Hi, If I use nss-3.28, I get the following error in Firefox when trying to access Google services: Your connection is not secure The website tried to negotiate an inadequate level of security. www.google.com uses security technology that is outdated and vulnerable to attack. An attacker could easily reveal information which you thought to be safe. The website administrator will need to fix the server first before you can visit the site. Error code: NS_ERROR_NET_INADEQUATE_SECURITY If I downgrade nss to 3.27.2, the issue goes away. Thanks, Sarnex Reproducible: Always Steps to Reproduce: 1. Have nss 3.28 2. Open Firefox 3. Go to a google website
same here. Downgrading nss to 2.73.2 and restrarting firefox made issue go away
Same here. Minecraft throws an exception when it tries to download files. Masked 3.28 and downgrading to 3.27 solves my problem.
Same here. Rebuild of Firefox didn't help. Looks like the problem is https://bugzilla.mozilla.org/show_bug.cgi?id=1290037#c9 ("Update minimum keybits in H2"). The backport request mentions: "User impact if declined: Broken HTTP/2 for --with-system-nss + NSS 3.28 builds" Which is what we're seeing here. Our www-client/firefox-50.1.0 does not have that change, and I've more or less (it's an opt build of firefox, so debugging it is a little wonky) confirmed through the debugger that the error message we're getting originates in the code changed on that bug.
commit 1970148e88dbe4a534f5a8e4b9b3c89d505c0796 Author: Lars Wendler <polynomial-c@gentoo.org> Date: Sat Dec 24 10:16:09 2016 package.mask: Masked =dev-libs/nss-3.28 (bug #603622)
Confirmed that www-client/firefox-50.1.0 with https://bug1290037.bmoattachments.org/attachment.cgi?id=8778661 applied to it can access Google using dev-libs/nss-3.28. If I understand correctly from https://bugzilla.mozilla.org/show_bug.cgi?id=1290037#c11, this fix is safe even when Firefox uses an older version of nss.
The same issue also affects Thunderbird. The here mentioned patch (https://hg.mozilla.org/mozilla-central/raw-diff/361ac226da2a/netwerk/protocol/http/Http2Session.cpp) for Firefox also works for tb 45.5.1 .
(In reply to Marien Zwart from comment #5) +1
commit 422df34e40a8ed9f0a17d509a12baa69f3fa7fe5 Author: Lars Wendler <polynomial-c@gentoo.org> Date: Sat Jan 7 02:22:27 2017 www-client/seamonkey: Added a fix for an configure issue with sed-4.3 This fixes Gentoo bug #604696 Furthermore added a patch so the package works reliably with nss-3.28 This fixes Gentoo bug #603622 Both fixes don't affect stable so no revbump necessary.
I have just pushed -r1 for esr builds and latest ~arch. Please allow mirrors to populate and you will be good to go.
The issue came back again with nss-3.28.1, so I think the problem is in upstream.
(In reply to jorgicio from comment #10) > The issue came back again with nss-3.28.1, so I think the problem is in > upstream. You have not updated firefox at same time if your seeing the issue
(In reply to Jory A. Pratt from comment #11) > (In reply to jorgicio from comment #10) > > The issue came back again with nss-3.28.1, so I think the problem is in > > upstream. > > You have not updated firefox at same time if your seeing the issue In fact, already did, and also it fails with another apps, such as java implementations (such as icedtea)
(In reply to jorgicio from comment #12) > (In reply to Jory A. Pratt from comment #11) > > (In reply to jorgicio from comment #10) > > > The issue came back again with nss-3.28.1, so I think the problem is in > > > upstream. > > > > You have not updated firefox at same time if your seeing the issue > > In fact, already did, and also it fails with another apps, such as java > implementations (such as icedtea) It's been working for me for the sites that didn't work before (namely Google and Wikipedia).
Created attachment 459662 [details] Screenshot Yes, but nss >=3.28 affects icedtea. I attached a SS to show this. This doesn't happen in 3.27 or lower.
(In reply to jorgicio from comment #14) > Created attachment 459662 [details] > Screenshot > > Yes, but nss >=3.28 affects icedtea. I attached a SS to show this. > This doesn't happen in 3.27 or lower. I can't verify as I don't use icedtea. Perhaps a new bug report needs to be created against icetea. This bug is for Firefox.
(In reply to jorgicio from comment #14) > Created attachment 459662 [details] > Screenshot > > Yes, but nss >=3.28 affects icedtea. I attached a SS to show this. > This doesn't happen in 3.27 or lower. This is a new bug report and assign to icetea maintainer. We are not gonna mask or roll back again as we are already stabilizing for security reasons.
(In reply to Albert W. Hopkins from comment #15) > (In reply to jorgicio from comment #14) > > Created attachment 459662 [details] > > Screenshot > > > > Yes, but nss >=3.28 affects icedtea. I attached a SS to show this. > > This doesn't happen in 3.27 or lower. > > I can't verify as I don't use icedtea. Perhaps a new bug report needs to be > created against icetea. This bug is for Firefox. Already done.