Debian Bug report logs - #561918
client certificate authentication broken


Package: libnss3-1d; Maintainer for libnss3-1d is Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>; Source for libnss3-1d is src:nss.

Reported by: Christoph Anton Mitterer <christoph.anton.mitterer@physik.uni-muenchen.de>

Date: Mon, 21 Dec 2009 09:36:01 UTC

Severity: grave

Tags: confirmed, moreinfo

Merged with 563650, 565620, 565987, 568631, 570525, 572366

Found in version nss/3.12.5-1

Fixed in version nss/3.12.6-1

Done: Mike Hommey <glandium@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#561918; Package libnss3-1d. (Mon, 21 Dec 2009 09:36:04 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christoph Anton Mitterer <christoph.anton.mitterer@physik.uni-muenchen.de>:
New Bug report received and forwarded. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>. (Mon, 21 Dec 2009 09:36:04 GMT) Full text and rfc822 format available.

Message #5 received at submit@bugs.debian.org (full text, mbox):

From: Christoph Anton Mitterer <christoph.anton.mitterer@physik.uni-muenchen.de>
To: Debian BTS <submit@bugs.debian.org>
Subject: client certificate authentication broken
Date: Mon, 21 Dec 2009 10:34:09 +0100
Package: libnss3-1d
Version: 3.12.5-1
Justification: renders package unusable
Severity: grave

Hi.

With the most recent version, client certificate authentication is broken.
An error occurs even before iceweasel, epiphany, etc. ask for the
certificate to select.
Downgrading to 3.12.4-1 fixes the problem.


Cheers,
Chris.


-- System Information:
Debian Release: squeeze/sid
  APT prefers unstable
  APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31-heisenberg (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libnss3-1d depends on:
ii  dpkg                          1.15.5.4   Debian package management system
ii  libc6                         2.10.2-2   GNU C Library: Shared libraries
ii  libnspr4-0d                   4.8.2-1    NetScape Portable Runtime Library
ii  libsqlite3-0                  3.6.21-2   SQLite 3 shared library

libnss3-1d recommends no packages.

libnss3-1d suggests no packages.

-- no debconf information


----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.





Information forwarded to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#561918; Package libnss3-1d. (Tue, 22 Dec 2009 18:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mike Hommey <mh@glandium.org>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>. (Tue, 22 Dec 2009 18:39:03 GMT) Full text and rfc822 format available.

Message #10 received at 561918@bugs.debian.org (full text, mbox):

From: Mike Hommey <mh@glandium.org>
To: Christoph Anton Mitterer <christoph.anton.mitterer@physik.uni-muenchen.de>, 561918@bugs.debian.org
Subject: Re: Bug#561918: client certificate authentication broken
Date: Tue, 22 Dec 2009 19:37:16 +0100
On Mon, Dec 21, 2009 at 10:34:09AM +0100, Christoph Anton Mitterer wrote:
> Package: libnss3-1d
> Version: 3.12.5-1
> Justification: renders package unusable
> Severity: grave
> 
> Hi.
> 
> With the most recent version, client certificate authentication is broken.
> An error occurs even before iceweasel, epiphany, etc. ask for the
> certificate to select.
> downgrading to 3.12.4-1 fixes the problem.

Can you try after setting the NSS_SSL_ENABLE_RENEGOTIATION environment
variable to 1 ? (with nss 3.12.5-1, obviously).

Mike




Added tag(s) moreinfo. Request was from Mike Hommey <glandium@debian.org> to control@bugs.debian.org. (Tue, 22 Dec 2009 18:39:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#561918; Package libnss3-1d. (Tue, 22 Dec 2009 22:03:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Martin Spasov <mspasov@gmail.com>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>. (Tue, 22 Dec 2009 22:03:03 GMT) Full text and rfc822 format available.

