GNU bug report logs -
#32833
IceCat 60 certificate validation fails when using system NSS
Previous Next
Reported by: Mike Gerwitz <mtg <at> gnu.org>
Date: Tue, 25 Sep 2018 04:30:02 UTC
Severity: normal
Done: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
Bug is archived. No further changes may be made.
To add a comment to this bug, you must first unarchive it, by sending
a message to control AT debbugs.gnu.org, with unarchive 32833 in the body.
You can then email your comments to 32833 AT debbugs.gnu.org in the normal way.
Toggle the display of automated, internal messages from the tracker.
Report forwarded
to
bug-guix <at> gnu.org:
bug#32833; Package
guix.
(Tue, 25 Sep 2018 04:30:03 GMT)
Full text and
rfc822 format available.
Acknowledgement sent
to
Mike Gerwitz <mtg <at> gnu.org>:
New bug report received and forwarded. Copy sent to
bug-guix <at> gnu.org.
(Tue, 25 Sep 2018 04:30:03 GMT)
Full text and
rfc822 format available.
Message #5 received at submit <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
I don't know if this is a problem specific to Guix or upstream; I can
give IceCat a try in a Debian VM tomorrow. But I want to make others
aware of the problem in the meantime:
Even if sites are using HTTPS, IceCat is still saying "This connection
is insecure" if you click on the "i" icon in the URL bar. This seems to
be a problem with every HTTPS site I visit.
On the "Security" tab of the "Page Info" dialog, under "Technical
Details", no certificate information is listed; it simply says
"Connection Not Encrypted". That's clearly not true, otherwise the page
would fail to load. I've tried with sites that use HSTS and don't even
support plaintext connections (e.g. my own)---the pages load just fine.
I haven't played around with sites with expired certificates or anything
yet. But if IceCat is not reporting security status correctly, then
users may be at risk, so be careful in the meantime!
--
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B 2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
bug-guix <at> gnu.org:
bug#32833; Package
guix.
(Tue, 25 Sep 2018 22:02:02 GMT)
Full text and
rfc822 format available.
Message #8 received at 32833 <at> debbugs.gnu.org (full text, mbox):
severity 32833 critical
thanks
Hi Mike,
Mike Gerwitz <mtg <at> gnu.org> writes:
> Even if sites are using HTTPS, IceCat is still saying "This connection
> is insecure" if you click on the "i" icon in the URL bar. This seems to
> be a problem with every HTTPS site I visit.
>
> On the "Security" tab of the "Page Info" dialog, under "Technical
> Details", no certificate information is listed; it simply says
> "Connection Not Encrypted". That's clearly not true, otherwise the page
> would fail to load. I've tried with sites that use HSTS and don't even
> support plaintext connections (e.g. my own)---the pages load just fine.
>
> I haven't played around with sites with expired certificates or anything
> yet. But if IceCat is not reporting security status correctly, then
> users may be at risk, so be careful in the meantime!
Thanks for reporting this. I see the same problem, which is a surprise.
I would have expected some notification that something went wrong, but I
don't remember any.
Given the severity of this issue, we should prioritize deploying a
working fix ASAP, even if it's an ugly hack or workaround.
To begin, I'm currently building IceCat using the bundled NSPR and NSS,
to see if that helps. If that fails, I'll look more closely at IceCat's
customizations to the default "about:config" settings. The 'strace'
output might also have some clues.
I would welcome others to make their own efforts to find a fix for this
issue, or to share their ideas.
> I don't know if this is a problem specific to Guix or upstream; I can
> give IceCat a try in a Debian VM tomorrow.
Please do. It would be _very_ helpful to know if this problem is
Guix-specific.
Thanks,
Mark
Severity set to 'critical' from 'normal'
Request was from
Mark H Weaver <mhw <at> netris.org>
to
control <at> debbugs.gnu.org.
(Tue, 25 Sep 2018 22:02:03 GMT)
Full text and
rfc822 format available.
Information forwarded
to
bug-guix <at> gnu.org:
bug#32833; Package
guix.
(Wed, 26 Sep 2018 00:17:01 GMT)
Full text and
rfc822 format available.
Message #13 received at 32833 <at> debbugs.gnu.org (full text, mbox):
Mark H Weaver <mhw <at> netris.org> writes:
> To begin, I'm currently building IceCat using the bundled NSPR and NSS,
> to see if that helps.
Using the bundled NSPR and NSS works around the problem for me. I just
pushed this change in commit 6d328879378fac95240005233331f596fb5c68ed on
'master'. See also the related, immediately preceding commits
257e3247910610fe24ae1b86f38e85552d53e48c and
94e96f7f68c3b9053fdb5dee5b0ab614163aaa08.
I'm keeping this bug report open, since it would be good to find a
better fix which avoids using the bundled libraries.
