Bug#766007: iceweasel: SSL error - cannot connect to certain servers

Daniel Kahn Gillmor dkg at fifthhorseman.net
Thu Oct 23 16:03:48 UTC 2014


Hi Norbert--

Norbert Preining wrote:
> An error occurred during a connection to MY.SERVER:PORT. SSL peer rejected a handshake message for unacceptable content. (Error code: ssl_error_illegal_parameter_alert)
 [...]
> ii  libnss3                   2:3.17.2-1
 [...]
> Hi Sylvestre,
>
>> > * tried upstream original firefox: worked out of the box
>> Same version?
>
> I tried both, 33.0 and 31.2.0esr, in both cases it works with
> original Firefox without any problems.
>
>> Or that the SSL certificate of the server is broken.
>
> It worked two or three weeks ago on the same computer.
> So either something in firefox, or the certificate has changed,
> as you mentioned, and the current Debian/firefox cannot
> work with that.
>
> The certificate as seen in firefox 33.0 looks like this:
>
> Connection Encrypted: High-grade Encryption 
> 	TLS_RSA_WITH_3DES_EDE_CBC_SHA, 112 bit keys
>
> Certificate Signature Algorithm:	PKCS #1 SHA-1 With RSA Encryption

It sounds like you either don't want to identify the server publicly.
I'm sure you have good reasons for this, but it makes it difficult for
other people to debug it directly.

However, I'd like to understand what is triggering the
ssl_error_illegal_parameter_alert.


It's possible that the relevant change happened in libnss3 -- can you
try rolling back to version 2:3.17.1-1 to see if that resolves the
problem with the debian iceweasel packages?  If so, please reassign this
bug report to libnss3, and we can continue the diagnostics.


If you don't mind identifying the server to me privately, i'd be happy
to take a look at it directly.

Or, if i'm unlikely to have network access to the server, could you try
installing a recent version (3.x) of gnutls-bin, and sending me the
output of:

 gnutls-cli-debug --debug 9999 -VVVV --port PORT MY.SERVER

Alternately (or in addition), you could install libnss3-tools, and try
connecting to the server with it:

 d=$(mktemp -d)
 nss-dbtest -i -d "$d"
 tstclnt -v -h MY.SERVER -p PORT -d "$d"

Thanks for reporting the problem,

       --dkg