Message #17 received at 561918@bugs.debian.org (full text, mbox):

From: Martin Spasov <mspasov@gmail.com>
To: Mike Hommey <mh@glandium.org>, 561918@bugs.debian.org
Subject: Re: Bug#561918: client certificate authentication broken
Date: Wed, 23 Dec 2009 00:01:06 +0200
Hello Mike,

On Tue, Dec 22, 2009 at 20:37, Mike Hommey <mh@glandium.org> wrote:
> On Mon, Dec 21, 2009 at 10:34:09AM +0100, Christoph Anton Mitterer wrote:
>> Package: libnss3-1d
>> Version: 3.12.5-1
>> Justification: renders package unusable
>> Severity: grave
>>
>> Hi.
>>
>> With the most recent version, client certificate authentication is broken.
>> An error occurs even before iceweasel, epiphany, etc. ask for the
>> certificate to select.
>> downgrading to 3.12.4-1 fixes the problem.
>
> Can you try after setting the NSS_SSL_ENABLE_RENEGOTIATION environment
> variable to 1 ? (with nss 3.12.5-1, obviously).
>
> Mike
>

I have tested and this variable fixes the bug (with nss 3.12.5-1).



-- 
Regards:   Martin Spasov




Information forwarded to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#561918; Package libnss3-1d. (Tue, 22 Dec 2009 23:00:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mike Hommey <mh@glandium.org>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>. (Tue, 22 Dec 2009 23:00:06 GMT) Full text and rfc822 format available.

Message #22 received at 561918@bugs.debian.org (full text, mbox):

From: Mike Hommey <mh@glandium.org>
To: Christoph Anton Mitterer <christoph.anton.mitterer@physik.uni-muenchen.de>
Cc: 561918@bugs.debian.org
Subject: Re: Bug#561918: client certificate authentication broken
Date: Tue, 22 Dec 2009 23:59:27 +0100
On Tue, Dec 22, 2009 at 11:42:02PM +0100, Christoph Anton Mitterer wrote:
> Hi Mike.
> 
> On Tue, 2009-12-22 at 19:37 +0100, Mike Hommey wrote:
> > Can you try after setting the NSS_SSL_ENABLE_RENEGOTIATION environment
> > variable to 1 ? (with nss 3.12.5-1, obviously).
> Yes this "fixes" the problem.

This just confirms the diagnostic, which is that nss 3.12.5 disabled
renegotiation because of CVE-2009-3555. Now, we need to decide how to
allow client authentication without putting users too much at risk.

Mike




Information forwarded to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#561918; Package libnss3-1d. (Tue, 22 Dec 2009 23:03:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christoph Anton Mitterer <christoph.anton.mitterer@physik.uni-muenchen.de>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>. (Tue, 22 Dec 2009 23:03:07 GMT) Full text and rfc822 format available.

Message #27 received at 561918@bugs.debian.org (full text, mbox):

From: Christoph Anton Mitterer <christoph.anton.mitterer@physik.uni-muenchen.de>
To: Mike Hommey <mh@glandium.org>
Cc: 561918@bugs.debian.org
Subject: Re: Bug#561918: client certificate authentication broken
Date: Tue, 22 Dec 2009 23:42:02 +0100
Hi Mike.

On Tue, 2009-12-22 at 19:37 +0100, Mike Hommey wrote:
> Can you try after setting the NSS_SSL_ENABLE_RENEGOTIATION environment
> variable to 1 ? (with nss 3.12.5-1, obviously).
Yes this "fixes" the problem.

Cheers,
Chris.

Information forwarded to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#561918; Package libnss3-1d. (Tue, 22 Dec 2009 23:21:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christoph Anton Mitterer <christoph.anton.mitterer@physik.uni-muenchen.de>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>. (Tue, 22 Dec 2009 23:21:06 GMT) Full text and rfc822 format available.

Message #32 received at 561918@bugs.debian.org (full text, mbox):

From: Christoph Anton Mitterer <christoph.anton.mitterer@physik.uni-muenchen.de>
To: Mike Hommey <mh@glandium.org>
Cc: 561918@bugs.debian.org
Subject: Re: Bug#561918: client certificate authentication broken
Date: Wed, 23 Dec 2009 00:18:03 +0100
On Tue, 2009-12-22 at 23:59 +0100, Mike Hommey wrote:
> This just confirms the diagnostic, which is that nss 3.12.5 disabled
> renegotiation because of CVE-2009-3555. Now, we need to decide how to
> allow client authentication without putting users too much at risk.
ok,.. I've already suspected this after your hint ;)
However, I thought that disabling this wouldn't break login to sites.

