On Fri, Jan 06, 2017 at 04:55:40PM +0100, Landry Breuil wrote: > On Fri, Jan 06, 2017 at 10:43:08AM -0500, Daniel Jakots wrote: > > On Fri, 6 Jan 2017 11:08:56 +0100, Landry Breuil <[email protected]> > > wrote: > > > > > On Fri, Jan 06, 2017 at 10:59:40AM +0100, Solène Rapenne wrote: > > > > Le 2017-01-06 10:47, Solène Rapenne a écrit : > > > > > Le 2017-01-06 10:38, Landry Breuil a écrit : > > > > > > On Fri, Jan 06, 2017 at 10:33:04AM +0100, Solène Rapenne > > > > > > wrote: > > > > > > > Hello, > > > > > > > > > > > > > > I upgraded my amd64 -current this morning (OpenBSD 6.0-current > > > > > > > (GENERIC.MP) > > > > > > > #110: Thu Jan 5 20:32:18 MST 2017) > > > > > > > > > > > > > > With the latest firefox version (firefox-50.1.0) I can't > > > > > > > connect to www.google.com, I get the following message > > > > > > > > > > > > > > Your connection is not secure > > > > > > > The website tried to negotiate an inadequate level of > > > > > > > security. google.com uses security technology that is > > > > > > > outdated and vulnerable to > > > > > > > attack. An attacker could easily reveal information which you > > > > > > > thought to be > > > > > > > safe. The website administrator will need to fix the server > > > > > > > first before you > > > > > > > can visit the site. > > > > > > > Error code: NS_ERROR_NET_INADEQUATE_SECURITY > > > > > > > > > > > > > > > > > > > > > I tried a few others SSL websites and they all works. > > > > > > > > > > > > Iirc that's due to the fact that some certs were removed from > > > > > > cert.pem and those were in the cert chain for google. Should be > > > > > > fixed or a fix is > > > > > > in the works. > > > > > > > > > > > > That's the perfect occasion to start using another search > > > > > > engine which respects users' privacy :) > > > > > > > > > > > > Landry > > > > > > > > > > For what it worth, the problem occurs with firefox-esr too, but it > > > > > doesn't > > > > > show an error, it just fails silently and keep the current page > > > > > viewed. > > > > > > > > thanks to johany@ on IRC, setting network.http.spdy.enabled.http2 > > > > to false in > > > > about:config works as a workaround > > > > > > Ah. Then maybe it's a fuckup with TLS1.3 in nss 3.28. Maybe 3.28.1 > > > will fix this. Or not. > > > > FYI, still broken with 3.28.1. > > Aaah, crap, now that rings a bell. Cf > https://bugzilla.mozilla.org/show_bug.cgi?id=1323209 and > https://bugzilla.mozilla.org/show_bug.cgi?id=1290037. Fuck. Fuckety Fuck. > > So http/2 is broken with nss > 3.28... hm. I'm not sure waiting for 51 / > next esr release is the right solution, since that's planned for the 24. > Guess reverting the nss update is the solution. Sigh.
Two options (well, three) - try rebuilding nss 3.28.1 without NSS_ENABLE_TLS_1_3=1, see if that helps (i think it's unrelated but who knows..) - apply https://bug1290037.bmoattachments.org/attachment.cgi?id=8778661 to firefox, rebuild - should fixit - revert to 3.27.2 (id like to avoid this..) Landry
