Bug#770508: iceweasel: cannot override certificate validation problems with mozilla::pkix, connection hangs
I found a workaround:

1. Quit iceweasel.
2. ~$ cd ~/.mozilla/firefox/x.default
3. ~/.mozilla/firefox/x.default$ mv cert8.db cert8.db.old
4. Restart iceweasel.

A coworker of mine was affected by the same problem and was able to solve it using the above workaround.

As far as I can tell, iceweasel is recording some information about the SSL configuration for a specific host and port in cert8.db (in our case, a development instance of a web app that uses a self-signed cert that is frequently regenerated). The information in cert8.db is either corrupt or in conflict with the certificate actually provided when the browser connects, but instead of landing at the warning-and-override page, mozilla::pkix fails silently and the connection attempt hangs.

So, I think there is a bug here, but seems like it might require some deep digging to find the actual point of failure.

- Peter
Bug#770508: iceweasel: cannot override certificate validation problems with mozilla::pkix, connection hangs
Package: iceweasel
Version: 31.2.0esr-3
Severity: important
Tags: upstream

Dear Maintainer,

Firefox 31 introduced a new certificate validation library mozilla::pkix. This introduced regressions, where previously the user could override the validation error and connect anyway (this connection is untrusted!), in jessie iceweasel attempting to connect to the same sites results in a silent hang (it appears to be loading forever with no feedback as to what is wrong).

(Subjectively, when this happens it also appears to affect the overall stability of the browser, as it seems like other sites become slow to load or fail to load entirely until the browser is restarted).

Based on the following discussion, it appears that this behavior is addressed in Firefox 33, and in the Enterprise Support Release (ESR) of Firefox 31:

https://bugzilla.mozilla.org/show_bug.cgi?id=1042889

Thanks

-- Package-specific info:

-- Extensions information

Name: Adblock Plus
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
Package: xul-ext-adblock-plus
Status: enabled

Name: Add to Search Bar
Location: ${PROFILE_EXTENSIONS}/add-to-search...@maltekraus.de.xpi
Status: enabled

Name: Default theme
Location: /usr/lib/iceweasel/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled

Name: HTTPS-Everywhere
Location: ${PROFILE_EXTENSIONS}/https-everywh...@eff.org
Status: enabled

Name: Max Tabs
Location: ${PROFILE_EXTENSIONS}/maxt...@cheeaun.xpi
Status: user-disabled

Name: NoScript
Location: ${PROFILE_EXTENSIONS}/{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
Status: enabled

Name: Redmine Toolbar
Location: ${PROFILE_EXTENSIONS}/redminetool...@mpietsch.com.xpi
Status: enabled

Name: Remote Control
Location: ${PROFILE_EXTENSIONS}/remote-cont...@morch.com.xpi
Status: enabled

Name: Tab Mix Plus
Location: ${PROFILE_EXTENSIONS}/{dc572301-7619-498c-a57d-39143191b318}.xpi
Status: enabled

Name: Tab Scope
Location: ${PROFILE_EXTENSIONS}/tabsc...@xuldev.org.xpi
Status: user-disabled

Name: TabNavigator
Location: ${PROFILE_EXTENSIONS}/tab...@cse.iitb.ac.in.xpi
Status: user-disabled

Name: Textarea Cache
Location: ${PROFILE_EXTENSIONS}/{578e7caa-210f-4967-a0d3-88fe5b59a39f}.xpi
Status: enabled

Name: Tile Tabs
Location: ${PROFILE_EXTENSIONS}/tilet...@dw-dev.xpi
Status: user-disabled

-- Plugins information

Name: Gnome Shell Integration
Location: /usr/lib/mozilla/plugins/libgnome-shell-browser-plugin.so
Package: gnome-shell
Status: enabled

Name: Google Talk Plugin
Location: /opt/google/talkplugin/libnpgoogletalk.so
Package: google-talkplugin
Status: enabled

Name: Google Talk Plugin Video Renderer
Location: /opt/google/talkplugin/libnpo1d.so
Package: google-talkplugin
Status: enabled

Name: iTunes Application Detector
Location: /usr/lib/mozilla/plugins/librhythmbox-itms-detection-plugin.so
Package: rhythmbox-plugins
Status: enabled

Name: Shockwave Flash (11.2.202.378)
Location: /usr/lib/mozilla/plugins/libflashplayer.so
Status: enabled

-- Addons package information

ii  gnome-shell     3.14.1-1      amd64  graphical shell for the GNOME des
ii  google-talkplu  5.38.5.0-1    amd64  Google Talk Plugin
ii  iceweasel       31.2.0esr-3   amd64  Web browser based on Firefox
ii  rhythmbox-plug  3.1-1         amd64  plugins for rhythmbox music playe
ii  xul-ext-adbloc  2.6.6+dfsg-1  all    advertisement blocking extension

-- System Information:

Debian Release: jessie/sid
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages iceweasel depends on:

ii  debianutils               4.4+b1
ii  fontconfig                2.11.0-6.1
ii  libasound2                1.0.28-1
ii  libatk1.0-0               2.14.0-1
ii  libc6                     2.19-13
ii  libcairo2                 1.14.0-2.1
ii  libdbus-1-3               1.8.10-1
ii  libdbus-glib-1-2          0.102-1
ii  libevent-2.0-5            2.0.21-stable-1.1
ii  libffi6                   3.1-2
ii  libfontconfig1            2.11.0-6.1
ii  libfreetype6              2.5.2-2
ii  libgcc1                   1:4.9.1-19
ii  libgdk-pixbuf2.0-0        2.31.1-2+b1
ii  libglib2.0-0              2.42.0-2
ii  libgtk2.0-0               2.24.25-1
ii  libhunspell-1.3-0         1.3.3-3
ii  libnspr4                  2:4.10.7-1
ii  libnss3                   2:3.17.2-1
ii  libpango-1.0-0            1.36.8-2
ii  libsqlite3-0              3.8.7.1-1
ii  libstartup-notification0  0.12-4
ii  libstdc++6                4.9.1-19
ii  libvpx1                   1.3.0-3
ii  libx11-6                  2:1.6.2-3
ii  libxext6                  2:1.3.3-1
ii  libxrender1               1:0.9.8-1+b1
ii  libxt6                    1:1.1.4-1+b1
ii  procps                    2:3.3.9-8
ii  zlib1g                    1:1.2.8.dfsg-2

iceweasel
Bug#770508: iceweasel: cannot override certificate validation problems with mozilla::pkix, connection hangs
On Fri, Nov 21, 2014 at 03:49:06PM -0500, Peter Amstutz wrote:
> Package: iceweasel
> Version: 31.2.0esr-3
> Severity: important
> Tags: upstream
>
> Dear Maintainer,
>
> Firefox 31 introduced a new certificate validation library mozilla::pkix. This introduced regressions, where previously the user could override the validation error and connect anyway (this connection is untrusted!), in jessie iceweasel attempting to connect to the same sites results in a silent hang (it appears to be loading forever with no feedback as to what is wrong).
>
> (Subjectively, when this happens it also appears to affect the overall stability of the browser, as it seems like other sites become slow to load or fail to load entirely until the browser is restarted).
>
> Based on the following discussion, it appears that this behavior is addressed in Firefox 33, and in the Enterprise Support Release (ESR) of Firefox 31:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1042889

That bug is fixed in 33 and 31.2, both of which are in Debian already. Are you saying the versions in Debian are still affected?

Mike
Bug#770508: iceweasel: cannot override certificate validation problems with mozilla::pkix, connection hangs
Thanks for the response.

This bug initially surfaced for me when iceweasel was upgraded from 30 to 31 about three months ago. I re-tested for the behavior after upgrading the package yesterday and am getting the same result: attempting to make a TLS connection to a server that uses a self-signed certificate hangs without returning an error.

This is puzzling since the bug reports out there seem to indicate people are experiencing the bug by having the connection fail with a non-overridable error reported, which is different from having the connection not do anything at all.

This is an about:config workaround, with this setting I am able to override the certificate error and connect to my site:

security.use_mozillapkix_verification = false

This does strongly indicate that the problem is linked to the introduction of mozilla::pkix.

I realize that I should re-test with a clean profile, it could be that there are old certificates and/or plugins in my regular browsing profile that are causing problems. To investigate further, I will see about setting up a dummy server with the guilty certificates to see if you can reproduce.

Thanks,
Peter

On Nov 21, 2014, at 5:51 PM, Mike Hommey m...@glandium.org wrote:
> On Fri, Nov 21, 2014 at 03:49:06PM -0500, Peter Amstutz wrote:
> > Package: iceweasel
> > Version: 31.2.0esr-3
> > Severity: important
> > Tags: upstream
> >
> > Dear Maintainer,
> >
> > Firefox 31 introduced a new certificate validation library mozilla::pkix. This introduced regressions, where previously the user could override the validation error and connect anyway (this connection is untrusted!), in jessie iceweasel attempting to connect to the same sites results in a silent hang (it appears to be loading forever with no feedback as to what is wrong).
> >
> > (Subjectively, when this happens it also appears to affect the overall stability of the browser, as it seems like other sites become slow to load or fail to load entirely until the browser is restarted).
> >
> > Based on the following discussion, it appears that this behavior is addressed in Firefox 33, and in the Enterprise Support Release (ESR) of Firefox 31:
> >
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1042889
>
> That bug is fixed in 33 and 31.2, both of which are in Debian already. Are you saying the versions in Debian are still affected?
>
> Mike
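
Both workarounds in this thread leave something behind in the profile: the security.use_mozillapkix_verification = false setting keeps certificate verification on the old code path, and cert8.db.old keeps the previous certificate database on disk. The script below is an added example, not part of the original thread or of iceweasel; it audits profile directories for both leftovers. It assumes the usual user_pref("name", value); line format of prefs.js and user.js, and the finding labels and sample profiles are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Pref named in the thread; "false" switches mozilla::pkix verification off.
PREF = "security.use_mozillapkix_verification"
# Matches lines of the form: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

def read_prefs(path):
    """Return {name: raw value} for every user_pref line in one prefs file."""
    prefs = {}
    for line in path.read_text(errors="replace").splitlines():
        match = PREF_LINE.match(line)
        if match:
            prefs[match.group(1)] = match.group(2)
    return prefs

def audit_profile(profile):
    """List leftovers of the thread's two workarounds in one profile directory."""
    merged = {}
    for name in ("prefs.js", "user.js"):  # user.js is applied over prefs.js
        if (profile / name).is_file():
            merged.update(read_prefs(profile / name))
    findings = []
    if merged.get(PREF) == "false":
        findings.append("pkix-verification-disabled")  # hypothetical label
    if (profile / "cert8.db.old").is_file():
        findings.append("stale-cert8-backup")  # hypothetical label
    return findings

def audit_all(root):
    """Audit every profile directory under root, e.g. ~/.mozilla/firefox."""
    return {p.name: audit_profile(p) for p in sorted(root.iterdir()) if p.is_dir()}

def demo():
    """Run the audit over two constructed sample profiles (no real data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for name in ("x.default", "clean.default"):
            (root / name).mkdir()
            (root / name / "prefs.js").write_text('user_pref("browser.startup.page", 3);\n')
        with open(root / "x.default" / "prefs.js", "a") as fh:
            fh.write(f'user_pref("{PREF}", false);\n')
        (root / "x.default" / "cert8.db.old").write_bytes(b"")
        return audit_all(root)

if __name__ == "__main__":
    for profile, findings in demo().items():
        print(profile, findings or "ok")
```

To check a real machine, call audit_all(Path.home() / ".mozilla" / "firefox") with the browser closed, so that prefs.js is not being rewritten while it is read.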