Bug#770508: iceweasel: cannot override certificate validation problems with mozilla::pkix, connection hangs
Peter Amstutz
peter.amstutz at curoverse.com
Sat Nov 22 01:36:16 UTC 2014
Thanks for the response.
This bug initially surfaced for me when iceweasel was upgraded from 30 to 31 about three months ago. I re-tested for the behavior after upgrading the package yesterday and am getting the same result: attempting to make a TLS connection to a server that uses a self-signed certificate hangs without returning an error. This is puzzling since the bug reports out there seem to indicate people are experiencing the bug by having the connection fail with a non-overridable error reported, which is different from having the connection not do anything at all.
This is an about:config workaround; with this setting I am able to override the certificate error and connect to my site:
security.use_mozillapkix_verification = false
This does strongly indicate that the problem is linked to the introduction of mozilla::pkix.
I realize that I should re-test with a clean profile; it could be that there are old certificates and/or plugins in my regular browsing profile that are causing problems. To investigate further, I will see about setting up a dummy server with the guilty certificates to see if you can reproduce.
Thanks,
Peter
> On Nov 21, 2014, at 5:51 PM, Mike Hommey <mh at glandium.org> wrote:
>
> On Fri, Nov 21, 2014 at 03:49:06PM -0500, Peter Amstutz wrote:
>> Package: iceweasel
>> Version: 31.2.0esr-3
>> Severity: important
>> Tags: upstream
>>
>> Dear Maintainer,
>>
>> Firefox 31 introduced a new certificate validation library "mozilla::pkix".
>> This introduced regressions, where previously the user could override the
>> validation error and connect anyway ("this connection is untrusted!"), in
>> jessie iceweasel attempting to connect to the same sites results in a silent
>> hang (it appears to be loading forever with no feedback as to what is wrong).
>>
>> (Subjectively, when this happens it also appears to affect the overall
>> stability of the browser, as it seems like other sites become slow to load or
>> fail to load entirely until the browser is restarted).
>>
>> Based on the following discussion, it appears that this behavior is addressed
>> in Firefox 33, and in the Enterprise Support Release (ESR) of Firefox 31:
>>
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1042889
>
> That bug is fixed in 33 and 31.2, both of which are in Debian already.
> Are you saying the versions in Debian are still affected?
>
> Mike