Bug 750746 - net-misc/nss-3.58 is causing handshake failure (-12251)
Summary: net-misc/nss-3.58 is causing handshake failure (-12251)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: Normal normal
Assignee: Mozilla Gentoo Team
URL: https://bugzilla.mozilla.org/show_bug...
Whiteboard:
Keywords:
Depends on:
Blocks: CVE-2020-25648
Reported: 2020-10-22 14:46 UTC by Marcin Kowalski
Modified: 2020-10-26 15:11 UTC (History)
CC: 1 user

See Also:
Package list:
Runtime testing required: ---


Attachments
git checkout with nss-3.57 (working.log, 12.17 KB, text/plain)
2020-10-22 14:46 UTC, Marcin Kowalski
git checkout with nss-3.58 (problem.log, 1.68 KB, text/plain)
2020-10-22 14:46 UTC, Marcin Kowalski
use flags for nss, git and curl (flags.txt, 2.64 KB, text/plain)
2020-10-22 14:47 UTC, Marcin Kowalski
emerge --info (emerge-info.txt, 8.39 KB, text/plain)
2020-10-22 14:47 UTC, Marcin Kowalski

Description Marcin Kowalski 2020-10-22 14:46:01 UTC
Example log with git client is shown:


It breaks for all users, also for portage with -9999 packages. So I assume my configuration is not to blame.

Attaching logs from working git, failing git and use flags + emerge --info

Reproducible: Always

Steps to Reproduce:
1. update nss to current ~arch
2. try git checkouts
3. downgrade nss
4. it works
Comment 1 Marcin Kowalski 2020-10-22 14:46:37 UTC
Created attachment 667943 [details]
git checkout with nss-3.57
Comment 2 Marcin Kowalski 2020-10-22 14:46:52 UTC
Created attachment 667946 [details]
git checkout with nss-3.58
Comment 3 Marcin Kowalski 2020-10-22 14:47:07 UTC
Created attachment 667949 [details]
use flags for nss, git and curl
Comment 4 Marcin Kowalski 2020-10-22 14:47:19 UTC
Created attachment 667952 [details]
emerge --info
Comment 5 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-22 14:50:17 UTC
Comment on attachment 667943 [details]
git checkout with nss-3.57

>After downgrading nss to 3.57 : 
>---------------------------------------------------
>~ GIT_CURL_VERBOSE=1 GIT_TRACE=1 git clone https://github.com/icinga/icinga2
>16:41:29.229082 git.c:444               trace: built-in: git clone https://github.com/icinga/icinga2
>Cloning into 'icinga2'...
>16:41:29.231692 run-command.c:663       trace: run_command: git remote-https origin https://github.com/icinga/icinga2
>16:41:29.232414 git.c:729               trace: exec: git-remote-https origin https://github.com/icinga/icinga2
>16:41:29.232434 run-command.c:663       trace: run_command: git-remote-https origin https://github.com/icinga/icinga2
>16:41:29.235269 http.c:756              == Info: Couldn't find host github.com in the .netrc file; using defaults
>16:41:29.258859 http.c:756              == Info:   Trying 140.82.121.4:443...
>16:41:29.284455 http.c:756              == Info: Connected to github.com (140.82.121.4) port 443 (#0)
>16:41:29.284488 http.c:756              == Info: Initializing NSS with certpath: none
>16:41:29.286623 http.c:756              == Info:  CAfile: /etc/ssl/certs/ca-certificates.crt
>16:41:29.286638 http.c:756              == Info:  CApath: /etc/ssl/certs
>16:41:29.289747 http.c:756              == Info: failed to load '/etc/ssl/certs/java' from CURLOPT_CAPATH
>16:41:29.334812 http.c:756              == Info: ALPN, server accepted to use http/1.1
>16:41:29.334848 http.c:756              == Info: SSL connection using TLS_AES_128_GCM_SHA256
>16:41:29.334858 http.c:756              == Info: Server certificate:
>16:41:29.334879 http.c:756              == Info:    subject: CN=github.com,O="GitHub, Inc.",L=San Francisco,ST=California,C=US
>16:41:29.334897 http.c:756              == Info:    start date: maj 05 00:00:00 2020 GMT
>16:41:29.334905 http.c:756              == Info:    expire date: maj 10 12:00:00 2022 GMT
>16:41:29.334912 http.c:756              == Info:    common name: github.com
>16:41:29.334919 http.c:756              == Info:    issuer: CN=DigiCert SHA2 High Assurance Server CA,OU=www.digicert.com,O=DigiCert Inc,C=US
>16:41:29.334981 http.c:703              => Send header, 0000000235 bytes (0x000000eb)
>16:41:29.334993 http.c:715              => Send header: GET /icinga/icinga2/info/refs?service=git-upload-pack HTTP/1.1
>16:41:29.334999 http.c:715              => Send header: Host: github.com
>16:41:29.335005 http.c:715              => Send header: User-Agent: git/2.29.0
>16:41:29.335012 http.c:715              => Send header: Accept: */*
>16:41:29.335018 http.c:715              => Send header: Accept-Encoding: deflate, gzip, zstd
>16:41:29.335024 http.c:715              => Send header: Accept-Language: pl-PL, *;q=0.9
>16:41:29.335030 http.c:715              => Send header: Pragma: no-cache
>16:41:29.335035 http.c:715              => Send header: Git-Protocol: version=2
>16:41:29.335041 http.c:715              => Send header:
>16:41:29.668188 http.c:756              == Info: Mark bundle as not supporting multiuse
>16:41:29.668219 http.c:703              <= Recv header, 0000000017 bytes (0x00000011)
>16:41:29.668229 http.c:715              <= Recv header: HTTP/1.1 200 OK
>16:41:29.668238 http.c:703              <= Recv header, 0000000026 bytes (0x0000001a)
>16:41:29.668245 http.c:715              <= Recv header: Server: GitHub Babel 2.0
>16:41:29.668253 http.c:703              <= Recv header, 0000000059 bytes (0x0000003b)
>16:41:29.668260 http.c:715              <= Recv header: Content-Type: application/x-git-upload-pack-advertisement
>16:41:29.668269 http.c:703              <= Recv header, 0000000028 bytes (0x0000001c)
>16:41:29.668274 http.c:715              <= Recv header: Transfer-Encoding: chunked
>16:41:29.668281 http.c:703              <= Recv header, 0000000040 bytes (0x00000028)
>16:41:29.668289 http.c:715              <= Recv header: Expires: Fri, 01 Jan 1980 00:00:00 GMT
>16:41:29.668297 http.c:703              <= Recv header, 0000000018 bytes (0x00000012)
>16:41:29.668303 http.c:715              <= Recv header: Pragma: no-cache
>16:41:29.668309 http.c:703              <= Recv header, 0000000053 bytes (0x00000035)
>16:41:29.668315 http.c:715              <= Recv header: Cache-Control: no-cache, max-age=0, must-revalidate
>16:41:29.668322 http.c:703              <= Recv header, 0000000023 bytes (0x00000017)
>16:41:29.668328 http.c:715              <= Recv header: Vary: Accept-Encoding
>16:41:29.668335 http.c:703              <= Recv header, 0000000023 bytes (0x00000017)
>16:41:29.668341 http.c:715              <= Recv header: X-Frame-Options: DENY
>16:41:29.668347 http.c:703              <= Recv header, 0000000057 bytes (0x00000039)
>16:41:29.668352 http.c:715              <= Recv header: X-GitHub-Request-Id: 9046:18D3:A8571EA:F314C5E:5F919A19
>16:41:29.668360 http.c:703              <= Recv header, 0000000002 bytes (0x00000002)
>16:41:29.668365 http.c:715              <= Recv header:
>16:41:29.674417 http.c:756              == Info: Connection #0 to host github.com left intact
>16:41:29.674635 http.c:756              == Info: Couldn't find host github.com in the .netrc file; using defaults
>16:41:29.674659 http.c:756              == Info: Found bundle for host github.com: 0x55c1d8056700 [serially]
>16:41:29.674668 http.c:756              == Info: Can not multiplex, even if we wanted to!
>16:41:29.674685 http.c:756              == Info: Re-using existing connection! (#0) with host github.com
>16:41:29.674698 http.c:756              == Info: Connected to github.com (140.82.121.4) port 443 (#0)
>16:41:29.674763 http.c:703              => Send header, 0000000274 bytes (0x00000112)
>16:41:29.674775 http.c:715              => Send header: POST /icinga/icinga2/git-upload-pack HTTP/1.1
>16:41:29.674781 http.c:715              => Send header: Host: github.com
>16:41:29.674795 http.c:715              => Send header: User-Agent: git/2.29.0
>16:41:29.674803 http.c:715              => Send header: Accept-Encoding: deflate, gzip, zstd
>16:41:29.674812 http.c:715              => Send header: Content-Type: application/x-git-upload-pack-request
>16:41:29.674820 http.c:715              => Send header: Accept: application/x-git-upload-pack-result
>16:41:29.674826 http.c:715              => Send header: Git-Protocol: version=2
>16:41:29.674834 http.c:715              => Send header: Content-Length: 142
>16:41:29.674842 http.c:715              => Send header:
>16:41:29.674854 http.c:756              == Info: upload completely sent off: 142 out of 142 bytes
>16:41:29.994731 http.c:756              == Info: Mark bundle as not supporting multiuse
>16:41:29.994761 http.c:703              <= Recv header, 0000000017 bytes (0x00000011)
>16:41:29.994775 http.c:715              <= Recv header: HTTP/1.1 200 OK
>16:41:29.994786 http.c:703              <= Recv header, 0000000026 bytes (0x0000001a)
>16:41:29.994795 http.c:715              <= Recv header: Server: GitHub Babel 2.0
>16:41:29.994806 http.c:703              <= Recv header, 0000000052 bytes (0x00000034)
>16:41:29.994812 http.c:715              <= Recv header: Content-Type: application/x-git-upload-pack-result
>16:41:29.994823 http.c:703              <= Recv header, 0000000028 bytes (0x0000001c)
>16:41:29.994831 http.c:715              <= Recv header: Transfer-Encoding: chunked
>16:41:29.994840 http.c:703              <= Recv header, 0000000040 bytes (0x00000028)
>16:41:29.994850 http.c:715              <= Recv header: Expires: Fri, 01 Jan 1980 00:00:00 GMT
>16:41:29.994860 http.c:703              <= Recv header, 0000000018 bytes (0x00000012)
>16:41:29.994867 http.c:715              <= Recv header: Pragma: no-cache
>16:41:29.994877 http.c:703              <= Recv header, 0000000053 bytes (0x00000035)
>16:41:29.994883 http.c:715              <= Recv header: Cache-Control: no-cache, max-age=0, must-revalidate
>16:41:29.994892 http.c:703              <= Recv header, 0000000023 bytes (0x00000017)
>16:41:29.994901 http.c:715              <= Recv header: Vary: Accept-Encoding
>16:41:29.994909 http.c:703              <= Recv header, 0000000023 bytes (0x00000017)
>16:41:29.994918 http.c:715              <= Recv header: X-Frame-Options: DENY
>16:41:29.994926 http.c:703              <= Recv header, 0000000057 bytes (0x00000039)
>16:41:29.994933 http.c:715              <= Recv header: X-GitHub-Request-Id: 9046:18D3:A857223:F314CA4:5F919A19
>16:41:29.994943 http.c:703              <= Recv header, 0000000002 bytes (0x00000002)
>16:41:29.994949 http.c:715              <= Recv header:
>16:41:30.241010 http.c:756              == Info: Connection #0 to host github.com left intact
>16:41:30.247712 http.c:756              == Info: Couldn't find host github.com in the .netrc file; using defaults
>16:41:30.247732 http.c:756              == Info: Found bundle for host github.com: 0x55c1d8056700 [serially]
>16:41:30.247736 http.c:756              == Info: Can not multiplex, even if we wanted to!
>16:41:30.247742 http.c:756              == Info: Re-using existing connection! (#0) with host github.com
>16:41:30.247748 http.c:756              == Info: Connected to github.com (140.82.121.4) port 443 (#0)
>16:41:30.247805 http.c:703              => Send header, 0000000300 bytes (0x0000012c)
>16:41:30.247812 http.c:715              => Send header: POST /icinga/icinga2/git-upload-pack HTTP/1.1
>16:41:30.247815 http.c:715              => Send header: Host: github.com
>16:41:30.247822 http.c:715              => Send header: User-Agent: git/2.29.0
>16:41:30.247825 http.c:715              => Send header: Accept-Encoding: deflate, gzip, zstd
>16:41:30.247829 http.c:715              => Send header: Content-Type: application/x-git-upload-pack-request
>16:41:30.247832 http.c:715              => Send header: Accept: application/x-git-upload-pack-result
>16:41:30.247843 http.c:715              => Send header: Git-Protocol: version=2
>16:41:30.247846 http.c:715              => Send header: Content-Encoding: gzip
>16:41:30.247857 http.c:715              => Send header: Content-Length: 13016
>16:41:30.247860 http.c:715              => Send header:
>16:41:30.247865 http.c:756              == Info: upload completely sent off: 13016 out of 13016 bytes
>16:41:30.564461 http.c:756              == Info: Mark bundle as not supporting multiuse
>16:41:30.564492 http.c:703              <= Recv header, 0000000017 bytes (0x00000011)
>16:41:30.564499 http.c:715              <= Recv header: HTTP/1.1 200 OK
>16:41:30.564516 http.c:703              <= Recv header, 0000000026 bytes (0x0000001a)
>16:41:30.564524 http.c:715              <= Recv header: Server: GitHub Babel 2.0
>16:41:30.564534 http.c:703              <= Recv header, 0000000052 bytes (0x00000034)
>16:41:30.564542 http.c:715              <= Recv header: Content-Type: application/x-git-upload-pack-result
>16:41:30.564551 http.c:703              <= Recv header, 0000000028 bytes (0x0000001c)
>16:41:30.564558 http.c:715              <= Recv header: Transfer-Encoding: chunked
>16:41:30.564566 http.c:703              <= Recv header, 0000000040 bytes (0x00000028)
>16:41:30.564573 http.c:715              <= Recv header: Expires: Fri, 01 Jan 1980 00:00:00 GMT
>16:41:30.564581 http.c:703              <= Recv header, 0000000018 bytes (0x00000012)
>16:41:30.564587 http.c:715              <= Recv header: Pragma: no-cache
>16:41:30.564595 http.c:703              <= Recv header, 0000000053 bytes (0x00000035)
>16:41:30.564602 http.c:715              <= Recv header: Cache-Control: no-cache, max-age=0, must-revalidate
>16:41:30.564611 http.c:703              <= Recv header, 0000000023 bytes (0x00000017)
>16:41:30.564617 http.c:715              <= Recv header: Vary: Accept-Encoding
>16:41:30.564625 http.c:703              <= Recv header, 0000000023 bytes (0x00000017)
>16:41:30.564632 http.c:715              <= Recv header: X-Frame-Options: DENY
>16:41:30.564640 http.c:703              <= Recv header, 0000000057 bytes (0x00000039)
>16:41:30.564647 http.c:715              <= Recv header: X-GitHub-Request-Id: 9046:18D3:A857299:F314D4C:5F919A1A
>16:41:30.564656 http.c:703              <= Recv header, 0000000002 bytes (0x00000002)
>16:41:30.564663 http.c:715              <= Recv header:
>16:41:30.649354 run-command.c:663       trace: run_command: git index-pack --stdin -v --fix-thin '--keep=fetch-pack 32851 on box' --check-self-contained-and-connected
>16:41:30.651375 git.c:444               trace: built-in: git index-pack --stdin -v --fix-thin '--keep=fetch-pack 32851 on box' --check-self-contained-and-connected
>remote: Enumerating objects: 214, done.
>---------------------------------------------------
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-10-22 14:52:09 UTC
I'll tentatively add the blocker but I suspect this is somehow related to exactly what that bug fixes (middlebox interference). Whissi and Polynomial-C talked through a similar problem before...
Comment 7 Larry the Git Cow gentoo-dev 2020-10-23 12:16:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6ebfd820b1074bbdd0409328af0af1328fdd3ee9

commit 6ebfd820b1074bbdd0409328af0af1328fdd3ee9
Author:     Sam James <sam@gentoo.org>
AuthorDate: 2020-10-23 12:16:11 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2020-10-23 12:16:16 +0000

    dev-libs/nss: drop 3.58 stable keywords
    
    There is a regression in 3.58 currently being
    investigated. See the bug for details.
    
    Bug: https://bugs.gentoo.org/750746
    Bug: https://bugs.gentoo.org/750254
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-libs/nss/nss-3.58.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
Comment 8 Thomas Deutschmann gentoo-dev 2020-10-23 12:54:36 UTC
Removing git because git itself is not affected. It's only cURL using the NSS backend, and git because of git[curl] using that version.
Comment 9 Larry the Git Cow gentoo-dev 2020-10-23 16:19:33 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0b684bfbdff41cbaab1a6c1969c931a1670395d7

commit 0b684bfbdff41cbaab1a6c1969c931a1670395d7
Author:     Thomas Deutschmann <whissi@gentoo.org>
AuthorDate: 2020-10-23 16:19:06 +0000
Commit:     Thomas Deutschmann <whissi@gentoo.org>
CommitDate: 2020-10-23 16:19:06 +0000

    dev-libs/nss: always tolerate the first CCS in TLS 1.3
    
    Bug: https://bugs.gentoo.org/750746
    Package-Manager: Portage-3.0.8, Repoman-3.0.2
    Signed-off-by: Thomas Deutschmann <whissi@gentoo.org>

 ...8-always-tolerate-the-first-CCS-in-TLS1.3.patch | 111 +++++++++++++++++++++
 .../nss/{nss-3.58.ebuild => nss-3.58-r1.ebuild}    |   1 +
 2 files changed, 112 insertions(+)
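What the commit title above refers to, as an added example that is not part of this bug report or of NSS's code: RFC 8446, Appendix D.4, requires a TLS 1.3 endpoint to silently drop an unencrypted change_cipher_spec record holding the single byte 0x01 when it arrives after the first ClientHello and before the peer's Finished (servers in middlebox-compatibility mode send one, and the -12251 in the summary is NSS's SSL_ERROR_RX_MALFORMED_CHANGE_CIPHER). The model below is constructed: it parses a server's record stream, drops exactly one such CCS, and aborts on a malformed body, a second CCS, or a CCS outside that window. The `tolerate_first_ccs=False` reader is only a contrast that rejects every CCS so the same stream fails instead of completing; it is not a reconstruction of what NSS 3.58 did. Record and handshake bodies are placeholder bytes and nothing is decrypted.

```python
import struct
from typing import List, Tuple

# Record content types and handshake message types from RFC 8446.
CONTENT_CHANGE_CIPHER_SPEC = 20
CONTENT_HANDSHAKE = 22
HS_SERVER_HELLO = 2
HS_FINISHED = 20
LEGACY_RECORD_VERSION = 0x0303  # value TLS 1.3 puts in the record header

def parse_records(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a byte stream into TLSPlaintext records: 5-byte header + body."""
    records, off = [], 0
    while off < len(data):
        if len(data) - off < 5:
            raise ValueError("truncated record header")
        ctype, _version, length = struct.unpack("!BHH", data[off:off + 5])
        off += 5
        if len(data) - off < length:
            raise ValueError("truncated record body")
        records.append((ctype, data[off:off + length]))
        off += length
    return records

def build_record(ctype: int, payload: bytes) -> bytes:
    return struct.pack("!BHH", ctype, LEGACY_RECORD_VERSION, len(payload)) + payload

def build_handshake(msg_type: int, body: bytes) -> bytes:
    # Handshake message: 1-byte type, 3-byte length, body (placeholder bytes here).
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

class HandshakeError(Exception):
    """Stands in for aborting the handshake with an unexpected_message alert."""

class Tls13ClientReader:
    """Constructed model of a client's record reader during the handshake.

    tolerate_first_ccs=True applies RFC 8446 D.4: one well-formed CCS inside the
    window is dropped.  False is only a contrast that rejects every CCS.
    """

    def __init__(self, tolerate_first_ccs: bool = True):
        self.tolerate_first_ccs = tolerate_first_ccs
        self.client_hello_sent = False
        self.peer_finished_seen = False
        self.ccs_dropped = 0
        self.log: List[str] = []

    def send_client_hello(self) -> None:
        self.client_hello_sent = True
        self.log.append("tx ClientHello")

    def handle(self, rec: Tuple[int, bytes]) -> None:
        ctype, payload = rec
        if ctype == CONTENT_CHANGE_CIPHER_SPEC:
            # Only the single byte 0x01 is a valid CCS body (RFC 8446, section 5).
            if payload != b"\x01":
                raise HandshakeError("malformed change_cipher_spec body")
            in_window = self.client_hello_sent and not self.peer_finished_seen
            if not (self.tolerate_first_ccs and in_window and self.ccs_dropped == 0):
                raise HandshakeError("unexpected change_cipher_spec")
            self.ccs_dropped += 1
            self.log.append("dropped compat CCS")
        elif ctype == CONTENT_HANDSHAKE:
            msg_type = payload[0]  # one message per record in this model
            self.log.append(f"rx handshake type {msg_type}")
            if msg_type == HS_FINISHED:
                self.peer_finished_seen = True
        else:
            raise HandshakeError(f"unhandled content type {ctype}")

def run_client(stream: bytes, tolerate_first_ccs: bool = True) -> List[str]:
    """Feed a server-to-client byte stream to a fresh reader; return its event log."""
    reader = Tls13ClientReader(tolerate_first_ccs)
    reader.send_client_hello()
    for rec in parse_records(stream):
        reader.handle(rec)
    return reader.log

def handshake_outcome(stream: bytes, tolerate_first_ccs: bool = True) -> str:
    """'ok' or the abort reason, so the two reader behaviours can be compared."""
    try:
        run_client(stream, tolerate_first_ccs)
        return "ok"
    except HandshakeError as exc:
        return str(exc)

# Constructed server flight: ServerHello, middlebox-compat CCS, Finished.  Nothing is
# decrypted here; the records after ServerHello stand in for their decrypted contents.
SERVER_HELLO = build_record(CONTENT_HANDSHAKE, build_handshake(HS_SERVER_HELLO, b"\x03\x03" + b"\x00" * 32))
COMPAT_CCS = build_record(CONTENT_CHANGE_CIPHER_SPEC, b"\x01")
FINISHED = build_record(CONTENT_HANDSHAKE, build_handshake(HS_FINISHED, b"\x00" * 32))
COMPAT_FLIGHT = SERVER_HELLO + COMPAT_CCS + FINISHED

if __name__ == "__main__":
    print("tolerant reader:", handshake_outcome(COMPAT_FLIGHT, True))
    print("strict reader:  ", handshake_outcome(COMPAT_FLIGHT, False))
    print("second CCS:     ", handshake_outcome(SERVER_HELLO + COMPAT_CCS + COMPAT_CCS + FINISHED))
```

The window check is the part that matters for a reviewer: the CCS is accepted only between the client's own ClientHello and the peer's Finished, only once, and only with the exact one-byte body, so a reader that is lenient here still rejects a CCS injected after the handshake or carrying any other payload.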
Comment 10 Thomas Deutschmann gentoo-dev 2020-10-26 15:11:13 UTC
Fixed in -r1.