Cheers,
Chris.

Removed tag(s) moreinfo. Request was from Mike Hommey <glandium@debian.org> to control@bugs.debian.org. (Tue, 29 Dec 2009 17:51:04 GMT) Full text and rfc822 format available.

Added tag(s) confirmed. Request was from Mike Hommey <glandium@debian.org> to control@bugs.debian.org. (Tue, 29 Dec 2009 17:51:05 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#561918; Package libnss3-1d. (Tue, 29 Dec 2009 22:48:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Alexander Kurtz <kurtz.alex@googlemail.com>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>. (Tue, 29 Dec 2009 22:48:06 GMT) Full text and rfc822 format available.

Message #41 received at 561918@bugs.debian.org (full text, mbox):

From: Alexander Kurtz <kurtz.alex@googlemail.com>
To: 561918@bugs.debian.org
Cc: Christoph Anton Mitterer <christoph.anton.mitterer@physik.uni-muenchen.de>, Mike Hommey <mh@glandium.org>, Martin Spasov <mspasov@gmail.com>
Subject: Re: Bug#561918: client certificate authentication broken
Date: Tue, 29 Dec 2009 23:45:48 +0100
Hi,

Since I didn't find a copy of libnss3-1d 3.12.4-1, I wanted to mention
that the lenny version[1] of libnss3-1d works without problems with
squeeze (and probably sid too) so using this version until this bug is
fixed is easily possible.

Cheers

Alexander Kurtz

[1] http://packages.debian.org/lenny/libnss3-1d

Information forwarded to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#561918; Package libnss3-1d. (Wed, 30 Dec 2009 07:39:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mike Hommey <mh@glandium.org>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>. (Wed, 30 Dec 2009 07:39:03 GMT) Full text and rfc822 format available.

Message #46 received at 561918@bugs.debian.org (full text, mbox):

From: Mike Hommey <mh@glandium.org>
To: Alexander Kurtz <kurtz.alex@googlemail.com>
Cc: 561918@bugs.debian.org, Christoph Anton Mitterer <christoph.anton.mitterer@physik.uni-muenchen.de>, Martin Spasov <mspasov@gmail.com>
Subject: Re: Bug#561918: client certificate authentication broken
Date: Wed, 30 Dec 2009 08:36:11 +0100
On Tue, Dec 29, 2009 at 11:45:48PM +0100, Alexander Kurtz wrote:
> Hi,
> 
> Since I didn't find a copy of libnss3-1d 3.12.4-1, I wanted to mention
> that the lenny version[1] of libnss3-1d works without problems with
> squeeze (and probably sid too) so using this version until this bug is
> fixed is easily possible.

You can also add "NSS_SSL_ENABLE_RENEGOTIATION=1" in
/etc/iceweasel/iceweaselrc.

Mike




Information forwarded to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#561918; Package libnss3-1d. (Fri, 01 Jan 2010 16:03:06 GMT) Full text and rfc822 format available.

Acknowledgement sent to Alexander Kurtz <kurtz.alex@googlemail.com>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>. (Fri, 01 Jan 2010 16:03:06 GMT) Full text and rfc822 format available.

Message #51 received at 561918@bugs.debian.org (full text, mbox):

From: Alexander Kurtz <kurtz.alex@googlemail.com>
To: Sam Morris <sam@robots.org.uk>
Cc: 561918@bugs.debian.org, 563253@bugs.debian.org, control@bugs.debian.org
Subject: Re: libnss3-1d: Fails to verify the certificate of my company email server
Date: Fri, 01 Jan 2010 16:58:00 +0100
merge 561918 563253
thanks

Hi,

I've got exactly the same problem here with Evolution 2.28 and my
Googlemail-Account. It is caused by bug #561918 [1]. You should check
my message there.

Cheers

Alexander Kurtz

[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=561918

On Friday, 01.01.2010, at 13:28 +0000, Sam Morris wrote:
> Package: libnss3-1d
> Version: 3.12.5-1
> Severity: grave
> Justification: renders package unusable
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Since upgrading libnss3-1d to 3.12.5, I have been unable to connect to my
> company's email server. Evolution gives me this dialog:
> 
> SSL Certificate check for imap.example.com:
> 
> Issuer:            serialNumber=88888888,CN=Go Daddy Secure Certification
> Authority,OU=http://certificates.godaddy.com/repository,O="GoDaddy.com,
> Inc.",L=Scottsdale,ST=Arizona,C=US
> Subject:           CN=*.example.com,OU=Domain Control Validated,O=*.example.com
> Fingerprint:       ec:cf:43:7f:87:84:f0:63:ec:b4:5d:60:e5:7e:6b:23
> Signature:         BAD
> 
> No problem with iceweasel, thunderbird, etc. but they don't appear to use the
> split-out package of NSS.
> 
> I reported the same bug against gnutls, #563127. The maintainer found that
> gnutls refused to accept the certificate because it was issued by a "V1 CA".
> Sadly I'm no X.509 expert so I don't know what that really means. The
> certificate in question was issued in April 2009, so it's not exactly ancient.
> 
> Please tell me if you'd like the server address to debug this further yourself,
> or whether there are any command line utilities for NSS that I can use as the
> equivalent of gnutls-bin/'openssl s_client' to debug further. 
> 
> Because this coincides with the upgrade from 3.12.4 to 3.12.5 I am assuming
> that NSS made a similar policy change to GnuTLS, to stop trusting V1 CAs. If
> this is the kind of thing that a user of NSS can override, please let me know
> and I'll forward that information to the (evolution) upstream bug at
> <https://bugzilla.gnome.org/show_bug.cgi?id=605773>.
> 
> - -- System Information:
> Debian Release: squeeze/sid
>   APT prefers testing
>   APT policy: (430, 'testing'), (420, 'unstable'), (410, 'experimental')
> Architecture: amd64 (x86_64)
> 
> Kernel: Linux 2.6.32-trunk-amd64 (SMP w/4 CPU cores)
> Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
> Shell: /bin/sh linked to /bin/dash
> 
> Versions of packages libnss3-1d depends on:
> ii  dpkg                   1.15.5.4          Debian package management system
> ii  libc6                  2.10.2-2          GNU C Library: Shared libraries
> ii  libnspr4-0d            4.8.2-1           NetScape Portable Runtime Library
> ii  libsqlite3-0           3.6.21-2          SQLite 3 shared library
> ii  zlib1g                 1:1.2.3.3.dfsg-15 compression library - runtime
> 
> libnss3-1d recommends no packages.
> 
> libnss3-1d suggests no packages.
> 
> - -- no debconf information
> 
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> 
> iEYEARECAAYFAks9+IoACgkQshl/216gEHgbmgCg4/dEMui2RE3t+GgVJ9je7ouJ
> AB0AmgOjth0/Cy2emJ/RkhIl56IzQ0Ec
> =kMHW
> -----END PGP SIGNATURE-----
> 
> 
> 


Merged 561918 563253. Request was from Alexander Kurtz <kurtz.alex@googlemail.com> to control@bugs.debian.org. (Fri, 01 Jan 2010 16:03:09 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#561918; Package libnss3-1d. (Fri, 01 Jan 2010 21:18:08 GMT) Full text and rfc822 format available.

Acknowledgement sent to Sam Morris <sam@robots.org.uk>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>. (Fri, 01 Jan 2010 21:18:08 GMT) Full text and rfc822 format available.

Message #58 received at 561918@bugs.debian.org (full text, mbox):

From: Sam Morris <sam@robots.org.uk>
To: Alexander Kurtz <kurtz.alex@googlemail.com>
Cc: 561918@bugs.debian.org, 563253@bugs.debian.org
Subject: Re: libnss3-1d: Fails to verify the certificate of my company email server
Date: Fri, 01 Jan 2010 21:17:04 +0000
unmerge 563253
thanks

On Fri, 2010-01-01 at 16:58 +0100, Alexander Kurtz wrote:
> I've got exactly the same problem here with Evolution 2.28 and my
> Googlemail-Account. It is caused by bug #561918 [1]. You should check
> my message there.

