Bug 304995

Summary: dev-libs/nss-3.12.5 client certificate authentication broken
Product: Gentoo Linux
Reporter: Guillaume Castagnino <casta>
Component: Current packages
Assignee: Mozilla Gentoo Team <mozilla>
Status: RESOLVED FIXED
Severity: normal
CC: lori, notordoktor, sfgets, tparys, wtt6
Priority: High
Version: unspecified
Hardware: All
OS: Linux
URL: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=561918

Description Guillaume Castagnino 2010-02-13 23:53:54 UTC
Please refer to the Debian bug http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=561918.

Gentoo is also affected by this issue. It's not possible to authenticate with a client certificate under Firefox.
Example at https://www.startssl.com/logon.ssl or at the French tax portal https://cfspart.impots.gouv.fr/portal/dgi/public/perso?pageId=pna2par&sfid=30

The symptom is a Firefox error page instead of the window asking for the x509 certificate to use for authentication.

The same workaround explained in the Debian bug report works for me:
start firefox with NSS_SSL_ENABLE_RENEGOTIATION=1

Could it be possible to add this to env.d when emerging nss?
Comment 1 William Throwe 2010-02-14 04:57:54 UTC
I would recommend against doing this, or perhaps it could be enabled with a use flag.  Renegotiation is disabled in nss in response to a major security flaw in SSL (CVE-2009-3555).  People who want to leave themselves vulnerable can mask >=dev-libs/nss-3.12.5 until the flaw is addressed, or modify their environment as described in the Debian report.
Comment 2 Jory A. Pratt gentoo-dev 2010-02-14 06:08:05 UTC
nss-3.12.6 is on its way out with RENEGOTIATION support reworked; as soon as it is available it will be available in the tree.
Comment 3 Guillaume Castagnino 2010-02-14 09:28:11 UTC
OK, wait for 3.12.6 if it's not too long, but at least, I think it should be useful to add some notice in the ebuild.
It disables a useful feature, and when you do not know where the problem comes from, it's hard to find the problem (yes, I spent HOURS googling to find why certificate authentication was broken in Firefox).
Comment 4 Jory A. Pratt gentoo-dev 2010-02-20 00:36:20 UTC
*** Bug 305879 has been marked as a duplicate of this bug. ***
Comment 5 Jory A. Pratt gentoo-dev 2010-03-12 14:30:16 UTC
*** Bug 308727 has been marked as a duplicate of this bug. ***
Comment 6 Samuli Suominen (RETIRED) gentoo-dev 2010-03-24 11:00:10 UTC
*** Bug 311075 has been marked as a duplicate of this bug. ***
Comment 7 Jory A. Pratt gentoo-dev 2010-03-28 02:49:26 UTC
Could someone test with 3.12.6 to see if we re-enabled everything okay, please? If not, please let us know as soon as possible, as we can push up the deadline for stabilization.
Comment 8 Guillaume Castagnino 2010-03-28 09:08:15 UTC
Hi,

For me it's now OK: nss 3.12.6 + firefox 3.6.2
Thanks
Comment 9 T Parys 2010-03-29 13:52:14 UTC
Still not working here on amd64, using a smartcard certificate (coolkey) ...

  dev-libs/nss-3.12.6-r1
  www-client/mozilla-firefox-3.5.8

The NSS_SSL_ENABLE_RENEGOTIATION=1 workaround produces the expected results.
Comment 10 T Parys 2010-04-20 21:46:47 UTC
Just upgraded to www-client/mozilla-firefox-3.6.3, and certificate authentication is working as expected with no workaround.
Comment 11 Jory A. Pratt gentoo-dev 2010-04-20 22:31:23 UTC
Fixed in latest nss version in tree which is moving stable for archs stabilizing firefox-3.6.3.