The official Firefox 2.x and 3.x builds from Mozilla ship with a build of NSS that is compiled with NSS_ENABLE_ECC=1. See https://developer.mozilla.org/en/NSS_reference/Building_and_installing_NSS/Build_instructions for more info. These browsers can successfully browse to the URL I've quoted (which is an HTTPS site that uses an SSL Certificate with an elliptic curve key). The Gentoo dev-libs/nss ebuild appears to be omitting the NSS_ENABLE_ECC make variable, so it is being built without ECC support. As a result, browsing with www-client/mozilla-firefox to the test URL returns an error page with the message "Error code: ssl_error_no_cypher_overlap". I'm guessing (although I haven't tried it in a while) that www-client/mozilla-firefox-bin has the same problem. Please would you modify the dev-libs/nss build scripts to specify NSS_ENABLE_ECC=1 ?
Added to -r1, thanks.
Thanks Raúl. With dev-libs/nss-3.12-r1 and www-client/mozilla-firefox-3.0.4-r1 I now get the message "Error code: sec_error_untrusted_issuer". This shows that ECC is now working, but it's still not behaving quite like vanilla Firefox 3.0.4. https://bugzilla.mozilla.org/show_bug.cgi?id=450427 comment #20 indicates that Mozilla are shipping Firefox 3.0.4 with a custom version of NSS that has the tag NSS_3_12_1_WITH_CKBI_1_72_RTM. But dev-libs/nss-3.12-r1 presumably has the tag NSS_3_12_RTM. Could you upgrade dev-libs/nss to NSS_3_12_1_WITH_CKBI_1_72_RTM? Or are you only prepared to use the NSS releases that get published to ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/ ?
When did nss-3.11.9-r1 become stable on amd64? I see no mention of this in the relevant ebuild.
(In reply to comment #2)
> Thanks Raúl.
>
> With dev-libs/nss-3.12-r1 and www-client/mozilla-firefox-3.0.4-r1 I now get the
> message "Error code: sec_error_untrusted_issuer". This shows that ECC is now
> working, but it's still not behaving quite like vanilla Firefox 3.0.4.
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=450427 comment #20 indicates that
> Mozilla are shipping Firefox 3.0.4 with a custom version of NSS that has the
> tag NSS_3_12_1_WITH_CKBI_1_72_RTM.
> But dev-libs/nss-3.12-r1 presumably has the tag NSS_3_12_RTM.
>
> Could you upgrade dev-libs/nss to NSS_3_12_1_WITH_CKBI_1_72_RTM?
>
> Or are you only prepared to use the NSS releases that get published to
> ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/ ?
>

I've added 3.12.2_rc1, please test.
Thanks Raúl. 3.12.2_rc1 works for me. I can now connect to https://comodoecccertificationauthority-ev.comodoca.com successfully.
Good, closing then