Bug#: 247221
Status: RESOLVED
Resolution: FIXED
Assigned To: Mozilla Gentoo Team <mozilla@gentoo.org>
Reporter: Rob Stradling <rob@comodo.com>

Description:   Opened: 2008-11-17 15:48 0000
The official Firefox 2.x and 3.x builds from Mozilla ship with a build of NSS
that is compiled with NSS_ENABLE_ECC=1.  See
https://developer.mozilla.org/en/NSS_reference/Building_and_installing_NSS/Build_instructions
for more info.
These browsers can successfully browse to the URL I've quoted (which is an
HTTPS site that uses an SSL Certificate with an elliptic curve key).

The Gentoo dev-libs/nss ebuild appears to be omitting the NSS_ENABLE_ECC make
variable, so it is being built without ECC support.  As a result, browsing with
www-client/mozilla-firefox to the test URL returns an error page with the
message "Error code: ssl_error_no_cypher_overlap".
I'm guessing (although I haven't tried it in a while) that
www-client/mozilla-firefox-bin has the same problem.

Please would you modify the dev-libs/nss build scripts to specify
NSS_ENABLE_ECC=1 ?
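
Added example (not part of the bug report or of NSS): a small check of why a client without ECC ends up with no cipher overlap against a server that holds only an EC-key certificate. It reads the cipher-suite list from a TLS ClientHello and keeps the ECDSA-authenticated suites defined in RFC 4492. The function names and both sample ClientHellos are constructed for illustration, and the assumption is that a client built without ECC offers none of these suites.

```python
import struct

# ECDSA-authenticated suites from RFC 4492: the only kind a server holding
# just an EC-key certificate can select.
EC_CERT_SUITES = {
    0xC004: "TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA",
    0xC005: "TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA",
    0xC009: "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA",
    0xC00A: "TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA",
}

def offered_suites(hello):
    """Return the cipher-suite codes listed in a ClientHello handshake message."""
    if len(hello) < 4 or hello[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    body_len = int.from_bytes(hello[1:4], "big")
    body = hello[4:4 + body_len]
    if len(body) != body_len or body_len < 35:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                    # skip client_version and random
    pos += 1 + body[pos]            # skip session_id (1-byte length prefix)
    if pos + 2 > len(body):
        raise ValueError("truncated ClientHello")
    n = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    if n % 2 or pos + n > len(body):
        raise ValueError("bad cipher_suites length")
    return [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + n, 2)]

def ec_overlap(hello):
    """Names of offered suites usable with an EC-key server certificate."""
    return [EC_CERT_SUITES[c] for c in offered_suites(hello) if c in EC_CERT_SUITES]

def build_hello(suites):
    """Construct a minimal sample ClientHello (test data, not a capture)."""
    body = b"\x03\x01" + bytes(32) + b"\x00"          # TLS 1.0, zero random, no session
    body += struct.pack(">H", 2 * len(suites))
    body += b"".join(struct.pack(">H", s) for s in suites)
    body += b"\x01\x00"                                # null compression only
    return b"\x01" + len(body).to_bytes(3, "big") + body

# Constructed samples: RSA/DHE-only offer vs. an offer that includes ECDSA suites.
NO_ECC_HELLO = build_hello([0x002F, 0x0035, 0x0033, 0x0039])
ECC_HELLO = build_hello([0xC00A, 0xC009, 0x002F])

if __name__ == "__main__":
    for label, hello in (("without ECC", NO_ECC_HELLO), ("with ECC", ECC_HELLO)):
        print(label, "->", ec_overlap(hello) or "no cipher overlap")
```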

------- Comment #1 From Raúl Porcel 2008-11-25 14:50:25 0000 -------
Added to -r1, thanks.

------- Comment #2 From Rob Stradling 2008-11-26 07:40:50 0000 -------
Thanks Raúl.

With dev-libs/nss-3.12-r1 and www-client/mozilla-firefox-3.0.4-r1 I now get the
message "Error code: sec_error_untrusted_issuer".  This shows that ECC is now
working, but it's still not behaving quite like vanilla Firefox 3.0.4.

https://bugzilla.mozilla.org/show_bug.cgi?id=450427 comment #20 indicates that
Mozilla are shipping Firefox 3.0.4 with a custom version of NSS that has the
tag NSS_3_12_1_WITH_CKBI_1_72_RTM.
But dev-libs/nss-3.12-r1 presumably has the tag NSS_3_12_RTM.

Could you upgrade dev-libs/nss to NSS_3_12_1_WITH_CKBI_1_72_RTM?

Or are you only prepared to use the NSS releases that get published to
ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/ ?

------- Comment #3 From Richard 2008-11-27 12:31:45 0000 -------
When did nss-3.11.9-r1 become stable on amd64? I see no mention of this in the
relevant ebuild..

------- Comment #4 From Raúl Porcel 2008-12-11 10:43:55 0000 -------
(In reply to comment #2)
> Thanks Raúl.
> 
> With dev-libs/nss-3.12-r1 and www-client/mozilla-firefox-3.0.4-r1 I now get the
> message "Error code: sec_error_untrusted_issuer".  This shows that ECC is now
> working, but it's still not behaving quite like vanilla Firefox 3.0.4.
> 
> https://bugzilla.mozilla.org/show_bug.cgi?id=450427 comment #20 indicates that
> Mozilla are shipping Firefox 3.0.4 with a custom version of NSS that has the
> tag NSS_3_12_1_WITH_CKBI_1_72_RTM.
> But dev-libs/nss-3.12-r1 presumably has the tag NSS_3_12_RTM.
> 
> Could you upgrade dev-libs/nss to NSS_3_12_1_WITH_CKBI_1_72_RTM?
> 
> Or are you only prepared to use the NSS releases that get published to
> ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/ ?
> 

I've added 3.12.2_rc1, please test.

------- Comment #5 From Rob Stradling 2008-12-12 08:28:50 0000 -------
Thanks Raúl.

3.12.2_rc1 works for me.  I can now connect to
https://comodoecccertificationauthority-ev.comodoca.com successfully.

------- Comment #6 From Raúl Porcel 2008-12-12 10:21:13 0000 -------
Good, closing then
