IceCat 60 certificate validation fails when using system NSS

  • Done
  • quality assurance status badge
Details
3 participants
  • Maxim Cournoyer
  • Mark H Weaver
  • Mike Gerwitz
Owner
unassigned
Submitted by
Mike Gerwitz
Severity
normal
M
M
Mike Gerwitz wrote on 25 Sep 2018 06:22
IceCat 60 showing sites as "insecure" despite using HTTPS
(address . bug-guix@gnu.org)
87k1nadx4v.fsf@gnu.org
I don't know if this is a problem specific to Guix or upstream; I can
give IceCat a try in a Debian VM tomorrow. But I want to make others
aware of the problem in the meantime:

Even if sites are using HTTPS, IceCat is still saying "This connection
is insecure" if you click on the "i" icon in the URL bar. This seems to
be a problem with every HTTPS site I visit.

On the "Security" tab of the "Page Info" dialog, under "Technical
Details", no certificate information is listed; it simply says
"Connection Not Encrypted". That's clearly not true, otherwise the page
would fail to load. I've tried with sites that use HSTS and don't even
support plaintext connections (e.g. my own)---the pages load just fine.

I haven't played around with sites with expired certificates or anything
yet. But if IceCat is not reporting security status correctly, then
users may be at risk, so be careful in the meantime!

--
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B 2388 FEF6 3574 5E6F 6D05
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJbqbgAAAoJEIyRe39dxRuiUCAQAK7X0IkzrupMHKTepe8Hk6kk
oCQVWJPNaMcwEknghYFISg7LZJmP7AtlujzkTv85A4dvzeQKbMuOklQcJ3wbVmju
PdxNThdSHJ/jGsDHM/P3spberUP+rC8XtFqGFefGHLdF0//PaLXwncEK8ePvUpai
Y0EpyAiEl18B54sTNPijFA4jEXvNsaxnH87AdjcRLdb08M6DkShG6ND0VcAbdq8O
5HBkmr2USH/bJx7aatR3ItT9uMR4vaaCJ9j+6iMEltZAmWPVum8Jcj/AmKeNgBKf
t+tBQftuzW6N7kV5TGcY6J2ROaMp5TI32PQCYpmAyYY8vaDEb26PDZDaIZ4aDDtj
9Ay1aSjyrLQBLo002gKEvIkcnOQpoafHSc+BJAGbb3qZRn2QQ0oh99wOZWh9pRWv
jRI4Ts5DXBGMM/KPk2uNQvoworaZW11h3w2t8xAS3UqA0Z7xBt5idXBXK8M/NhUg
Qs2G8FTR6PyqF6LMhGlFjfHe21gsJ/aUf20RFw8lUdJWSG+Etpxqj4ayPpcmHfZh
1i/KZlfktAu4FLp/lqlqfdcVxJfVf1fL5M9WZ4zYlRCAh+SmZb7n/L7dbTPAzmOO
vQpaetoNjxpgzpP3cqHpibk9X9c1BYGDlvcWWRIO3YhZ1M4NiGe13//GMTaDFbgs
oxu8drjYbE/EltEfw4CA
=Iw+E
-----END PGP SIGNATURE-----

M
M
Mark H Weaver wrote on 26 Sep 2018 00:01
(name . Mike Gerwitz)(address . mtg@gnu.org)(address . 32833@debbugs.gnu.org)
87o9clck40.fsf@netris.org
severity 32833 critical
thanks

Hi Mike,

Mike Gerwitz <mtg@gnu.org> writes:
Toggle quote (14 lines)
> Even if sites are using HTTPS, IceCat is still saying "This connection
> is insecure" if you click on the "i" icon in the URL bar. This seems to
> be a problem with every HTTPS site I visit.
>
> On the "Security" tab of the "Page Info" dialog, under "Technical
> Details", no certificate information is listed; it simply says
> "Connection Not Encrypted". That's clearly not true, otherwise the page
> would fail to load. I've tried with sites that use HSTS and don't even
> support plaintext connections (e.g. my own)---the pages load just fine.
>
> I haven't played around with sites with expired certificates or anything
> yet. But if IceCat is not reporting security status correctly, then
> users may be at risk, so be careful in the meantime!

Thanks for reporting this. I see the same problem, which is a surprise.
I would have expected some notification that something went wrong, but I
don't remember any.

Given the severity of this issue, we should prioritize deploying a
working fix ASAP, even if it's an ugly hack or workaround.

