Re: www/firefox can't connect to google.com

Kenneth R Westerback Fri, 06 Jan 2017 12:10:33 -0800

On 01/06, Landry Breuil wrote:
> On Fri, Jan 06, 2017 at 05:07:54PM +0100, Landry Breuil wrote:
> > On Fri, Jan 06, 2017 at 04:55:40PM +0100, Landry Breuil wrote:
> > > On Fri, Jan 06, 2017 at 10:43:08AM -0500, Daniel Jakots wrote:
> > > > On Fri, 6 Jan 2017 11:08:56 +0100, Landry Breuil <lan...@openbsd.org>
> > > > wrote:
> > > > 
> > > > > On Fri, Jan 06, 2017 at 10:59:40AM +0100, Sol?ne Rapenne wrote:
> > > > > > Le 2017-01-06 10:47, Sol?ne Rapenne a ?crit?:  
> > > > > > > Le 2017-01-06 10:38, Landry Breuil a ?crit?:  
> > > > > > > > On Fri, Jan 06, 2017 at 10:33:04AM +0100, Sol?ne Rapenne
> > > > > > > > wrote:  
> > > > > > > > > Hello,
> > > > > > > > > 
> > > > > > > > > I upgraded my amd64 -current this morning (OpenBSD 6.0-current
> > > > > > > > > (GENERIC.MP)
> > > > > > > > > #110: Thu Jan  5 20:32:18 MST 2017)
> > > > > > > > > 
> > > > > > > > > With the latest firefox version (firefox-50.1.0) I can't
> > > > > > > > > connect to www.google.com, I get the following message
> > > > > > > > > 
> > > > > > > > > Your connection is not secure
> > > > > > > > > The website tried to negotiate an inadequate level of
> > > > > > > > > security. google.com uses security technology that is
> > > > > > > > > outdated and vulnerable to
> > > > > > > > > attack. An attacker could easily reveal information which you
> > > > > > > > > thought to be
> > > > > > > > > safe. The website administrator will need to fix the server
> > > > > > > > > first before you
> > > > > > > > > can visit the site.
> > > > > > > > > Error code: NS_ERROR_NET_INADEQUATE_SECURITY
> > > > > > > > > 
> > > > > > > > > 
> > > > > > > > > I tried a few others SSL websites and they all works.  
> > > > > > > > 
> > > > > > > > Iirc that's due to the fact that some certs were removed from
> > > > > > > > cert.pem and those were in the cert chain for google. Should be
> > > > > > > > fixed or a fix is
> > > > > > > > in the works.
> > > > > > > > 
> > > > > > > > That's the perfect occasion to start using another search
> > > > > > > > engine which respects users' privacy :)
> > > > > > > > 
> > > > > > > > Landry  
> > > > > > > 
> > > > > > > For what it worth, the problem occurs with firefox-esr too, but it
> > > > > > > doesn't
> > > > > > > show an error, it just fails silently and keep the current page
> > > > > > > viewed.  
> > > > > > 
> > > > > > thanks to johany@ on IRC, setting network.http.spdy.enabled.http2
> > > > > > to false in
> > > > > > about:config works as a workaround  
> > > > > 
> > > > > Ah. Then maybe it's a fuckup with TLS1.3 in nss 3.28. Maybe 3.28.1
> > > > > will fix this. Or not.
> > > > 
> > > > FYI, still broken with 3.28.1.
> > > 
> > > Aaah, crap, now that rings a bell. Cf
> > > https://bugzilla.mozilla.org/show_bug.cgi?id=1323209 and
> > > https://bugzilla.mozilla.org/show_bug.cgi?id=1290037. Fuck. Fuckety Fuck.
> > > 
> > > So http/2 is broken with nss > 3.28... hm. I'm not sure waiting for 51 /
> > > next esr release is the right solution, since that's planned for the 24.
> > > Guess reverting the nss update is the solution. Sigh.
> > 
> > Two options (well, three)
> > - try rebuilding nss 3.28.1 without NSS_ENABLE_TLS_1_3=1, see if that
> >   helps (i think it's unrelated but who knows..)
> > - apply https://bug1290037.bmoattachments.org/attachment.cgi?id=8778661
> >   to firefox, rebuild - should fixit
> 
> Here are the full diffs for esr and mainline. I'll commit them when
> someone confirms me this fixes the issue (cant test tonight)
> 
> Landry
>


> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/www/firefox-esr/Makefile,v
> retrieving revision 1.44
> diff -u -r1.44 Makefile
> --- Makefile  14 Dec 2016 13:44:19 -0000      1.44
> +++ Makefile  6 Jan 2017 19:29:34 -0000
> @@ -8,6 +8,7 @@
>  MOZILLA_CODENAME =   browser
>  BROKEN-sparc64 =     xpcshell SIGBUS during fake
>  EXTRACT_SUFX =               .tar.xz
> +REVISION =   0
>  
>  PKGNAME =    ${MOZILLA_PROJECT}-esr-${MOZILLA_VERSION:S/esr//}
>  SO_VERSION = 3.0
> Index: patches/patch-netwerk_protocol_http_Http2Session_cpp
> ===================================================================
> RCS file: patches/patch-netwerk_protocol_http_Http2Session_cpp
> diff -N patches/patch-netwerk_protocol_http_Http2Session_cpp
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-netwerk_protocol_http_Http2Session_cpp      6 Jan 2017 
> 19:29:34 -0000
> @@ -0,0 +1,18 @@
> +$OpenBSD$
> +
> +Bug 1290037: Fix HTTP/2 with nss 3.28.
> +https://hg.mozilla.org/mozilla-central/rev/361ac226da2a
> +
> +--- netwerk/protocol/http/Http2Session.cpp.orig      Mon Jul 25 14:12:07 2016
> ++++ netwerk/protocol/http/Http2Session.cpp   Fri Jan  6 19:46:48 2017
> +@@ -3521,8 +3521,8 @@ Http2Session::ConfirmTLSProfile()
> +     LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to DH %d < 2048\n",
> +           this, keybits));
> +     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
> +-  } else if (kea == ssl_kea_ecdh && keybits < 256) { // 256 bits is 
> "security level" of 128
> +-    LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 
> 256\n",
> ++  } else if (kea == ssl_kea_ecdh && keybits < 224) { // see rfc7540 9.2.1.
> ++    LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 
> 224\n",
> +           this, keybits));
> +     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
> +   }

> Index: Makefile
> ===================================================================
> RCS file: /cvs/ports/www/mozilla-firefox/Makefile,v
> retrieving revision 1.306
> diff -u -r1.306 Makefile
> --- Makefile  14 Dec 2016 13:30:34 -0000      1.306
> +++ Makefile  6 Jan 2017 19:29:04 -0000
> @@ -10,6 +10,7 @@
>  MOZILLA_CODENAME =   browser
>  BROKEN-sparc64 =     xpcshell SIGBUS during fake
>  EXTRACT_SUFX =               .tar.xz
> +REVISION =   0
>  
>  SO_VERSION = 68.0
>  # NOTE: Must bump minor version if any shlib's are removed from the
> Index: patches/patch-netwerk_protocol_http_Http2Session_cpp
> ===================================================================
> RCS file: patches/patch-netwerk_protocol_http_Http2Session_cpp
> diff -N patches/patch-netwerk_protocol_http_Http2Session_cpp
> --- /dev/null 1 Jan 1970 00:00:00 -0000
> +++ patches/patch-netwerk_protocol_http_Http2Session_cpp      6 Jan 2017 
> 19:29:04 -0000
> @@ -0,0 +1,18 @@
> +$OpenBSD$
> +
> +Bug 1290037: Fix HTTP/2 with nss 3.28.
> +https://hg.mozilla.org/mozilla-central/rev/361ac226da2a
> +
> +--- netwerk/protocol/http/Http2Session.cpp.orig      Mon Oct 31 21:15:27 2016
> ++++ netwerk/protocol/http/Http2Session.cpp   Fri Jan  6 20:19:41 2017
> +@@ -3542,8 +3542,8 @@ Http2Session::ConfirmTLSProfile()
> +     LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to DH %d < 2048\n",
> +           this, keybits));
> +     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
> +-  } else if (kea == ssl_kea_ecdh && keybits < 256) { // 256 bits is 
> "security level" of 128
> +-    LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 
> 256\n",
> ++  } else if (kea == ssl_kea_ecdh && keybits < 224) { // see rfc7540 9.2.1.
> ++    LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 
> 224\n",
> +           this, keybits));
> +     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
> +   }

I will toss this on the build cycle I was about to start. The non-ESR
one at least. Should know tomorrow or late tonight. :-)

.... Ken

Re: www/firefox can't connect to google.com

Reply via email to