Re: www/firefox can't connect to google.com

Landry Breuil Fri, 06 Jan 2017 11:32:03 -0800

On Fri, Jan 06, 2017 at 05:07:54PM +0100, Landry Breuil wrote:
> On Fri, Jan 06, 2017 at 04:55:40PM +0100, Landry Breuil wrote:
> > On Fri, Jan 06, 2017 at 10:43:08AM -0500, Daniel Jakots wrote:
> > > On Fri, 6 Jan 2017 11:08:56 +0100, Landry Breuil <[email protected]>
> > > wrote:
> > > 
> > > > On Fri, Jan 06, 2017 at 10:59:40AM +0100, Solène Rapenne wrote:
> > > > > Le 2017-01-06 10:47, Solène Rapenne a écrit :  
> > > > > > Le 2017-01-06 10:38, Landry Breuil a écrit :  
> > > > > > > On Fri, Jan 06, 2017 at 10:33:04AM +0100, Solène Rapenne
> > > > > > > wrote:  
> > > > > > > > Hello,
> > > > > > > > 
> > > > > > > > I upgraded my amd64 -current this morning (OpenBSD 6.0-current
> > > > > > > > (GENERIC.MP)
> > > > > > > > #110: Thu Jan  5 20:32:18 MST 2017)
> > > > > > > > 
> > > > > > > > With the latest firefox version (firefox-50.1.0) I can't
> > > > > > > > connect to www.google.com, I get the following message
> > > > > > > > 
> > > > > > > > Your connection is not secure
> > > > > > > > The website tried to negotiate an inadequate level of
> > > > > > > > security. google.com uses security technology that is
> > > > > > > > outdated and vulnerable to
> > > > > > > > attack. An attacker could easily reveal information which you
> > > > > > > > thought to be
> > > > > > > > safe. The website administrator will need to fix the server
> > > > > > > > first before you
> > > > > > > > can visit the site.
> > > > > > > > Error code: NS_ERROR_NET_INADEQUATE_SECURITY
> > > > > > > > 
> > > > > > > > 
> > > > > > > > I tried a few others SSL websites and they all works.  
> > > > > > > 
> > > > > > > Iirc that's due to the fact that some certs were removed from
> > > > > > > cert.pem and those were in the cert chain for google. Should be
> > > > > > > fixed or a fix is
> > > > > > > in the works.
> > > > > > > 
> > > > > > > That's the perfect occasion to start using another search
> > > > > > > engine which respects users' privacy :)
> > > > > > > 
> > > > > > > Landry  
> > > > > > 
> > > > > > For what it worth, the problem occurs with firefox-esr too, but it
> > > > > > doesn't
> > > > > > show an error, it just fails silently and keep the current page
> > > > > > viewed.  
> > > > > 
> > > > > thanks to johany@ on IRC, setting network.http.spdy.enabled.http2
> > > > > to false in
> > > > > about:config works as a workaround  
> > > > 
> > > > Ah. Then maybe it's a fuckup with TLS1.3 in nss 3.28. Maybe 3.28.1
> > > > will fix this. Or not.
> > > 
> > > FYI, still broken with 3.28.1.
> > 
> > Aaah, crap, now that rings a bell. Cf
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1323209 and
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1290037. Fuck. Fuckety Fuck.
> > 
> > So http/2 is broken with nss > 3.28... hm. I'm not sure waiting for 51 /
> > next esr release is the right solution, since that's planned for the 24.
> > Guess reverting the nss update is the solution. Sigh.
> 
> Two options (well, three)
> - try rebuilding nss 3.28.1 without NSS_ENABLE_TLS_1_3=1, see if that
>   helps (i think it's unrelated but who knows..)
> - apply https://bug1290037.bmoattachments.org/attachment.cgi?id=8778661
>   to firefox, rebuild - should fixit


Here are the full diffs for esr and mainline. I'll commit them when
someone confirms me this fixes the issue (cant test tonight)

