The problem for me has began from few earlier versions. Can't be exact for the version. When try to connect to site which content requires user to identify yourself using opensc-pkcs11.so, firefox shows page which content is as follows: Secure Connection Failed An error occurred during a connection to somesecuresite.com * The page you are trying to view can not be shown because the authenticity of the received data could not be verified. * Please contact the web site owners to inform them of this problem. Alternatively, use the command found in the help menu to report this broken site. Related packages pcsc-lite and opensc are working well, because I have tested them with tools from opensc package. What I've found is when site requires reading the cert from pkcs11 token, browser doesn't ask for PIN (Login call). I'd tried with different USE flags on both mozilla-firefox and xulrunner without success. Reproducible: Always
nb-ent-225 ~ # emerge --info Portage 2.1.7.17 (default/linux/x86/10.0/desktop, gcc-4.3.4, glibc-2.11-r1, 2.6.33-gentoo i686) ================================================================= System uname: Linux-2.6.33-gentoo-i686-Intel-R-_Core-TM-2_Duo_CPU_T7500_@_2.20GHz-with-gentoo-2.0.1 Timestamp of tree: Tue, 09 Mar 2010 11:45:02 +0000 app-shells/bash: 4.1_p2 dev-java/java-config: 2.1.10 dev-lang/python: 2.6.4-r1, 3.1.1-r1 dev-python/pycrypto: 2.0.1-r8 dev-util/cmake: 2.8.0-r2 sys-apps/baselayout: 2.0.1 sys-apps/openrc: 0.6.0-r1 sys-apps/sandbox: 2.2 sys-devel/autoconf: 2.13, 2.65 sys-devel/automake: 1.4_p6, 1.5, 1.7.9-r1, 1.8.5-r3, 1.9.6-r3, 1.10.3, 1.11.1 sys-devel/binutils: 2.20 sys-devel/gcc: 4.3.4, 4.4.3 sys-devel/gcc-config: 1.4.1 sys-devel/libtool: 2.2.6b virtual/os-headers: 2.6.32 ACCEPT_KEYWORDS="x86 ~x86" ACCEPT_LICENSE="*" CBUILD="i686-pc-linux-gnu" CFLAGS="-march=core2 -mtune=core2 -O3 -pipe -mfpmath=sse -mmmx -mssse3" CHOST="i686-pc-linux-gnu" CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config" CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/env.d/java/ /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/splash /etc/terminfo" CXXFLAGS="-march=core2 -mtune=core2 -O3 -pipe -mfpmath=sse -mmmx -mssse3" DISTDIR="/usr/portage/distfiles" FEATURES="assume-digests distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch" GENTOO_MIRRORS="http://ftp.gentoo.bg/ http://distfiles.gentoo.bg/" LANG="C" LDFLAGS="-Wl,-O1" MAKEOPTS="-j4" PKGDIR="/usr/portage/packages" PORTAGE_CONFIGROOT="/" PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages" PORTAGE_TMPDIR="/var/tmp" PORTDIR="/usr/portage" SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage" USE="X a52 aac acl acpi alsa avahi bash-completion battery berkdb bluetooth branding bzip2 cairo cdr cli consolekit cracklib crypt cups cxx dbus dri dts dvd dvdnav dvdr dvdread emboss encode evo firefox flac gdbm gif gnome gpm gstreamer gtk hal iconv ieee1394 jpeg ldap libnotify mad mikmod mmx mng modules mp3 mp4 mpeg mudflap ncurses nls nptl nptlonly ogg opengl openmp pam pcmcia pcre pdf perl png ppds pppd python qt3support quicktime readline reflection sdl session sound spell spl sse sse2 sse3 ssl ssse3 startup-notification svg sysfs tcpd threads thunar tiff truetype unicode usb vorbis wifi win32codecs x264 x86 xml xorg xulrunner xv xvid zlib" ALSA_CARDS="hda-intel" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse synaptics evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="vesa intel" Unset: CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
I'm not familiar with opensc, but that's the same message I get for cert renegotiation requests as described in bug 304995. This might be related to the same vulnerability.
After downgrade to nss-3.12.3-r1 which lead to downgrade xulrunner-1.9.1.8 and firefox-3.5.8 problem is fixed. Probably as you say it's the same as 304995 here. Thanks.
*** This bug has been marked as a duplicate of bug 304995 ***