Mark
Information forwarded
to
bug-guix <at> gnu.org:
bug#32833; Package
guix.
(Wed, 26 Sep 2018 00:35:02 GMT)
Full text and
rfc822 format available.
Message #16 received at 32833 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Tue, Sep 25, 2018 at 20:16:16 -0400, Mark H Weaver wrote:
> Mark H Weaver <mhw <at> netris.org> writes:
>> To begin, I'm currently building IceCat using the bundled NSPR and NSS,
>> to see if that helps.
>
> Using the bundled NSPR and NSS works around the problem for me. I just
> pushed this change in commit 6d328879378fac95240005233331f596fb5c68ed on
> 'master'. See also the related, immediately preceding commits
> 257e3247910610fe24ae1b86f38e85552d53e48c and
> 94e96f7f68c3b9053fdb5dee5b0ab614163aaa08.
Great!
> I'm keeping this bug report open, since it would be good to find a
> better fix which avoids using the bundled libraries.
I wish I knew enough to suggest a better solution.
It's a little late now, but I just tested the IceCat binary on a Debian
machine and HTTPS works as expected.
Thanks again for your work on this. Maybe I'll let IceCat build
overnight so I can give it a try tomorrow (still on my X200).
--
Mike Gerwitz
[signature.asc (application/pgp-signature, inline)]
Information forwarded
to
bug-guix <at> gnu.org:
bug#32833; Package
guix.
(Wed, 26 Sep 2018 04:57:02 GMT)
Full text and
rfc822 format available.
Message #19 received at 32833 <at> debbugs.gnu.org (full text, mbox):
[Message part 1 (text/plain, inline)]
On Tue, Sep 25, 2018 at 20:30:57 -0400, Mike Gerwitz wrote:
> Thanks again for your work on this. Maybe I'll let IceCat build
> overnight so I can give it a try tomorrow (still on my X200).
LGTM.
--
Mike Gerwitz
[signature.asc (application/pgp-signature, inline)]
Changed bug title to 'IceCat 60 certificate validation fails when using system NSS' from 'IceCat 60 showing sites as "insecure" despite using HTTPS'
Request was from
Mark H Weaver <mhw <at> netris.org>
to
control <at> debbugs.gnu.org.
(Wed, 26 Sep 2018 22:50:02 GMT)
Full text and
rfc822 format available.
Severity set to 'normal' from 'critical'
Request was from
Mark H Weaver <mhw <at> netris.org>
to
control <at> debbugs.gnu.org.
(Wed, 26 Sep 2018 22:50:02 GMT)
Full text and
rfc822 format available.
Reply sent
to
Maxim Cournoyer <maxim.cournoyer <at> gmail.com>:
You have taken responsibility.
(Tue, 29 Aug 2023 03:41:02 GMT)
Full text and
rfc822 format available.
Notification sent
to
Mike Gerwitz <mtg <at> gnu.org>:
bug acknowledged by developer.
(Tue, 29 Aug 2023 03:41:02 GMT)
Full text and
rfc822 format available.
Message #28 received at 32833-done <at> debbugs.gnu.org (full text, mbox):
Hello,
Mike Gerwitz <mtg <at> gnu.org> writes:
> On Tue, Sep 25, 2018 at 20:16:16 -0400, Mark H Weaver wrote:
>> Mark H Weaver <mhw <at> netris.org> writes:
>>> To begin, I'm currently building IceCat using the bundled NSPR and NSS,
>>> to see if that helps.
>>
>> Using the bundled NSPR and NSS works around the problem for me. I just
>> pushed this change in commit 6d328879378fac95240005233331f596fb5c68ed on
>> 'master'. See also the related, immediately preceding commits
>> 257e3247910610fe24ae1b86f38e85552d53e48c and
>> 94e96f7f68c3b9053fdb5dee5b0ab614163aaa08.
>
> Great!
>
>> I'm keeping this bug report open, since it would be good to find a
>> better fix which avoids using the bundled libraries.
>
> I wish I knew enough to suggest a better solution.
>
> It's a little late now, but I just tested the IceCat binary on a Debian
> machine and HTTPS works as expected.
>
> Thanks again for your work on this. Maybe I'll let IceCat build
> overnight so I can give it a try tomorrow (still on my X200).
I'm closing this issue, since we're now using the Guix provided nss and
nspr packages for building IceCat since a while, and there doesn't
appear to be an issue with doing so.
--
Thanks,
Maxim
bug archived.
Request was from
Debbugs Internal Request <help-debbugs <at> gnu.org>
to
internal_control <at> debbugs.gnu.org.
(Tue, 26 Sep 2023 11:24:06 GMT)
Full text and
rfc822 format available.
This bug report was last modified 206 days ago.
Previous Next
GNU bug tracking system
Copyright (C) 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson.