Comparing the log.moz_log from running thunderbird with MOZ_LOG=nsHttp:3
and MOZ_LOG_FILE=log in the environment shows
Http2Session::ConfirmTLSProfile gets version=304 from
ssl->GetSSLVersionUsed() in 78.10.0 and version=ffffffff
(nsISSLSocketControl::SSL_VERSION_UNKNOWN) in 78.11.0, which causes
Http2Session::ConfirmTLSProfile "FAILED due to lack of TLS1.2" and
INADEQUATE_SECURITY[1]:
I/nsHttp Http2Session::ConfirmTLSProfile 0x7f78dbdb7000 version=ffffffff
I/nsHttp Http2Session::ConfirmTLSProfile 0x7f78dbdb7000 FAILED due to lack
of TLS1.2
I/nsHttp Http2Session::SessionError 0x7f78dbdb7000 reason=0xc
mPeerGoAwayReason=0x1f
I/nsHttp Http2Session::ReadSegments 0x7f78dbdb7000 returning
INADEQUATE_SECURITY 804b0052
Setting a breakpoint on SSL_GetChannelInfo revealed that it is called by
PreliminaryHandshakeDone with len = 128 by 78.10.0 and len = 136 by
78.11.0, which causes `len > sizeof inf` to fail and return SECFailure
(because `sizeof inf` is 128).
It appears that SSLChannelInfo added pskType in NSS 3.54, echAccepted
in NSS 3.60, and isFIPS in NSS 3.66. Perhaps there is a version
mismatch?
Best,
Kevin
[ConfirmTLSProfile]:
https://hg.mozilla.org/releases/mozilla-esr78/file/FIREFOX_78_11_0esr_RELEASE/netwerk/protocol/http/Http2Session.cpp#l4194
[PreliminaryHandshakeDone]:
https://hg.mozilla.org/releases/mozilla-esr78/file/FIREFOX_78_11_0esr_RELEASE/security/manager/ssl/nsNSSCallbacks.cpp#l700
[SSL_GetChannelInfo]:
https://hg.mozilla.org/releases/mozilla-esr78/file/FIREFOX_78_11_0esr_RELEASE/security/nss/lib/ssl/sslinfo.c#l13
[SSLChannelInfo FF78]:
https://hg.mozilla.org/releases/mozilla-esr78/file/FIREFOX_78_11_0esr_RELEASE/security/nss/lib/ssl/sslt.h#l293
[SSLChannelInfo tip]:
https://hg.mozilla.org/mozilla-central/file/tip/security/nss/lib/ssl/sslt.h#l299
