Bug#770508: iceweasel: cannot override certificate validation problems with mozilla::pkix, connection hangs

2014-12-03 Thread peter
I found a workaround:

1. Quit iceweasel.
2. ~$ cd ~/.mozilla/firefox/x.default
3. ~/.mozilla/firefox/x.default$ mv cert8.db cert8.db.old
4. Restart iceweasel.

A coworker of mine was affected by the same problem and was able to
solve it using the above workaround.

As far as I can tell, iceweasel is recording some information about the
SSL configuration for a specific host and port in cert8.db (in our
case, a development instance of a web app that uses a self-signed cert
that is frequently regenerated).  The information in cert8.db is
either corrupt or in conflict with the certificate actually provided
when the browser connects, but instead of landing at the
warning-and-override page, mozilla::pkix fails silently and the
connection attempt hangs.

So, I think there is a bug here, but it seems like it might require some
deep digging to find the actual point of failure.

- Peter
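
The four-step workaround above as a script, added here as an example and not part of the original message: it refuses to run while iceweasel is open and keeps a timestamped copy of cert8.db so the old database stays available for diagnosis. `backup_cert_db` is a hypothetical helper name, and the profile directory is passed in by the caller.

```shell
#!/bin/sh
# Added example (not from the thread): set aside cert8.db in one profile.
# backup_cert_db is a hypothetical name; pass the profile directory,
# e.g. backup_cert_db "$HOME/.mozilla/firefox/x.default"

backup_cert_db() {
    profile_dir=$1
    db="$profile_dir/cert8.db"

    # Step 1 of the workaround: the browser must be closed, otherwise it
    # keeps the database open and may write it back on exit.
    if command -v pgrep >/dev/null 2>&1 && pgrep -x iceweasel >/dev/null 2>&1; then
        echo "iceweasel is still running; quit it first" >&2
        return 2
    fi

    if [ ! -f "$db" ]; then
        echo "no cert8.db in $profile_dir" >&2
        return 1
    fi

    # A timestamped name avoids overwriting a cert8.db.old left by an
    # earlier run, so every previous database can still be examined.
    backup="$db.old.$(date +%Y%m%d-%H%M%S)"
    if [ -e "$backup" ]; then
        echo "backup $backup already exists" >&2
        return 3
    fi

    mv -- "$db" "$backup" || return 4
    chmod 600 "$backup"

    # Print the backup path so the caller can restore or inspect it.
    printf '%s\n' "$backup"
}
```

cert8.db also holds any certificates and trust settings the user added, so the copy is kept rather than deleted; moving it back restores them.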





Bug#770508: iceweasel: cannot override certificate validation problems with mozilla::pkix, connection hangs

2014-11-21 Thread Peter Amstutz
Package: iceweasel
Version: 31.2.0esr-3
Severity: important
Tags: upstream

Dear Maintainer,

Firefox 31 introduced a new certificate validation library mozilla::pkix.
This introduced regressions, where previously the user could override the
validation error and connect anyway (this connection is untrusted!), in
jessie iceweasel attempting to connect to the same sites results in a silent
hang (it appears to be loading forever with no feedback as to what is wrong).

(Subjectively, when this happens it also appears to affect the overall
stability of the browser, as it seems like other sites become slow to load or
fail to load entirely until the browser is restarted).

Based on the following discussion, it appears that this behavior is addressed
in Firefox 33, and in the Enterprise Support Release (ESR) of Firefox 31:

https://bugzilla.mozilla.org/show_bug.cgi?id=1042889

Thanks



-- Package-specific info:

-- Extensions information
Name: Adblock Plus
Location: /usr/share/mozilla/extensions/{ec8030f7-c20a-464f-9b0e-13a3a9e97384}/{d10d0bf8-f5b5-c8b4-a8b2-2b9879e08c5d}
Package: xul-ext-adblock-plus
Status: enabled

Name: Add to Search Bar
Location: ${PROFILE_EXTENSIONS}/add-to-search...@maltekraus.de.xpi
Status: enabled

Name: Default theme
Location: /usr/lib/iceweasel/browser/extensions/{972ce4c6-7e08-4474-a285-3208198ce6fd}
Package: iceweasel
Status: enabled

Name: HTTPS-Everywhere
Location: ${PROFILE_EXTENSIONS}/https-everywh...@eff.org
Status: enabled

Name: Max Tabs
Location: ${PROFILE_EXTENSIONS}/maxt...@cheeaun.xpi
Status: user-disabled

Name: NoScript
Location: ${PROFILE_EXTENSIONS}/{73a6fe31-595d-460b-a920-fcc0f8843232}.xpi
Status: enabled

Name: Redmine Toolbar
Location: ${PROFILE_EXTENSIONS}/redminetool...@mpietsch.com.xpi
Status: enabled

Name: Remote Control
Location: ${PROFILE_EXTENSIONS}/remote-cont...@morch.com.xpi
Status: enabled

Name: Tab Mix Plus
Location: ${PROFILE_EXTENSIONS}/{dc572301-7619-498c-a57d-39143191b318}.xpi
Status: enabled

Name: Tab Scope
Location: ${PROFILE_EXTENSIONS}/tabsc...@xuldev.org.xpi
Status: user-disabled

Name: TabNavigator
Location: ${PROFILE_EXTENSIONS}/tab...@cse.iitb.ac.in.xpi
Status: user-disabled

Name: Textarea Cache
Location: ${PROFILE_EXTENSIONS}/{578e7caa-210f-4967-a0d3-88fe5b59a39f}.xpi
Status: enabled

Name: Tile Tabs
Location: ${PROFILE_EXTENSIONS}/tilet...@dw-dev.xpi
Status: user-disabled

-- Plugins information
Name: Gnome Shell Integration
Location: /usr/lib/mozilla/plugins/libgnome-shell-browser-plugin.so
Package: gnome-shell
Status: enabled

Name: Google Talk Plugin
Location: /opt/google/talkplugin/libnpgoogletalk.so
Package: google-talkplugin
Status: enabled

Name: Google Talk Plugin Video Renderer
Location: /opt/google/talkplugin/libnpo1d.so
Package: google-talkplugin
Status: enabled

Name: iTunes Application Detector
Location: /usr/lib/mozilla/plugins/librhythmbox-itms-detection-plugin.so
Package: rhythmbox-plugins
Status: enabled

Name: Shockwave Flash (11.2.202.378)
Location: /usr/lib/mozilla/plugins/libflashplayer.so
Status: enabled


-- Addons package information
ii  gnome-shell    3.14.1-1     amd64 graphical shell for the GNOME des
ii  google-talkplu 5.38.5.0-1   amd64 Google Talk Plugin
ii  iceweasel      31.2.0esr-3  amd64 Web browser based on Firefox
ii  rhythmbox-plug 3.1-1        amd64 plugins for rhythmbox music playe
ii  xul-ext-adbloc 2.6.6+dfsg-1 all   advertisement blocking extension

-- System Information:
Debian Release: jessie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_US.utf8, LC_CTYPE=en_US.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages iceweasel depends on:
ii  debianutils               4.4+b1
ii  fontconfig                2.11.0-6.1
ii  libasound2                1.0.28-1
ii  libatk1.0-0               2.14.0-1
ii  libc6                     2.19-13
ii  libcairo2                 1.14.0-2.1
ii  libdbus-1-3               1.8.10-1
ii  libdbus-glib-1-2          0.102-1
ii  libevent-2.0-5            2.0.21-stable-1.1
ii  libffi6                   3.1-2
ii  libfontconfig1            2.11.0-6.1
ii  libfreetype6              2.5.2-2
ii  libgcc1                   1:4.9.1-19
ii  libgdk-pixbuf2.0-0        2.31.1-2+b1
ii  libglib2.0-0              2.42.0-2
ii  libgtk2.0-0               2.24.25-1
ii  libhunspell-1.3-0         1.3.3-3
ii  libnspr4                  2:4.10.7-1
ii  libnss3                   2:3.17.2-1
ii  libpango-1.0-0            1.36.8-2
ii  libsqlite3-0              3.8.7.1-1
ii  libstartup-notification0  0.12-4
ii  libstdc++6                4.9.1-19
ii  libvpx1                   1.3.0-3
ii  libx11-6                  2:1.6.2-3
ii  libxext6                  2:1.3.3-1
ii  libxrender1               1:0.9.8-1+b1
ii  libxt6                    1:1.1.4-1+b1
ii  procps                    2:3.3.9-8
ii  zlib1g                    1:1.2.8.dfsg-2

iceweasel 

Bug#770508: iceweasel: cannot override certificate validation problems with mozilla::pkix, connection hangs

2014-11-21 Thread Mike Hommey
On Fri, Nov 21, 2014 at 03:49:06PM -0500, Peter Amstutz wrote:
> Package: iceweasel
> Version: 31.2.0esr-3
> Severity: important
> Tags: upstream
>
> Dear Maintainer,
>
> Firefox 31 introduced a new certificate validation library mozilla::pkix.
> This introduced regressions, where previously the user could override the
> validation error and connect anyway (this connection is untrusted!), in
> jessie iceweasel attempting to connect to the same sites results in a silent
> hang (it appears to be loading forever with no feedback as to what is wrong).
>
> (Subjectively, when this happens it also appears to affect the overall
> stability of the browser, as it seems like other sites become slow to load or
> fail to load entirely until the browser is restarted).
>
> Based on the following discussion, it appears that this behavior is addressed
> in Firefox 33, and in the Enterprise Support Release (ESR) of Firefox 31:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1042889

That bug is fixed in 33 and 31.2, both of which are in Debian already.
Are you saying the versions in Debian are still affected?

Mike





Bug#770508: iceweasel: cannot override certificate validation problems with mozilla::pkix, connection hangs

2014-11-21 Thread Peter Amstutz
Thanks for the response.

This bug initially surfaced for me when iceweasel was upgraded from 30 to 31 
about three months ago.  I re-tested for the behavior after upgrading the 
package yesterday and am getting the same result: attempting to make a TLS 
connection to a server that uses a self-signed certificate hangs without 
returning an error.  This is puzzling since the bug reports out there seem to 
indicate people are experiencing the bug by having the connection fail with a 
non-overridable error reported, which is different from having the connection 
not do anything at all.  

This is an about:config workaround; with this setting I am able
to override the certificate error and connect to my site:

security.use_mozillapkix_verification = false

This does strongly indicate that the problem is linked to the introduction of 
mozilla::pkix.

I realize that I should re-test with a clean profile, it could be that there 
are old certificates and/or plugins in my regular browsing profile that are 
causing problems.  To investigate further, I will see about setting up a dummy 
server with the guilty certificates to see if you can reproduce.

Thanks,
Peter

> On Nov 21, 2014, at 5:51 PM, Mike Hommey <m...@glandium.org> wrote:
>
> On Fri, Nov 21, 2014 at 03:49:06PM -0500, Peter Amstutz wrote:
> > Package: iceweasel
> > Version: 31.2.0esr-3
> > Severity: important
> > Tags: upstream
> >
> > Dear Maintainer,
> >
> > Firefox 31 introduced a new certificate validation library mozilla::pkix.
> > This introduced regressions, where previously the user could override the
> > validation error and connect anyway (this connection is untrusted!), in
> > jessie iceweasel attempting to connect to the same sites results in a silent
> > hang (it appears to be loading forever with no feedback as to what is wrong).
> >
> > (Subjectively, when this happens it also appears to affect the overall
> > stability of the browser, as it seems like other sites become slow to load or
> > fail to load entirely until the browser is restarted).
> >
> > Based on the following discussion, it appears that this behavior is addressed
> > in Firefox 33, and in the Enterprise Support Release (ESR) of Firefox 31:
> >
> > https://bugzilla.mozilla.org/show_bug.cgi?id=1042889
>
> That bug is fixed in 33 and 31.2, both of which are in Debian already.
> Are you saying the versions in Debian are still affected?
>
> Mike