Bug#766062: iceweasel security update DSA 3050-1 breaks sites using SHA1 SSL certificates

Pascal Meunier pmeunier at frontier.com
Mon Oct 20 14:25:43 UTC 2014


Package: iceweasel
Version: 31.2.0esr-2~deb7u1
Severity: important

Dear Maintainer,
Since applying the iceweasel security update DSA 3050-1, sites not using SSLv3 but using
SHA1 SSL certificates are not accessible with Iceweasel.  It gives this error message:
"You have asked Iceweasel to connect securely to xxxxxx (site name), but we can't confirm that your
connection is secure."

These sites are reported by https://www.ssllabs.com/ssltest/analyze.html as not serving SSLv3,
but using a SHA1 certificate.  Sites configured absolutely identically, but not using SHA1
certificates, are accessed correctly by Iceweasel.

SHA1 is valid as part of TLS ciphers.  Disabling SSLv3 does not need to disable SHA1 certificates.
I believe the security update was overly aggressive.

-- Package-specific info:

-- Extensions information
Name: Adblock Edge
Location: ${PROFILE_EXTENSIONS}/{fe272bd1-5f76-4ea4-8501-a05d35d823fc}.xpi
Status: enabled

Name: Default theme
Location: /usr/lib/iceweasel/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled

Name: NoScript
Location: ${PROFILE_EXTENSIONS}/{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
Status: enabled

Name: RefControl
Location: ${PROFILE_EXTENSIONS}/{455D905A-D37C-4643-A9E2-F6FEFAA0424A}.xpi
Status: enabled

Name: Restartless Restart
Location: ${PROFILE_EXTENSIONS}/restartless.restart@erikvold.com.xpi
Status: enabled

Name: RightToClick
Location: ${PROFILE_EXTENSIONS}/{cd617375-6743-4ee8-bac4-fbf10f35729e}.xpi
Status: enabled

-- Plugins information
Name: Gnome Shell Integration
Location: /usr/lib/mozilla/plugins/libgnome-shell-browser-plugin.so
Package: gnome-shell
Status: enabled

Name: Google Talk Plugin
Location: /opt/google/talkplugin/libnpgoogletalk.so
Package: google-talkplugin
Status: enabled

Name: Google Talk Plugin Video Renderer
Location: /opt/google/talkplugin/libnpo1d.so
Package: google-talkplugin
Status: enabled

Name: IcedTea-Web Plugin (using IcedTea-Web 1.4 (1.4-3~deb7u2))
Location: /usr/lib/jvm/java-7-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so
Package: icedtea-7-plugin:amd64
Status: enabled

Name: iTunes Application Detector
Location: /usr/lib/mozilla/plugins/librhythmbox-itms-detection-plugin.so
Package: rhythmbox-plugins
Status: enabled

Name: Shockwave Flash (11.2.202.411)
Location: /usr/lib/flashplugin-nonfree/libflashplayer.so
Status: enabled


-- Addons package information
ii  gnome-shell    3.4.2-7+deb7 amd64        graphical shell for the GNOME des
ii  google-talkplu 5.4.2.0-1    amd64        Google Talk Plugin
ii  icedtea-7-plug 1.4-3~deb7u2 amd64        web browser plugin based on OpenJ
ii  iceweasel      31.2.0esr-2~ amd64        Web browser based on Firefox
ii  rhythmbox-plug 2.97-2.1     amd64        plugins for rhythmbox music playe

-- System Information:
Debian Release: 7.7
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16-0.bpo.2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages iceweasel depends on:
ii  debianutils               4.3.2
ii  fontconfig                2.9.0-7.1
ii  libasound2                1.0.25-4
ii  libatk1.0-0               2.4.0-2
ii  libc6                     2.13-38+deb7u6
ii  libcairo2                 1.12.2-3
ii  libdbus-1-3               1.6.8-1+deb7u4
ii  libdbus-glib-1-2          0.100.2-1
ii  libevent-2.0-5            2.0.19-stable-3
ii  libffi5                   3.0.10-3
ii  libfontconfig1            2.9.0-7.1
ii  libfreetype6              2.4.9-1.1
ii  libgcc1                   1:4.7.2-5
ii  libgdk-pixbuf2.0-0        2.26.1-1
ii  libglib2.0-0              2.33.12+really2.32.4-5
ii  libgtk2.0-0               2.24.10-2
ii  libhunspell-1.3-0         1.3.2-4
ii  libpango1.0-0             1.30.0-1
ii  libsqlite3-0              3.7.13-1+deb7u1
ii  libstartup-notification0  0.12-1
ii  libstdc++6                4.7.2-5
ii  libx11-6                  2:1.5.0-1+deb7u1
ii  libxext6                  2:1.3.1-2+deb7u1
ii  libxrender1               1:0.9.7-1+deb7u1
ii  libxt6                    1:1.1.3-1+deb7u1
ii  procps                    1:3.3.3-3
ii  zlib1g                    1:1.2.7.dfsg-13

iceweasel recommends no packages.

Versions of packages iceweasel suggests:
pn  fonts-mathjax          <none>
pn  fonts-oflb-asana-math  <none>
ii  fonts-stix [otf-stix]  1.1.0-1
ii  libcanberra0           0.28-6
ii  libgnomeui-0           2.24.5-2
ii  libgssapi-krb5-2       1.10.1+dfsg-5+deb7u2
pn  mozplugger             <none>

-- debconf-show failed
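The report blames the failures on SHA1-signed certificates, so the first thing an administrator will want is a way to confirm which signature algorithm a given certificate actually carries before filing or triaging such a bug. The following script is an added example for this report, not code from the reporter or from the iceweasel package: it walks the outer X.509 Certificate SEQUENCE with a minimal DER reader, skips tbsCertificate, and decodes the signatureAlgorithm OID. The OID table, the helper names and the in-memory stub certificates (empty tbsCertificate, dummy signature) are all constructed here for the example; on a real site you would feed it the certificates saved from the browser's certificate viewer or from `openssl s_client -showcerts`.

```python
"""Report the signature algorithm of X.509 certificates (DER or PEM).

Added example for Debian bug #766062; not the reporter's or the package's code.
The stub certificates built by stub_certificate() are constructed samples.
"""
import base64
import re
import sys

# Signature-algorithm OIDs from RFC 3279 / RFC 4055 / RFC 5758 (assumed table).
SIG_OIDS = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}


def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element starting at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _decode_oid(raw):
    """Decode the content bytes of a DER OBJECT IDENTIFIER to dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm(der):
    """Return (dotted OID, known name or None) of the outer signatureAlgorithm.

    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }
    """
    tag, start, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, start)          # skip tbsCertificate
    tag, alg_start, _ = _read_tlv(der, tbs_end)     # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    oid = _decode_oid(der[oid_start:oid_end])
    return oid, SIG_OIDS.get(oid)


def uses_sha1(der):
    """True when the certificate's signature is a SHA-1 based algorithm."""
    _, name = signature_algorithm(der)
    return name is not None and "sha1" in name.lower()


def pem_to_der(pem):
    """Extract the first CERTIFICATE block from PEM text and return its DER bytes."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))


# --- minimal DER encoder, used only to construct the sample certificates ---

def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, (a & 0x7F) | 0x80)
            a >>= 7
        out += bytes(chunk)
    return _der(0x06, out)


def stub_certificate(sig_oid):
    """Constructed sample: empty tbsCertificate, chosen algorithm, dummy signature."""
    tbs = _der(0x30, b"")
    alg = _der(0x30, _encode_oid(sig_oid) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" + b"\x00" * 16)
    return _der(0x30, tbs + alg + sig)


if __name__ == "__main__":
    paths = sys.argv[1:]
    if not paths:  # no files given: show the two constructed samples
        for label, oid in (("sha1 sample", "1.2.840.113549.1.1.5"),
                           ("sha256 sample", "1.2.840.113549.1.1.11")):
            der = stub_certificate(oid)
            print(f"{label}: {signature_algorithm(der)[1]} sha1={uses_sha1(der)}")
    for path in paths:
        data = open(path, "rb").read()
        if data.startswith(b"-----BEGIN"):
            data = pem_to_der(data.decode())
        oid, name = signature_algorithm(data)
        print(f"{path}: {name or oid}{' (SHA-1 signed)' if uses_sha1(data) else ''}")
```

Run it on every certificate of the chain, not only the leaf: an intermediate signed with SHA-1 makes the chain SHA-1 dependent just as much as the leaf does, whereas the self-signature on a trust-anchor root is not verified and does not matter. Comparing the output of two "identically configured" servers in this way pins the difference on the certificates themselves rather than on the SSLv3 setting.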
