Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 603622 - =dev-libs/nss-3.28 - Firefox refuses to load Google and other http2 websites ( NS_ERROR_NET_INADEQUATE_SECURITY )
Summary: =dev-libs/nss-3.28 - Firefox refuses to load Google and other http2 websites ...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Mozilla Gentoo Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks: CVE-2016-5285, CVE-2016-8635
  Show dependency tree
 
Reported: 2016-12-23 22:45 UTC by Nick Sarnie
Modified: 2017-01-14 14:27 UTC (History)
13 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments
Screenshot (Pantallazo-2017-01-11 22-45-02.png,842.67 KB, image/png)
2017-01-12 01:46 UTC, jorgicio
Details

Note You need to log in before you can comment on or make changes to this bug.
Description Nick Sarnie gentoo-dev 2016-12-23 22:45:17 UTC
Hi,

If I use nss-3.28, I get the following error in Firefox when trying to access Google services:
Your connection is not secure

The website tried to negotiate an inadequate level of security.

www.google.com uses security technology that is outdated and vulnerable to attack. An attacker could easily reveal information which you thought to be safe. The website administrator will need to fix the server first before you can visit the site.

Error code: NS_ERROR_NET_INADEQUATE_SECURITY

If I downgrade nss to 3.27.2, the issue goes away.

Thanks,
Sarnex

Reproducible: Always

Steps to Reproduce:
1. Have nss 3.28
2. Open Firefox
3. Go to a google website
Comment 1 Wojciech Myrda 2016-12-23 23:35:49 UTC
same here. Downgrading nss to 2.73.2 and restrarting firefox made issue go away
Comment 2 jorgicio 2016-12-24 02:30:36 UTC
Same here. Minecraft throws an exception when it tries to download files.
Masked 3.28 and downgrading to 3.27 solves my problem.
Comment 3 Marien Zwart 2016-12-24 09:16:40 UTC
Same here. Rebuild of Firefox didn't help.

Looks like the problem is https://bugzilla.mozilla.org/show_bug.cgi?id=1290037#c9 ("Update minimum keybits in H2"). The backport request mentions:

"User impact if declined: Broken HTTP/2 for --with-system-nss + NSS 3.28 builds"

Which is what we're seeing here. Our www-client/firefox-50.1.0 does not have that change, and I've more or less (it's an opt build of firefox, so debugging it is a little wonky) confirmed through the debugger that the error message we're getting originates in the code changed on that bug.
Comment 4 Lars Wendler (Polynomial-C) gentoo-dev 2016-12-24 09:19:13 UTC
commit 1970148e88dbe4a534f5a8e4b9b3c89d505c0796
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Sat Dec 24 10:16:09 2016

    package.mask: Masked =dev-libs/nss-3.28 (bug #603622)
Comment 5 Marien Zwart 2016-12-24 09:44:53 UTC
Confirmed that www-client/firefox-50.1.0 with https://bug1290037.bmoattachments.org/attachment.cgi?id=8778661 applied to it can access Google using dev-libs/nss-3.28.

If I understand correctly from https://bugzilla.mozilla.org/show_bug.cgi?id=1290037#c11, this fix is safe even when Firefox uses an older version of nss.
Comment 6 Sven B. 2016-12-24 09:53:31 UTC
The same issue also affects Thunderbird. The here mentioned patch (https://hg.mozilla.org/mozilla-central/raw-diff/361ac226da2a/netwerk/protocol/http/Http2Session.cpp) for Firefox also works for tb 45.5.1 .
Comment 7 Thomas Bettler 2016-12-25 10:13:58 UTC
(In reply to Marien Zwart from comment #5)

+1
Comment 8 Lars Wendler (Polynomial-C) gentoo-dev 2017-01-07 01:25:12 UTC
commit 422df34e40a8ed9f0a17d509a12baa69f3fa7fe5
Author: Lars Wendler <polynomial-c@gentoo.org>
Date:   Sat Jan 7 02:22:27 2017

    www-client/seamonkey: Added a fix for an configure issue with sed-4.3

    This fixes Gentoo bug #604696

    Furthermore added a patch so the package works reliably with nss-3.28
    This fixes Gentoo bug #603622

    Both fixes don't affect stable so no revbump necessary.
Comment 9 Jory A. Pratt gentoo-dev 2017-01-08 21:44:34 UTC
I have just pushed -r1 for esr builds and latest ~arch. Please allow mirrors to populate and you will be good to go.
Comment 10 jorgicio 2017-01-08 23:16:52 UTC
The issue came back again with nss-3.28.1, so I think the problem is in upstream.
Comment 11 Jory A. Pratt gentoo-dev 2017-01-08 23:18:25 UTC
(In reply to jorgicio from comment #10)
> The issue came back again with nss-3.28.1, so I think the problem is in
> upstream.

You have not updated firefox at same time if your seeing the issue
Comment 12 jorgicio 2017-01-12 01:38:08 UTC
(In reply to Jory A. Pratt from comment #11)
> (In reply to jorgicio from comment #10)
> > The issue came back again with nss-3.28.1, so I think the problem is in
> > upstream.
> 
> You have not updated firefox at same time if your seeing the issue

In fact, already did, and also it fails with another apps, such as java implementations (such as icedtea)
Comment 13 Albert W. Hopkins 2017-01-12 01:42:09 UTC
(In reply to jorgicio from comment #12)
> (In reply to Jory A. Pratt from comment #11)
> > (In reply to jorgicio from comment #10)
> > > The issue came back again with nss-3.28.1, so I think the problem is in
> > > upstream.
> > 
> > You have not updated firefox at same time if your seeing the issue
> 
> In fact, already did, and also it fails with another apps, such as java
> implementations (such as icedtea)

It's been working for me for the sites that didn't work before (namely Google and Wikipedia).
Comment 14 jorgicio 2017-01-12 01:46:45 UTC
Created attachment 459662 [details]
Screenshot

Yes, but nss >=3.28 affects icedtea. I attached a SS to show this.
This doesn't happen in 3.27 or lower.
Comment 15 Albert W. Hopkins 2017-01-12 01:51:56 UTC
(In reply to jorgicio from comment #14)
> Created attachment 459662 [details]
> Screenshot
> 
> Yes, but nss >=3.28 affects icedtea. I attached a SS to show this.
> This doesn't happen in 3.27 or lower.

I can't verify as I don't use icedtea. Perhaps a new bug report needs to be created against icetea.  This bug is for Firefox.
Comment 16 Jory A. Pratt gentoo-dev 2017-01-12 03:54:50 UTC
(In reply to jorgicio from comment #14)
> Created attachment 459662 [details]
> Screenshot
> 
> Yes, but nss >=3.28 affects icedtea. I attached a SS to show this.
> This doesn't happen in 3.27 or lower.

This is a new bug report and assign to icetea maintainer. We are not gonna mask or roll back again as we are already stabilizing for security reasons.
Comment 17 jorgicio 2017-01-12 23:35:06 UTC
(In reply to Albert W. Hopkins from comment #15)
> (In reply to jorgicio from comment #14)
> > Created attachment 459662 [details]
> > Screenshot
> > 
> > Yes, but nss >=3.28 affects icedtea. I attached a SS to show this.
> > This doesn't happen in 3.27 or lower.
> 
> I can't verify as I don't use icedtea. Perhaps a new bug report needs to be
> created against icetea.  This bug is for Firefox.

Already done.