> On Jan 6, 2017, at 11:07 AM, Landry Breuil <[email protected]> wrote:
>
>> On Fri, Jan 06, 2017 at 04:55:40PM +0100, Landry Breuil wrote:
>>> On Fri, Jan 06, 2017 at 10:43:08AM -0500, Daniel Jakots wrote:
>>> On Fri, 6 Jan 2017 11:08:56 +0100, Landry Breuil <[email protected]> wrote:
>>>
>>>>> On Fri, Jan 06, 2017 at 10:59:40AM +0100, Solène Rapenne wrote:
>>>>> On 2017-01-06 10:47, Solène Rapenne wrote:
>>>>>> On 2017-01-06 10:38, Landry Breuil wrote:
>>>>>>> On Fri, Jan 06, 2017 at 10:33:04AM +0100, Solène Rapenne wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I upgraded my amd64 -current this morning (OpenBSD 6.0-current
>>>>>>>> (GENERIC.MP) #110: Thu Jan 5 20:32:18 MST 2017)
>>>>>>>>
>>>>>>>> With the latest firefox version (firefox-50.1.0) I can't
>>>>>>>> connect to www.google.com, I get the following message
>>>>>>>>
>>>>>>>> Your connection is not secure
>>>>>>>> The website tried to negotiate an inadequate level of
>>>>>>>> security. google.com uses security technology that is
>>>>>>>> outdated and vulnerable to attack. An attacker could easily
>>>>>>>> reveal information which you thought to be safe. The website
>>>>>>>> administrator will need to fix the server first before you
>>>>>>>> can visit the site.
>>>>>>>> Error code: NS_ERROR_NET_INADEQUATE_SECURITY
>>>>>>>>
>>>>>>>>
>>>>>>>> I tried a few other SSL websites and they all work.
>>>>>>>
>>>>>>> Iirc that's due to the fact that some certs were removed from
>>>>>>> cert.pem and those were in the cert chain for google. Should be
>>>>>>> fixed or a fix is in the works.
>>>>>>>
>>>>>>> That's the perfect occasion to start using another search
>>>>>>> engine which respects users' privacy :)
>>>>>>>
>>>>>>> Landry
>>>>>>
>>>>>> For what it's worth, the problem occurs with firefox-esr too, but it
>>>>>> doesn't show an error, it just fails silently and keeps the current
>>>>>> page viewed.
>>>>>
>>>>> thanks to johany@ on IRC, setting network.http.spdy.enabled.http2
>>>>> to false in about:config works as a workaround
>>>>
>>>> Ah. Then maybe it's a fuckup with TLS1.3 in nss 3.28. Maybe 3.28.1
>>>> will fix this. Or not.
>>>
>>> FYI, still broken with 3.28.1.
>>
>> Aaah, crap, now that rings a bell. Cf
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1323209 and
>> https://bugzilla.mozilla.org/show_bug.cgi?id=1290037. Fuck. Fuckety Fuck.
>>
>> So http/2 is broken with nss > 3.28... hm. I'm not sure waiting for 51 /
>> next esr release is the right solution, since that's planned for the 24.
>> Guess reverting the nss update is the solution. Sigh.
>
> Two options (well, three)
> - try rebuilding nss 3.28.1 without NSS_ENABLE_TLS_1_3=1, see if that
>   helps (I think it's unrelated but who knows..)
> - apply https://bug1290037.bmoattachments.org/attachment.cgi?id=8778661
>   to firefox, rebuild - should fix it
> - revert to 3.27.2 (I'd like to avoid this..)
>
> Landry
>
I like option two -- use the patch.

.... Ken
