304995 – dev-libs/nss-3.12.5 client certificate authentication broken

Bug 304995 - dev-libs/nss-3.12.5 client certificate authentication broken

Summary: dev-libs/nss-3.12.5 client certificate authentication broken

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Linux
Classification:	Unclassified
Component:	Current packages (show other bugs)
Hardware:	All Linux

Importance:	High normal
Assignee:	Mozilla Gentoo Team

URL:	http://bugs.debian.org/cgi-bin/bugrep...
Whiteboard:
Keywords:

Duplicates (3):	305879 308727 311075 (view as bug list)
Depends on:
Blocks:

Reported:	2010-02-13 23:53 UTC by Guillaume Castagnino
Modified:	2010-04-20 22:31 UTC (History)
CC List:	5 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Guillaume Castagnino 2010-02-13 23:53:54 UTC

Please refer to the debian bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=561918.

Gentoo is also affected by this issue. It's not possible to authenticate with client certificate under firefox.
Exemple at https://www.startssl.com/logon.ssl or at french tax portal https://cfspart.impots.gouv.fr/portal/dgi/public/perso?pageId=pna2par&sfid=30

symptom is a firefox error page instead of the windows asking for the x509 certificate to use for authentication.

The same workaround explained in debian bug report work for me :
start firefox with NSS_SSL_ENABLE_RENEGOTIATION=1

Could it be possible to add this to env.d when emerging nss ?

Comment 1 William Throwe 2010-02-14 04:57:54 UTC

I would recommend against doing this, or perhaps it could be enabled with a use flag.  Renegotiation is disabled in nss in response to a major security flaw in SSL (CVE-2009-3555).  People who want to leave themselves vulnerable can mask >=dev-libs/nss-3.12.5 until the flaw is addressed, or modify their environment as described in the Debian report.

Comment 2 Jory A. Pratt gentoo-dev

2010-02-14 06:08:05 UTC

nss-3.12.6 is on its way out with RENEGOTIATION support reworked, soon as it is avaliable it will be avlaiable in the tree.

Comment 3 Guillaume Castagnino 2010-02-14 09:28:11 UTC

OK, wait for 3.12.6 if it's not too long, but at least, I think it should be useful to add some notice in the ebuild.
It disables a useful feature, and when you do not know where the problem come from, it's hard do find the problem (yes, I spent HOURS googling to find why certificate authentication was broken in firefox)

Comment 4 Jory A. Pratt gentoo-dev

2010-02-20 00:36:20 UTC

*** Bug 305879 has been marked as a duplicate of this bug. ***

Comment 5 Jory A. Pratt gentoo-dev

2010-03-12 14:30:16 UTC

*** Bug 308727 has been marked as a duplicate of this bug. ***

Comment 6 Samuli Suominen (RETIRED) gentoo-dev

2010-03-24 11:00:10 UTC

*** Bug 311075 has been marked as a duplicate of this bug. ***

Comment 7 Jory A. Pratt gentoo-dev

2010-03-28 02:49:26 UTC

Could someone test with 3.12.6 to see if we re-enabled everything okay please. If not please let us know as soon as possible as we can push up the deadline for stabilization.

Comment 8 Guillaume Castagnino 2010-03-28 09:08:15 UTC

Hi,

For me it's now OK : nss 3.12.6 + firefox 3.6.2
Thanks

Comment 9 T Parys 2010-03-29 13:52:14 UTC

Still not working here on amd64, using a smartcard certificate (coolkey) ...

  dev-libs/nss-3.12.6-r1
  www-client/mozilla-firefox-3.5.8

The NSS_SSL_ENABLE_RENEGOTIATION=1 workaround produces the expected results.

Comment 10 T Parys 2010-04-20 21:46:47 UTC

Just upgraded to www-client/mozilla-firefox-3.6.3, and certificate authentication is working as expected with no workaround.

Comment 11 Jory A. Pratt gentoo-dev

2010-04-20 22:31:23 UTC

Fixed in latest nss version in tree which is moving stable for archs stabilizing firefox-3.6.3.