To begin, I'm currently building IceCat using the bundled NSPR and NSS,
to see if that helps. If that fails, I'll look more closely at IceCat's
customizations to the default "about:config" settings. The 'strace'
output might also have some clues.

I would welcome others to make their own efforts to find a fix for this
issue, or to share their ideas.

Toggle quote (3 lines)
> I don't know if this is a problem specific to Guix or upstream; I can
> give IceCat a try in a Debian VM tomorrow.

Please do. It would be _very_ helpful to know if this problem is
Guix-specific.

Thanks,
Mark
M
M
Mark H Weaver wrote on 26 Sep 2018 02:16
(name . Mike Gerwitz)(address . mtg@gnu.org)(address . 32833@debbugs.gnu.org)
87a7o5cdv3.fsf@netris.org
Mark H Weaver <mhw@netris.org> writes:
Toggle quote (3 lines)
> To begin, I'm currently building IceCat using the bundled NSPR and NSS,
> to see if that helps.

Using the bundled NSPR and NSS works around the problem for me. I just
pushed this change in commit 6d328879378fac95240005233331f596fb5c68ed on
'master'. See also the related, immediately preceding commits
257e3247910610fe24ae1b86f38e85552d53e48c and
94e96f7f68c3b9053fdb5dee5b0ab614163aaa08.

I'm keeping this bug report open, since it would be good to find a
better fix which avoids using the bundled libraries.

Mark
M
M
Mike Gerwitz wrote on 26 Sep 2018 02:30
(name . Mark H Weaver)(address . mhw@netris.org)(address . 32833@debbugs.gnu.org)
87tvmdcd6m.fsf@gnu.org
On Tue, Sep 25, 2018 at 20:16:16 -0400, Mark H Weaver wrote:
Toggle quote (10 lines)
> Mark H Weaver <mhw@netris.org> writes:
>> To begin, I'm currently building IceCat using the bundled NSPR and NSS,
>> to see if that helps.
>
> Using the bundled NSPR and NSS works around the problem for me. I just
> pushed this change in commit 6d328879378fac95240005233331f596fb5c68ed on
> 'master'. See also the related, immediately preceding commits
> 257e3247910610fe24ae1b86f38e85552d53e48c and
> 94e96f7f68c3b9053fdb5dee5b0ab614163aaa08.

Great!

Toggle quote (3 lines)
> I'm keeping this bug report open, since it would be good to find a
> better fix which avoids using the bundled libraries.

I wish I knew enough to suggest a better solution.

It's a little late now, but I just tested the IceCat binary on a Debian
machine and HTTPS works as expected.

Thanks again for your work on this. Maybe I'll let IceCat build
overnight so I can give it a try tomorrow (still on my X200).

--
Mike Gerwitz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJbqtNBAAoJEIyRe39dxRuiFqIQAIqBbCWEhiXsRYrh9XuQdRL3
YgkfjY73bmxdSHeb9WyX2buzdiZ0V7vZo2rR3lV+tAPmu72ZUF/KzrsgIxervJ3V
Sd6lnevtT8fZugP7BP+mgSocM0N+4mtUl0kH7wq4MOOGGc+S0TAlDq7ph2yWmQoA
hrUu/FrMkPGASSiGP8+TY6vU3ZfDCf6FeS86zLfUUy75LB5vytM90XntTDGl0P0H
jALgaZLRYHAuztcgQIAzmAGatWcIBZCAYH3s5ZBgI7A1usne20JXhOHmWugFL91X
fFJUn++pA9VV085MIfPwjTKZnehfWEK/bt5gFVJmJUiT1C76kosdvOrHBxmU17yz
YY/hLbdgX4nKNGsmleEiU3HAbsCs4HVJ0dIUYx5PAGM7S/ykv13s3xKthmh5Vc99
u25bDmWcx5lon81sMxjnOZZ5t6W5I1HzQlJw64q3B9pZAoyf55rX7wMKLtx+csHT
rE16d2BZVwWs9cGmROkdSrkHVt3w2jaJr6aDj27uOe9cZUkrP8XfClKru5r4zcLg
+16yz5C5AbkvRFzXojb/jmYllQRTVvYOJ8kz8RXWDxF5ixsjd6uAilvfWLxyuq00
AqTV+VRZ5yS1GWSsrErT0iC9CbH/BdqC9jYJMb0Gnass8Ggo41scS3iC2P7gU1Kx
iNzxT08dKcOBtrOTa/gh
=Rsuf
-----END PGP SIGNATURE-----

M
M
Mike Gerwitz wrote on 26 Sep 2018 06:55
(name . Mark H Weaver)(address . mhw@netris.org)(address . 32833@debbugs.gnu.org)
87bm8kdfis.fsf@gnu.org
On Tue, Sep 25, 2018 at 20:30:57 -0400, Mike Gerwitz wrote:
Toggle quote (3 lines)
> Thanks again for your work on this. Maybe I'll let IceCat build
> overnight so I can give it a try tomorrow (still on my X200).

