fixed or a fix is
> > > > > in the works.
> > > > >
> > > > > That's the perfect occasion to start using another search
> > > > > engine which respects users' privacy :)
> > > > >
> > > > > Landry  
> > > >
> > > > For what it worth, the problem occurs with firefox-esr too, but it
> > > > doesn't
> > > > show an error, it just fails silently and keep the current page
> > > > viewed.  
> > >
> > > thanks to johany@ on IRC, setting network.http.spdy.enabled.http2
> > > to false in
> > > about:config works as a workaround  
> >
> > Ah. Then maybe it's a fuckup with TLS1.3 in nss 3.28. Maybe 3.28.1
> > will fix this. Or not.
>
> FYI, still broken with 3.28.1.

Aaah, crap, now that rings a bell. Cf
https://bugzilla.mozilla.org/show_bug.cgi?id=1323209 and
https://bugzilla.mozilla.org/show_bug.cgi?id=1290037. Fuck. Fuckety Fuck.

So http/2 is broken with nss > 3.28... hm. I'm not sure waiting for 51 /
next esr release is the right solution, since that's planned for the 24.
Guess reverting the nss update is the solution. Sigh.

Landry

Re: www/firefox can't connect to google.com

Landry Breuil-5
On Fri, Jan 06, 2017 at 04:55:40PM +0100, Landry Breuil wrote:

> On Fri, Jan 06, 2017 at 10:43:08AM -0500, Daniel Jakots wrote:
> > On Fri, 6 Jan 2017 11:08:56 +0100, Landry Breuil <[hidden email]>
> > wrote:
> >
> > > On Fri, Jan 06, 2017 at 10:59:40AM +0100, Solène Rapenne wrote:
> > > > Le 2017-01-06 10:47, Solène Rapenne a écrit :  
> > > > > Le 2017-01-06 10:38, Landry Breuil a écrit :  
> > > > > > On Fri, Jan 06, 2017 at 10:33:04AM +0100, Solène Rapenne
> > > > > > wrote:  
> > > > > > > Hello,
> > > > > > >
> > > > > > > I upgraded my amd64 -current this morning (OpenBSD 6.0-current
> > > > > > > (GENERIC.MP)
> > > > > > > #110: Thu Jan  5 20:32:18 MST 2017)
> > > > > > >
> > > > > > > With the latest firefox version (firefox-50.1.0) I can't
> > > > > > > connect to www.google.com, I get the following message
> > > > > > >
> > > > > > > Your connection is not secure
> > > > > > > The website tried to negotiate an inadequate level of
> > > > > > > security. google.com uses security technology that is
> > > > > > > outdated and vulnerable to
> > > > > > > attack. An attacker could easily reveal information which you
> > > > > > > thought to be
> > > > > > > safe. The website administrator will need to fix the server
> > > > > > > first before you
> > > > > > > can visit the site.
> > > > > > > Error code: NS_ERROR_NET_INADEQUATE_SECURITY
> > > > > > >
> > > > > > >
> > > > > > > I tried a few others SSL websites and they all works.  
> > > > > >
> > > > > > Iirc that's due to the fact that some certs were removed from
> > > > > > cert.pem and those were in the cert chain for google. Should be
> > > > > > fixed or a fix is
> > > > > > in the works.
> > > > > >
> > > > > > That's the perfect occasion to start using another search
> > > > > > engine which respects users' privacy :)
> > > > > >
> > > > > > Landry  
> > > > >
> > > > > For what it worth, the problem occurs with firefox-esr too, but it
> > > > > doesn't
> > > > > show an error, it just fails silently and keep the current page
> > > > > viewed.  
> > > >
> > > > thanks to johany@ on IRC, setting network.http.spdy.enabled.http2
> > > > to false in
> > > > about:config works as a workaround  
> > >
> > > Ah. Then maybe it's a fuckup with TLS1.3 in nss 3.28. Maybe 3.28.1
> > > will fix this. Or not.
> >
> > FYI, still broken with 3.28.1.
>
> Aaah, crap, now that rings a bell. Cf
> https://bugzilla.mozilla.org/show_bug.cgi?id=1323209 and
> https://bugzilla.mozilla.org/show_bug.cgi?id=1290037. Fuck. Fuckety Fuck.
>
> So http/2 is broken with nss > 3.28... hm. I'm not sure waiting for 51 /
> next esr release is the right solution, since that's planned for the 24.
> Guess reverting the nss update is the solution. Sigh.

Two options (well, three):
- try rebuilding nss 3.28.1 without NSS_ENABLE_TLS_1_3=1, see if that
  helps (I think it's unrelated but who knows..)
- apply https://bug1290037.bmoattachments.org/attachment.cgi?id=8778661
  to firefox, rebuild - should fix it
- revert to 3.27.2 (I'd like to avoid this..)

Landry

Re: www/firefox can't connect to google.com

kwesterback


> On Jan 6, 2017, at 11:07 AM, Landry Breuil <[hidden email]> wrote:
>
>> On Fri, Jan 06, 2017 at 04:55:40PM +0100, Landry Breuil wrote:
>>> On Fri, Jan 06, 2017 at 10:43:08AM -0500, Daniel Jakots wrote:
>>> On Fri, 6 Jan 2017 11:08:56 +0100, Landry Breuil <[hidden email]>
>>> wrote:
>>>
>>>>> On Fri, Jan 06, 2017 at 10:59:40AM +0100, Solène Rapenne wrote:
>>>>> Le 2017-01-06 10:47, Solène Rapenne a écrit :  
>>>>>> Le 2017-01-06 10:38, Landry Breuil a écrit :  
>>>>>>> On Fri, Jan 06, 2017 at 10:33:04AM +0100, Solène Rapenne
>>>>>>> wrote:  
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I upgraded my amd64 -current this morning (OpenBSD 6.0-current
>>>>>>>> (GENERIC.MP)
>>>>>>>> #110: Thu Jan  5 20:32:18 MST 2017)
>>>>>>>>
>>>>>>>> With the latest firefox version (firefox-50.1.0) I can't
>>>>>>>> connect to www.google.com, I get the following message
>>>>>>>>
>>>>>>>> Your connection is not secure
>>>>>>>> The website tried to negotiate an inadequate level of
>>>>>>>> security. google.com uses security technology that is
>>>>>>>> outdated and vulnerable to
>>>>>>>> attack. An attacker could easily reveal information which you
>>>>>>>> thought to be
>>>>>>>> safe. The website administrator will need to fix the server
>>>>>>>> first before you
>>>>>>>> can visit the site.
>>>>>>>> Error code: NS_ERROR_NET_INADEQUATE_SECURITY
>>>>>>>>
>>>>>>>>
>>>>>>>> I tried a few others SSL websites and they all works.  
>>>>>>>
>>>>>>> Iirc that's due to the fact that some certs were removed from
>>>>>>> cert.pem and those were in the cert chain for google. Should be
>>>>>>> fixed or a fix is
>>>>>>> in the works.
>>>>>>>
>>>>>>> That's the perfect occasion to start using another search
>>>>>>> engine which respects users' privacy :)
>>>>>>>
>>>>>>> Landry  
>>>>>>
>>>>>> For what it worth, the problem occurs with firefox-esr too, but it
>>>>>> doesn't
>>>>>> show an error, it just fails silently and keep the current page
>>>>>> viewed.  
>>>>>
>>>>> thanks to johany@ on IRC, setting network.http.spdy.enabled.http2
>>>>> to false in
>>>>> about:config works as a workaround  
>>>>
>>>> Ah. Then maybe it's a fuckup with TLS1.3 in nss 3.28. Maybe 3.28.1
>>>> will fix this. Or not.
>>>
>>> FYI, still broken with 3.28.1.
>>
>> Aaah, crap, now that rings a bell. Cf
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1323209 and
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1290037. Fuck. Fuckety Fuck.
>>
>> So http/2 is broken with nss > 3.28... hm. I'm not sure waiting for 51 /
>> next esr release is the right solution, since that's planned for the 24.
>> Guess reverting the nss update is the solution. Sigh.
>
> Two options (well, three)
> - try rebuilding nss 3.28.1 without NSS_ENABLE_TLS_1_3=1, see if that
>  helps (i think it's unrelated but who knows..)
> - apply https://bug1290037.bmoattachments.org/attachment.cgi?id=8778661
>  to firefox, rebuild - should fixit
> - revert to 3.27.2 (id like to avoid this..)
>
> Landry
>

I like option two -- use the patch.

.... Ken

Re: www/firefox can't connect to google.com

Landry Breuil-5
In reply to this post by Landry Breuil-5
On Fri, Jan 06, 2017 at 05:07:54PM +0100, Landry Breuil wrote:

> On Fri, Jan 06, 2017 at 04:55:40PM +0100, Landry Breuil wrote:
> > On Fri, Jan 06, 2017 at 10:43:08AM -0500, Daniel Jakots wrote:
> > > On Fri, 6 Jan 2017 11:08:56 +0100, Landry Breuil <[hidden email]>
> > > wrote:
> > >
> > > > On Fri, Jan 06, 2017 at 10:59:40AM +0100, Solène Rapenne wrote:
> > > > > Le 2017-01-06 10:47, Solène Rapenne a écrit :  
> > > > > > Le 2017-01-06 10:38, Landry Breuil a écrit :  
> > > > > > > On Fri, Jan 06, 2017 at 10:33:04AM +0100, Solène Rapenne
> > > > > > > wrote:  
> > > > > > > > Hello,
> > > > > > > >
> > > > > > > > I upgraded my amd64 -current this morning (OpenBSD 6.0-current
> > > > > > > > (GENERIC.MP)
> > > > > > > > #110: Thu Jan  5 20:32:18 MST 2017)
> > > > > > > >
> > > > > > > > With the latest firefox version (firefox-50.1.0) I can't
> > > > > > > > connect to www.google.com, I get the following message
> > > > > > > >
> > > > > > > > Your connection is not secure
> > > > > > > > The website tried to negotiate an inadequate level of
> > > > > > > > security. google.com uses security technology that is
> > > > > > > > outdated and vulnerable to
> > > > > > > > attack. An attacker could easily reveal information which you
> > > > > > > > thought to be
> > > > > > > > safe. The website administrator will need to fix the server
> > > > > > > > first before you
> > > > > > > > can visit the site.
> > > > > > > > Error code: NS_ERROR_NET_INADEQUATE_SECURITY
> > > > > > > >
> > > > > > > >
> > > > > > > > I tried a few others SSL websites and they all works.  
> > > > > > >
> > > > > > > Iirc that's due to the fact that some certs were removed from
> > > > > > > cert.pem and those were in the cert chain for google. Should be
> > > > > > > fixed or a fix is
> > > > > > > in the works.
> > > > > > >
> > > > > > > That's the perfect occasion to start using another search
> > > > > > > engine which respects users' privacy :)
> > > > > > >
> > > > > > > Landry  
> > > > > >
> > > > > > For what it worth, the problem occurs with firefox-esr too, but it
> > > > > > doesn't
> > > > > > show an error, it just fails silently and keep the current page
> > > > > > viewed.  
> > > > >
> > > > > thanks to johany@ on IRC, setting network.http.spdy.enabled.http2
> > > > > to false in
> > > > > about:config works as a workaround  
> > > >
> > > > Ah. Then maybe it's a fuckup with TLS1.3 in nss 3.28. Maybe 3.28.1
> > > > will fix this. Or not.
> > >
> > > FYI, still broken with 3.28.1.
> >
> > Aaah, crap, now that rings a bell. Cf
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1323209 and
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1290037. Fuck. Fuckety Fuck.
> >
> > So http/2 is broken with nss > 3.28... hm. I'm not sure waiting for 51 /
> > next esr release is the right solution, since that's planned for the 24.
> > Guess reverting the nss update is the solution. Sigh.
>
> Two options (well, three)
> - try rebuilding nss 3.28.1 without NSS_ENABLE_TLS_1_3=1, see if that
>   helps (i think it's unrelated but who knows..)
> - apply https://bug1290037.bmoattachments.org/attachment.cgi?id=8778661
>   to firefox, rebuild - should fixit

Here are the full diffs for esr and mainline. I'll commit them when
someone confirms to me that this fixes the issue (can't test tonight).

Landry


fix-nss328-esr.diff (1K) Download Attachment
fix-nss328.diff (1K) Download Attachment

Re: www/firefox can't connect to google.com

kwesterback
On 01/06, Landry Breuil wrote:

> On Fri, Jan 06, 2017 at 05:07:54PM +0100, Landry Breuil wrote:
> > On Fri, Jan 06, 2017 at 04:55:40PM +0100, Landry Breuil wrote:
> > > On Fri, Jan 06, 2017 at 10:43:08AM -0500, Daniel Jakots wrote:
> > > > On Fri, 6 Jan 2017 11:08:56 +0100, Landry Breuil <[hidden email]>
> > > > wrote:
> > > >
> > > > > > On Fri, Jan 06, 2017 at 10:59:40AM +0100, Solène Rapenne wrote:
> > > > > > > Le 2017-01-06 10:47, Solène Rapenne a écrit :
> > > > > > > > Le 2017-01-06 10:38, Landry Breuil a écrit :
> > > > > > > > > On Fri, Jan 06, 2017 at 10:33:04AM +0100, Solène Rapenne
> > > > > > > > wrote:  
> > > > > > > > > Hello,
> > > > > > > > >
> > > > > > > > > I upgraded my amd64 -current this morning (OpenBSD 6.0-current
> > > > > > > > > (GENERIC.MP)
> > > > > > > > > #110: Thu Jan  5 20:32:18 MST 2017)
> > > > > > > > >
> > > > > > > > > With the latest firefox version (firefox-50.1.0) I can't
> > > > > > > > > connect to www.google.com, I get the following message
> > > > > > > > >
> > > > > > > > > Your connection is not secure
> > > > > > > > > The website tried to negotiate an inadequate level of
> > > > > > > > > security. google.com uses security technology that is
> > > > > > > > > outdated and vulnerable to
> > > > > > > > > attack. An attacker could easily reveal information which you
> > > > > > > > > thought to be
> > > > > > > > > safe. The website administrator will need to fix the server
> > > > > > > > > first before you
> > > > > > > > > can visit the site.
> > > > > > > > > Error code: NS_ERROR_NET_INADEQUATE_SECURITY
> > > > > > > > >
> > > > > > > > >
> > > > > > > > > I tried a few others SSL websites and they all works.  
> > > > > > > >
> > > > > > > > Iirc that's due to the fact that some certs were removed from
> > > > > > > > cert.pem and those were in the cert chain for google. Should be
> > > > > > > > fixed or a fix is
> > > > > > > > in the works.
> > > > > > > >
> > > > > > > > That's the perfect occasion to start using another search
> > > > > > > > engine which respects users' privacy :)
> > > > > > > >
> > > > > > > > Landry  
> > > > > > >
> > > > > > > For what it worth, the problem occurs with firefox-esr too, but it
> > > > > > > doesn't
> > > > > > > show an error, it just fails silently and keep the current page
> > > > > > > viewed.  
> > > > > >
> > > > > > thanks to johany@ on IRC, setting network.http.spdy.enabled.http2
> > > > > > to false in
> > > > > > about:config works as a workaround  
> > > > >
> > > > > Ah. Then maybe it's a fuckup with TLS1.3 in nss 3.28. Maybe 3.28.1
> > > > > will fix this. Or not.
> > > >
> > > > FYI, still broken with 3.28.1.
> > >
> > > Aaah, crap, now that rings a bell. Cf
> > > https://bugzilla.mozilla.org/show_bug.cgi?id=1323209 and
> > > https://bugzilla.mozilla.org/show_bug.cgi?id=1290037. Fuck. Fuckety Fuck.
> > >
> > > So http/2 is broken with nss > 3.28... hm. I'm not sure waiting for 51 /
> > > next esr release is the right solution, since that's planned for the 24.
> > > Guess reverting the nss update is the solution. Sigh.
> >
> > Two options (well, three)
> > - try rebuilding nss 3.28.1 without NSS_ENABLE_TLS_1_3=1, see if that
> >   helps (i think it's unrelated but who knows..)
> > - apply https://bug1290037.bmoattachments.org/attachment.cgi?id=8778661
> >   to firefox, rebuild - should fixit
>
> Here are the full diffs for esr and mainline. I'll commit them when
> someone confirms me this fixes the issue (cant test tonight)
>
> Landry
>

> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/www/firefox-esr/Makefile,v
> retrieving revision 1.44
> diff -u -r1.44 Makefile
> --- Makefile 14 Dec 2016 13:44:19 -0000 1.44
> +++ Makefile 6 Jan 2017 19:29:34 -0000
> @@ -8,6 +8,7 @@
>  MOZILLA_CODENAME = browser
>  BROKEN-sparc64 = xpcshell SIGBUS during fake
>  EXTRACT_SUFX = .tar.xz
> +REVISION = 0
>  
>  PKGNAME = ${MOZILLA_PROJECT}-esr-${MOZILLA_VERSION:S/esr//}
>  SO_VERSION = 3.0
> Index: patches/patch-netwerk_protocol_http_Http2Session_cpp
> ===================================================================
> RCS file: patches/patch-netwerk_protocol_http_Http2Session_cpp
> diff -N patches/patch-netwerk_protocol_http_Http2Session_cpp
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-netwerk_protocol_http_Http2Session_cpp 6 Jan 2017 19:29:34 -0000
> @@ -0,0 +1,18 @@
> +$OpenBSD$
> +
> +Bug 1290037: Fix HTTP/2 with nss 3.28.
> +https://hg.mozilla.org/mozilla-central/rev/361ac226da2a
> +
> +--- netwerk/protocol/http/Http2Session.cpp.orig Mon Jul 25 14:12:07 2016
> ++++ netwerk/protocol/http/Http2Session.cpp Fri Jan  6 19:46:48 2017
> +@@ -3521,8 +3521,8 @@ Http2Session::ConfirmTLSProfile()
> +     LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to DH %d < 2048\n",
> +           this, keybits));
> +     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
> +-  } else if (kea == ssl_kea_ecdh && keybits < 256) { // 256 bits is "security level" of 128
> +-    LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 256\n",
> ++  } else if (kea == ssl_kea_ecdh && keybits < 224) { // see rfc7540 9.2.1.
> ++    LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 224\n",
> +           this, keybits));
> +     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
> +   }
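
Review bot: the new comment on the `ssl_kea_ecdh` branch (`// see rfc7540 9.2.1.`) says where the 224-bit floor comes from, but neither it nor the description line "Fix HTTP/2 with nss 3.28." says which ECDH `keybits` value nss 3.28 reports that failed the old `keybits < 256` test. Add one line to the description above the `---` header naming the observed value, and keep a word of rationale next to the constant now that the old `"security level" of 128` comment is gone, so the next person touching this check can tell why the floor was lowered and whether it can go back up.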

> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/www/mozilla-firefox/Makefile,v
> retrieving revision 1.306
> diff -u -r1.306 Makefile
> --- Makefile 14 Dec 2016 13:30:34 -0000 1.306
> +++ Makefile 6 Jan 2017 19:29:04 -0000
> @@ -10,6 +10,7 @@
>  MOZILLA_CODENAME = browser
>  BROKEN-sparc64 = xpcshell SIGBUS during fake
>  EXTRACT_SUFX = .tar.xz
> +REVISION = 0
>  
>  SO_VERSION = 68.0
>  # NOTE: Must bump minor version if any shlib's are removed from the
> Index: patches/patch-netwerk_protocol_http_Http2Session_cpp
> ===================================================================
> RCS file: patches/patch-netwerk_protocol_http_Http2Session_cpp
> diff -N patches/patch-netwerk_protocol_http_Http2Session_cpp
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-netwerk_protocol_http_Http2Session_cpp 6 Jan 2017 19:29:04 -0000
> @@ -0,0 +1,18 @@
> +$OpenBSD$
> +
> +Bug 1290037: Fix HTTP/2 with nss 3.28.
> +https://hg.mozilla.org/mozilla-central/rev/361ac226da2a
> +
> +--- netwerk/protocol/http/Http2Session.cpp.orig Mon Oct 31 21:15:27 2016
> ++++ netwerk/protocol/http/Http2Session.cpp Fri Jan  6 20:19:41 2017
> +@@ -3542,8 +3542,8 @@ Http2Session::ConfirmTLSProfile()
> +     LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to DH %d < 2048\n",
> +           this, keybits));
> +     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
> +-  } else if (kea == ssl_kea_ecdh && keybits < 256) { // 256 bits is "security level" of 128
> +-    LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 256\n",
> ++  } else if (kea == ssl_kea_ecdh && keybits < 224) { // see rfc7540 9.2.1.
> ++    LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 224\n",
> +           this, keybits));
> +     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
> +   }
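
Review bot: the description at the top of this new patch file gives the bug number and the upstream revision link but does not say that it is a backport meant to be dropped later. It is the same change as the firefox-esr copy apart from the hunk offset (`-3542,8` here, `-3521,8` there), so both files will need removing at different times as each port moves to a release that contains rev 361ac226da2a. Stating that in the description of each copy would keep them from being carried forward by accident.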

I will toss this on the build cycle I was about to start. The non-ESR
one at least. Should know tomorrow or late tonight. :-)

.... Ken