Please see https://developer.mozilla.org/en-US/docs/NSS/NSS_3.14_release_notes

www-client/firefox-10.0.11 links libnss3.so and so FF does not connect to servers using such a certificate, with a very ambiguous error message. That's not a bug, at least not a Gentoo bug, but a security feature.

Btw: the workaround mentioned in the above URL (NSS_HASH_ALG_SUPPORT=+MD5) does work.

But:
- firefox-bin 10.0.11 comes bundled with nss 3.13, which accepts certs with MD5 hashes.
- firefox 17.0.1 accepts certs with MD5 even when nss 3.14 is installed (didn't research why)
- FF bindists from mozilla.org (for instance for OSX) come bundled with nss 3.13-

So it would be helpful to get a notice after installing nss 3.14 and / or firefox 10.0.11 about this behavior and the workaround.
The rejection is for plain MD5, not HMAC-MD5. I am not in the business of asking a user to compromise security. It is not recommended upstream and sure is not recommended by Gentoo either, due to the same security issues that come with using plain hashes.