Thanks for the response. This bug initially surfaced for me when iceweasel was upgraded from 30 to 31 about three months ago. I re-tested for the behavior after upgrading the package yesterday and am getting the same result: attempting to make a TLS connection to a server that uses a self-signed certificate hangs without returning an error. This is puzzling since the bug reports out there seem to indicate people are experiencing the bug by having the connection fail with a non-overridable error reported, which is different from having the connection not do anything at all.
This is an about:config workaround; with this setting I am able to override the certificate error and connect to my site:

    security.use_mozillapkix_verification = false

This does strongly indicate that the problem is linked to the introduction of mozilla::pkix. I realize that I should re-test with a clean profile; it could be that there are old certificates and/or plugins in my regular browsing profile that are causing problems. To investigate further, I will see about setting up a dummy server with the guilty certificates to see if you can reproduce.

Thanks,
Peter

> On Nov 21, 2014, at 5:51 PM, Mike Hommey <m...@glandium.org> wrote:
>
> On Fri, Nov 21, 2014 at 03:49:06PM -0500, Peter Amstutz wrote:
>> Package: iceweasel
>> Version: 31.2.0esr-3
>> Severity: important
>> Tags: upstream
>>
>> Dear Maintainer,
>>
>> Firefox 31 introduced a new certificate validation library "mozilla::pkix".
>> This introduced regressions, where previously the user could override the
>> validation error and connect anyway ("this connection is untrusted!"), in
>> jessie iceweasel attempting to connect to the same sites results in a silent
>> hang (it appears to be loading forever with no feedback as to what is wrong).
>>
>> (Subjectively, when this happens it also appears to affect the overall
>> stability of the browser, as it seems like other sites become slow to load or
>> fail to load entirely until the browser is restarted).
>>
>> Based on the following discussion, it appears that this behavior is addressed
>> in Firefox 33, and in the Enterprise Support Release (ESR) of Firefox 31:
>>
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1042889
>
> That bug is fixed in 33 and 31.2, both of which are in Debian already.
> Are you saying the versions in Debian are still affected?
>
> Mike