Bug 247221 - dev-libs/nss and www-client/mozilla-firefox not built with ECC support
Summary: dev-libs/nss and www-client/mozilla-firefox not built with ECC support
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: New packages
Hardware: All All
Importance: High normal
Assignee: Mozilla Gentoo Team
URL: https://comodoecccertificationauthori...
Reported: 2008-11-17 15:48 UTC by Rob Stradling
Modified: 2008-12-12 10:21 UTC
Description Rob Stradling 2008-11-17 15:48:30 UTC
The official Firefox 2.x and 3.x builds from Mozilla ship with a build of NSS that is compiled with NSS_ENABLE_ECC=1.  See https://developer.mozilla.org/en/NSS_reference/Building_and_installing_NSS/Build_instructions for more info.
These browsers can successfully browse to the URL I've quoted (which is an HTTPS site that uses an SSL Certificate with an elliptic curve key).

The Gentoo dev-libs/nss ebuild appears to be omitting the NSS_ENABLE_ECC make variable, so it is being built without ECC support.  As a result, browsing with www-client/mozilla-firefox to the test URL returns an error page with the message "Error code: ssl_error_no_cypher_overlap".
I'm guessing (although I haven't tried it in a while) that www-client/mozilla-firefox-bin has the same problem.

Please would you modify the dev-libs/nss build scripts to specify NSS_ENABLE_ECC=1 ?
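
The failure described in this report, as an added example (not part of the original bug report and not NSS code): a Python sketch that decodes a ClientHello cipher_suites vector and lists the offered suites that a server holding only an elliptic-curve-key certificate could select, using the suite ID ranges from RFC 4492. The two offers are constructed samples, and treating a build without NSS_ENABLE_ECC=1 as offering no RFC 4492 suites is an assumption of this model.

```python
import struct

# Key-exchange families by cipher suite ID range, from RFC 4492 section 6.
# Every family here needs elliptic-curve code in the client.
ECC_FAMILIES = [
    (0xC001, 0xC005, "ECDH_ECDSA"),
    (0xC006, 0xC00A, "ECDHE_ECDSA"),
    (0xC00B, 0xC00F, "ECDH_RSA"),
    (0xC010, 0xC014, "ECDHE_RSA"),
    (0xC015, 0xC019, "ECDH_anon"),
]
# Families whose server certificate carries an elliptic curve public key.
EC_CERT_FAMILIES = {"ECDH_ECDSA", "ECDHE_ECDSA", "ECDH_RSA"}


def parse_cipher_suites(vector: bytes) -> list:
    """Decode the ClientHello cipher_suites vector: uint16 length, then uint16 IDs."""
    if len(vector) < 2:
        raise ValueError("truncated cipher_suites vector")
    (length,) = struct.unpack_from("!H", vector, 0)
    if length % 2 or length != len(vector) - 2:
        raise ValueError("bad cipher_suites length")
    return list(struct.unpack_from("!%dH" % (length // 2), vector, 2))


def family(suite_id: int):
    """Return the RFC 4492 key-exchange family of a suite ID, or None."""
    for low, high, name in ECC_FAMILIES:
        if low <= suite_id <= high:
            return name
    return None  # not an RFC 4492 suite (e.g. RSA or DHE_RSA key exchange)


def usable_with_ec_cert(vector: bytes) -> list:
    """Offered suites that a server holding only an EC-key certificate could pick."""
    return [s for s in parse_cipher_suites(vector) if family(s) in EC_CERT_FAMILIES]


# Constructed samples (not captures): an offer with no ECC suites, modelling a
# build without NSS_ENABLE_ECC=1 (assumption), and an offer that adds ECC suites.
NO_ECC_OFFER = bytes.fromhex("0008" "0039" "0035" "0033" "002f")
ECC_OFFER = bytes.fromhex("000c" "c00a" "c014" "c009" "c013" "0035" "002f")

if __name__ == "__main__":
    for label, offer in (("without ECC", NO_ECC_OFFER), ("with ECC", ECC_OFFER)):
        hits = usable_with_ec_cert(offer)
        print(label, [hex(s) for s in hits] or "no overlap with an EC-key server")
```

An empty result for the first offer is the condition the browser reports as ssl_error_no_cypher_overlap: nothing the client offers can be authenticated with the server's elliptic curve key.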
Comment 1 Raúl Porcel (RETIRED) gentoo-dev 2008-11-25 14:50:25 UTC
Added to -r1, thanks.
Comment 2 Rob Stradling 2008-11-26 07:40:50 UTC
Thanks Raúl.

With dev-libs/nss-3.12-r1 and www-client/mozilla-firefox-3.0.4-r1 I now get the message "Error code: sec_error_untrusted_issuer".  This shows that ECC is now working, but it's still not behaving quite like vanilla Firefox 3.0.4.

https://bugzilla.mozilla.org/show_bug.cgi?id=450427 comment #20 indicates that Mozilla are shipping Firefox 3.0.4 with a custom version of NSS that has the tag NSS_3_12_1_WITH_CKBI_1_72_RTM.
But dev-libs/nss-3.12-r1 presumably has the tag NSS_3_12_RTM.

Could you upgrade dev-libs/nss to NSS_3_12_1_WITH_CKBI_1_72_RTM?

Or are you only prepared to use the NSS releases that get published to ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/ ?
Comment 3 Richard 2008-11-27 12:31:45 UTC
When did nss-3.11.9-r1 become stable on amd64? I see no mention of this in the relevant ebuild.
Comment 4 Raúl Porcel (RETIRED) gentoo-dev 2008-12-11 10:43:55 UTC
(In reply to comment #2)
> Thanks Raúl.
> 
> With dev-libs/nss-3.12-r1 and www-client/mozilla-firefox-3.0.4-r1 I now get the
> message "Error code: sec_error_untrusted_issuer".  This shows that ECC is now
> working, but it's still not behaving quite like vanilla Firefox 3.0.4.
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=450427 comment #20 indicates that
> Mozilla are shipping Firefox 3.0.4 with a custom version of NSS that has the
> tag NSS_3_12_1_WITH_CKBI_1_72_RTM.
> But dev-libs/nss-3.12-r1 presumably has the tag NSS_3_12_RTM.
> 
> Could you upgrade dev-libs/nss to NSS_3_12_1_WITH_CKBI_1_72_RTM?
> 
> Or are you only prepared to use the NSS releases that get published to
> ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/ ?
> 

I've added 3.12.2_rc1, please test.
Comment 5 Rob Stradling 2008-12-12 08:28:50 UTC
Thanks Raúl.

3.12.2_rc1 works for me.  I can now connect to https://comodoecccertificationauthority-ev.comodoca.com successfully.
Comment 6 Raúl Porcel (RETIRED) gentoo-dev 2008-12-12 10:21:13 UTC
Good, closing then