Landry

Index: Makefile
===================================================================
RCS file: /cvs/ports/www/firefox-esr/Makefile,v
retrieving revision 1.44
diff -u -r1.44 Makefile
--- Makefile    14 Dec 2016 13:44:19 -0000      1.44
+++ Makefile    6 Jan 2017 19:29:34 -0000
@@ -8,6 +8,7 @@
 MOZILLA_CODENAME =     browser
 BROKEN-sparc64 =       xpcshell SIGBUS during fake
 EXTRACT_SUFX =         .tar.xz
+REVISION =     0
 
 PKGNAME =      ${MOZILLA_PROJECT}-esr-${MOZILLA_VERSION:S/esr//}
 SO_VERSION =   3.0
Index: patches/patch-netwerk_protocol_http_Http2Session_cpp
===================================================================
RCS file: patches/patch-netwerk_protocol_http_Http2Session_cpp
diff -N patches/patch-netwerk_protocol_http_Http2Session_cpp
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-netwerk_protocol_http_Http2Session_cpp        6 Jan 2017 
19:29:34 -0000
@@ -0,0 +1,18 @@
+$OpenBSD$
+
+Bug 1290037: Fix HTTP/2 with nss 3.28.
+https://hg.mozilla.org/mozilla-central/rev/361ac226da2a
+
+--- netwerk/protocol/http/Http2Session.cpp.orig        Mon Jul 25 14:12:07 2016
++++ netwerk/protocol/http/Http2Session.cpp     Fri Jan  6 19:46:48 2017
+@@ -3521,8 +3521,8 @@ Http2Session::ConfirmTLSProfile()
+     LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to DH %d < 2048\n",
+           this, keybits));
+     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
+-  } else if (kea == ssl_kea_ecdh && keybits < 256) { // 256 bits is "security 
level" of 128
+-    LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 256\n",
++  } else if (kea == ssl_kea_ecdh && keybits < 224) { // see rfc7540 9.2.1.
++    LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 224\n",
+           this, keybits));
+     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
+   }

Index: Makefile
===================================================================
RCS file: /cvs/ports/www/mozilla-firefox/Makefile,v
retrieving revision 1.306
diff -u -r1.306 Makefile
--- Makefile    14 Dec 2016 13:30:34 -0000      1.306
+++ Makefile    6 Jan 2017 19:29:04 -0000
@@ -10,6 +10,7 @@
 MOZILLA_CODENAME =     browser
 BROKEN-sparc64 =       xpcshell SIGBUS during fake
 EXTRACT_SUFX =         .tar.xz
+REVISION =     0
 
 SO_VERSION =   68.0
 # NOTE: Must bump minor version if any shlib's are removed from the
Index: patches/patch-netwerk_protocol_http_Http2Session_cpp
===================================================================
RCS file: patches/patch-netwerk_protocol_http_Http2Session_cpp
diff -N patches/patch-netwerk_protocol_http_Http2Session_cpp
--- /dev/null   1 Jan 1970 00:00:00 -0000
+++ patches/patch-netwerk_protocol_http_Http2Session_cpp        6 Jan 2017 
19:29:04 -0000
@@ -0,0 +1,18 @@
+$OpenBSD$
+
+Bug 1290037: Fix HTTP/2 with nss 3.28.
+https://hg.mozilla.org/mozilla-central/rev/361ac226da2a
+
+--- netwerk/protocol/http/Http2Session.cpp.orig        Mon Oct 31 21:15:27 2016
++++ netwerk/protocol/http/Http2Session.cpp     Fri Jan  6 20:19:41 2017
+@@ -3542,8 +3542,8 @@ Http2Session::ConfirmTLSProfile()
+     LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to DH %d < 2048\n",
+           this, keybits));
+     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
+-  } else if (kea == ssl_kea_ecdh && keybits < 256) { // 256 bits is "security 
level" of 128
+-    LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 256\n",
++  } else if (kea == ssl_kea_ecdh && keybits < 224) { // see rfc7540 9.2.1.
++    LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 224\n",
+           this, keybits));
+     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
+   }

Re: www/firefox can't connect to google.com

Reply via email to