Bug#770508: iceweasel: cannot override certificate validation problems with mozilla::pkix, connection hangs

Peter Amstutz peter.amstutz at curoverse.com
Sat Nov 22 01:36:16 UTC 2014


Thanks for the response.

This bug initially surfaced for me when iceweasel was upgraded from 30 to 31 about three months ago.  I re-tested for the behavior after upgrading the package yesterday and am getting the same result: attempting to make a TLS connection to a server that uses a self-signed certificate hangs without returning an error.  This is puzzling since the bug reports out there seem to indicate people are experiencing the bug by having the connection fail with a non-overridable error reported, which is different from having the connection not do anything at all.  

This is an about:config workaround; with this setting I am able to override the certificate error and connect to my site:

security.use_mozillapkix_verification = false

This does strongly indicate that the problem is linked to the introduction of mozilla::pkix.

I realize that I should re-test with a clean profile; it could be that there are old certificates and/or plugins in my regular browsing profile that are causing problems.  To investigate further, I will see about setting up a dummy server with the guilty certificates to see if you can reproduce.

Thanks,
Peter

> On Nov 21, 2014, at 5:51 PM, Mike Hommey <mh at glandium.org> wrote:
> 
> On Fri, Nov 21, 2014 at 03:49:06PM -0500, Peter Amstutz wrote:
>> Package: iceweasel
>> Version: 31.2.0esr-3
>> Severity: important
>> Tags: upstream
>> 
>> Dear Maintainer,
>> 
>> Firefox 31 introduced a new certificate validation library "mozilla::pkix".
>> This introduced regressions, where previously the user could override the
>> validation error and connect anyway ("this connection is untrusted!"), in
>> jessie iceweasel attempting to connect to the same sites results in a silent
>> hang (it appears to be loading forever with no feedback as to what is wrong).
>> 
>> (Subjectively, when this happens it also appears to affect the overall
>> stability of the browser, as it seems like other sites become slow to load or
>> fail to load entirely until the browser is restarted).
>> 
>> Based on the following discussion, it appears that this behavior is addressed
>> in Firefox 33, and in the Enterprise Support Release (ESR) of Firefox 31:
>> 
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1042889
> 
> That bug is fixed in 33 and 31.2, both of which are in Debian already.
> Are you saying the versions in Debian are still affected?
> 
> Mike



More information about the pkg-mozilla-maintainers mailing list