LGTM.

--
Mike Gerwitz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQIcBAEBCgAGBQJbqxErAAoJEIyRe39dxRuiA0gQAJdJ1nmejq59J3DkKNuA9E5Z
gVrXi+GbU03JG64ZD5GFCViN9LNOTxrXX2/N+80TRysZTI01uzs8xsBLszT0gSKy
P4u1Apfrhlez0ny6YiRywXTNJo2oejh4/eUOLRpqMlf51F0Uleaygfo87Xs/dmwm
PLJRnpYTgvcb2ct+MbLjeWXsXTEJE+6pD8jtviXPpPSZgvT4+BkKL3O27h5rnMVc
4rq3oQxGGfwFd4bVNwF2nPp2nPfLPOpMQQVqcC/+ztfUmC2HR7YqCmeoOSBbQpAs
xzNnQiHiAdmtHqmNuOHKTqx9nHorrAPCFpUR/PmTEtub+M+HjHZEINptPXwWilaH
jnx/ItEuRBdEoCI0xW0F+8HsQie/h9Dprp1j9ZVbdJBld4zYaZvT5CnbjBlP4AQS
HK1HfjnkrtRU3yzOP4L8f93YJKYGN+LhoV58/MpFIcBBEX/vFHrD6vGJmDK1W0mY
KspcxZYZlKI4IT2ce+K1+duQGHrtb+QQYXaXXCtYl8gcXSNcr9GPfueGyihe47hu
zv75RMvy0O8mig4ZpEKSjQPwqlsdTEdR2FeS7BwNdZDsxCb4xbxPAqaKu98RRaOO
HJUXBv/B7d5HnC5gteDvVVZ3qA7QnQJBusrxXujv6IWVFQXD8mCN6B4mQvPxEazL
tbgLcoJvFu3u3kv1/y7+
=QsOk
-----END PGP SIGNATURE-----

M
M
Mark H Weaver wrote on 27 Sep 2018 00:49
(no subject)
(address . control@debbugs.gnu.org)
87h8ibho23.fsf@netris.org
retitle 32833 IceCat 60 certificate validation fails when using system NSS
severity 32833 normal
thanks
M
M
Maxim Cournoyer wrote on 29 Aug 2023 05:40
Re: bug#32833: IceCat 60 certificate validation fails when using system NSS
(name . Mike Gerwitz)(address . mtg@gnu.org)
874jkiect4.fsf_-_@gmail.com
Hello,

Mike Gerwitz <mtg@gnu.org> writes:

Toggle quote (24 lines)
> On Tue, Sep 25, 2018 at 20:16:16 -0400, Mark H Weaver wrote:
>> Mark H Weaver <mhw@netris.org> writes:
>>> To begin, I'm currently building IceCat using the bundled NSPR and NSS,
>>> to see if that helps.
>>
>> Using the bundled NSPR and NSS works around the problem for me. I just
>> pushed this change in commit 6d328879378fac95240005233331f596fb5c68ed on
>> 'master'. See also the related, immediately preceding commits
>> 257e3247910610fe24ae1b86f38e85552d53e48c and
>> 94e96f7f68c3b9053fdb5dee5b0ab614163aaa08.
>
> Great!
>
>> I'm keeping this bug report open, since it would be good to find a
>> better fix which avoids using the bundled libraries.
>
> I wish I knew enough to suggest a better solution.
>
> It's a little late now, but I just tested the IceCat binary on a Debian
> machine and HTTPS works as expected.
>
> Thanks again for your work on this. Maybe I'll let IceCat build
> overnight so I can give it a try tomorrow (still on my X200).

I'm closing this issue, since we're now using the Guix provided nss and
nspr packages for building IceCat since a while, and there doesn't
appear to be an issue with doing so.

--
Thanks,
Maxim
Closed
?