Bug#706008: iceweasel / nss bug or problem

franz schaefer mond at ist.ac.at
Tue Apr 23 13:45:17 UTC 2013


Package: iceweasel
Version: 10.0.12esr-1



after upgrading to wheezy and iceweasel 10.0.12esr-1

when i tried to connect to an older appliance (HP) via https i got:

---------------------------
 Secure Connection Failed
      
 An error occurred during a connection to x.x.x.x

  The page you are trying to view can not be shown because the authenticity
 of the received data could not be verified.
   Please contact the website owners to inform them of this problem.

 Alternatively, use the command found in the help menu to report this broken
 site.
----------------------------------


and no option to ignore this.

as a workaround:

i had to set:

before starting iceweasel

export NSS_ALLOW_WEAK_SIGNATURE_ALG=1 

it would be good to have an option to allow this on a site by site basis in
the browser.

the nss website says the above environment setting does:

>  Enables the use of MD2 and MD4 inside signatures. This was allowed by
>  default before NSS 3.12.3.

when connecting to the server via:

 openssl s_client -connect 

i get:

New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : DHE-RSA-AES256-SHA


when i examine the self signed certificate it tells me:

$ openssl x509 -in q -text | grep Signature
    Signature Algorithm: md5WithRSAEncryption
    Signature Algorithm: md5WithRSAEncryption


so i am not really sure why this is rejected at all. but i thought i'd share
the solution here in case other people have that problem as well.

mond
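
Added example (not part of the original report): a small shell check that reads the kind of `openssl s_client` and `openssl x509 -text` output quoted above and flags an MD2/MD4/MD5 certificate signature, a short server key and missing secure renegotiation. The function names, the finding labels and the 2048-bit threshold are assumptions made for this example; the sample input is constructed from the lines in the report.

```shell
#!/bin/sh
# Audit pasted openssl output for the weak settings seen in this report.
# Reads `openssl s_client` / `openssl x509 -text` output on stdin and prints
# one finding per line. MIN_KEY_BITS is an assumed policy threshold.
MIN_KEY_BITS=${MIN_KEY_BITS:-2048}

audit_tls_report() {
    awk -v min="$MIN_KEY_BITS" '
        # e.g. "Signature Algorithm: md5WithRSAEncryption"
        # x509 -text prints this line twice per certificate, so de-duplicate.
        /Signature Algorithm:/ {
            alg = $NF
            if (tolower(alg) ~ /^(md2|md4|md5)with/ && !(alg in seen)) {
                seen[alg] = 1
                print "WEAK_SIGNATURE " alg
            }
        }
        # e.g. "Server public key is 1024 bit"
        /Server public key is [0-9]+ bit/ {
            for (i = 1; i <= NF; i++)
                if ($i == "is" && $(i + 1) + 0 < min)
                    print "SHORT_KEY " $(i + 1)
        }
        # e.g. "Secure Renegotiation IS NOT supported"
        /Secure Renegotiation IS NOT supported/ { print "NO_SECURE_RENEGOTIATION" }
    '
}

# Constructed sample input, assembled from the output quoted in the report.
sample_report() {
    cat <<'EOF'
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
    Signature Algorithm: md5WithRSAEncryption
    Signature Algorithm: md5WithRSAEncryption
EOF
}

sample_report | audit_tls_report
```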


