Bug#766062: iceweasel security update DSA 3050-1 breaks sites using SHA1 SSL certificates
Pascal Meunier
pmeunier at frontier.com
Mon Oct 20 14:25:43 UTC 2014
Package: iceweasel
Version: 31.2.0esr-2~deb7u1
Severity: important
Dear Maintainer,

Since applying the iceweasel security update DSA 3050-1, sites not using SSLv3 but using
SHA1 SSL certificates are not accessible with Iceweasel. It gives this error message:

"You have asked Iceweasel to connect securely to xxxxxx (site name), but we can't confirm that your
connection is secure."

These sites are reported by https://www.ssllabs.com/ssltest/analyze.html as not serving SSLv3,
but using a SHA1 certificate. Sites configured absolutely identically, but not using SHA1
certificates, are accessed correctly by Iceweasel.

SHA1 is valid as part of TLS ciphers. Disabling SSLv3 does not need to disable SHA1 certificates.
I believe the security update was overly aggressive.

-- Package-specific info:
-- Extensions information
Name: Adblock Edge
Location: ${PROFILE_EXTENSIONS}/{fe272bd1-5f76-4ea4-8501-a05d35d823fc}.xpi
Status: enabled
Name: Default theme
Location: /usr/lib/iceweasel/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled
Name: NoScript
Location: ${PROFILE_EXTENSIONS}/{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
Status: enabled
Name: RefControl
Location: ${PROFILE_EXTENSIONS}/{455D905A-D37C-4643-A9E2-F6FEFAA0424A}.xpi
Status: enabled
Name: Restartless Restart
Location: ${PROFILE_EXTENSIONS}/restartless.restart@erikvold.com.xpi
Status: enabled
Name: RightToClick
Location: ${PROFILE_EXTENSIONS}/{cd617375-6743-4ee8-bac4-fbf10f35729e}.xpi
Status: enabled
-- Plugins information
Name: Gnome Shell Integration
Location: /usr/lib/mozilla/plugins/libgnome-shell-browser-plugin.so
Package: gnome-shell
Status: enabled
Name: Google Talk Plugin
Location: /opt/google/talkplugin/libnpgoogletalk.so
Package: google-talkplugin
Status: enabled
Name: Google Talk Plugin Video Renderer
Location: /opt/google/talkplugin/libnpo1d.so
Package: google-talkplugin
Status: enabled
Name: IcedTea-Web Plugin (using IcedTea-Web 1.4 (1.4-3~deb7u2))
Location: /usr/lib/jvm/java-7-openjdk-amd64/jre/lib/amd64/IcedTeaPlugin.so
Package: icedtea-7-plugin:amd64
Status: enabled
Name: iTunes Application Detector
Location: /usr/lib/mozilla/plugins/librhythmbox-itms-detection-plugin.so
Package: rhythmbox-plugins
Status: enabled
Name: Shockwave Flash (11.2.202.411)
Location: /usr/lib/flashplugin-nonfree/libflashplayer.so
Status: enabled
-- Addons package information
ii gnome-shell 3.4.2-7+deb7 amd64 graphical shell for the GNOME des
ii google-talkplu 5.4.2.0-1 amd64 Google Talk Plugin
ii icedtea-7-plug 1.4-3~deb7u2 amd64 web browser plugin based on OpenJ
ii iceweasel 31.2.0esr-2~ amd64 Web browser based on Firefox
ii rhythmbox-plug 2.97-2.1 amd64 plugins for rhythmbox music playe
-- System Information:
Debian Release: 7.7
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.16-0.bpo.2-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages iceweasel depends on:
ii debianutils 4.3.2
ii fontconfig 2.9.0-7.1
ii libasound2 1.0.25-4
ii libatk1.0-0 2.4.0-2
ii libc6 2.13-38+deb7u6
ii libcairo2 1.12.2-3
ii libdbus-1-3 1.6.8-1+deb7u4
ii libdbus-glib-1-2 0.100.2-1
ii libevent-2.0-5 2.0.19-stable-3
ii libffi5 3.0.10-3
ii libfontconfig1 2.9.0-7.1
ii libfreetype6 2.4.9-1.1
ii libgcc1 1:4.7.2-5
ii libgdk-pixbuf2.0-0 2.26.1-1
ii libglib2.0-0 2.33.12+really2.32.4-5
ii libgtk2.0-0 2.24.10-2
ii libhunspell-1.3-0 1.3.2-4
ii libpango1.0-0 1.30.0-1
ii libsqlite3-0 3.7.13-1+deb7u1
ii libstartup-notification0 0.12-1
ii libstdc++6 4.7.2-5
ii libx11-6 2:1.5.0-1+deb7u1
ii libxext6 2:1.3.1-2+deb7u1
ii libxrender1 1:0.9.7-1+deb7u1
ii libxt6 1:1.1.3-1+deb7u1
ii procps 1:3.3.3-3
ii zlib1g 1:1.2.7.dfsg-13
iceweasel recommends no packages.
Versions of packages iceweasel suggests:
pn fonts-mathjax <none>
pn fonts-oflb-asana-math <none>
ii fonts-stix [otf-stix] 1.1.0-1
ii libcanberra0 0.28-6
ii libgnomeui-0 2.24.5-2
ii libgssapi-krb5-2 1.10.1+dfsg-5+deb7u2
pn mozplugger <none>
-- debconf-show failed