Hi Alexander, that does not appear to be the case for me. Setting
NSS_SSL_ENABLE_RENEGOTIATION=1 in the environment does not prevent the
verification failure.

I was careful to force shutdown evolution, then launch it afresh in case
the child e-d-s processes also required it to be set.

Regards,

-- 
Sam Morris
https://robots.org.uk/

PGP key id 1024D/5EA01078
3412 EA18 1277 354B 991B  C869 B219 7FDB 5EA0 1078

Disconnected #563253 from all other report(s). Request was from Sam Morris <sam@robots.org.uk> to control@bugs.debian.org. (Fri, 01 Jan 2010 21:18:14 GMT) Full text and rfc822 format available.

Added indication that 561918 affects iceape and iceweasel Request was from Mike Hommey <glandium@debian.org> to control@bugs.debian.org. (Mon, 04 Jan 2010 11:21:17 GMT) Full text and rfc822 format available.

Forcibly Merged 561918 563650. Request was from Mike Hommey <glandium@debian.org> to control@bugs.debian.org. (Mon, 04 Jan 2010 11:36:10 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#561918; Package libnss3-1d. (Wed, 06 Jan 2010 12:30:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Olivier Berger <olivier.berger@it-sudparis.eu>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>. (Wed, 06 Jan 2010 12:30:03 GMT) Full text and rfc822 format available.

Message #69 received at 561918@bugs.debian.org (full text, mbox):

From: Olivier Berger <olivier.berger@it-sudparis.eu>
To: Mike Hommey <mh@glandium.org>, 561918@bugs.debian.org
Subject: Re: Bug#561918: client certificate authentication broken
Date: Wed, 6 Jan 2010 13:29:13 +0100
On Wed, Dec 30, 2009 at 08:36:11AM +0100, Mike Hommey wrote:
> On Tue, Dec 29, 2009 at 11:45:48PM +0100, Alexander Kurtz wrote:
> > Hi,
> > 
> > Since I didn't find a copy of libnss3-1d 3.12.4-1, I wanted to mention
> > that the lenny version[1] of libnss3-1d works without problems with
> > squeeze (and probably sid too) so using this version until this bug is
> > fixed is easily possible.
> 
> You can also add "NSS_SSL_ENABLE_RENEGOTIATION=1" in
> /etc/iceweasel/iceweaselrc.
> 

Are you sure ?

I've been hit by that bug, and that didn't help solving it for 3.5.6-1

I had to manually issue : NSS_SSL_ENABLE_RENEGOTIATION=1 iceweasel
on the command-line to get it to work.

Best regards,




Information forwarded to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#561918; Package libnss3-1d. (Wed, 06 Jan 2010 12:48:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mike Hommey <mh@glandium.org>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>. (Wed, 06 Jan 2010 12:48:03 GMT) Full text and rfc822 format available.

Message #74 received at 561918@bugs.debian.org (full text, mbox):

From: Mike Hommey <mh@glandium.org>
To: Olivier Berger <olivier.berger@it-sudparis.eu>
Cc: 561918@bugs.debian.org
Subject: Re: Bug#561918: client certificate authentication broken
Date: Wed, 6 Jan 2010 13:44:46 +0100
On Wed, Jan 06, 2010 at 01:29:13PM +0100, Olivier Berger wrote:
> On Wed, Dec 30, 2009 at 08:36:11AM +0100, Mike Hommey wrote:
> > On Tue, Dec 29, 2009 at 11:45:48PM +0100, Alexander Kurtz wrote:
> > > Hi,
> > > 
> > > Since I didn't find a copy of libnss3-1d 3.12.4-1, I wanted to mention
> > > that the lenny version[1] of libnss3-1d works without problems with
> > > squeeze (and probably sid too) so using this version until this bug is
> > > fixed is easily possible.
> > 
> > You can also add "NSS_SSL_ENABLE_RENEGOTIATION=1" in
> > /etc/iceweasel/iceweaselrc.
> > 
> 
> Are you sure ?
> 
> I've been hit by that bug, and that didn't help solving it for 3.5.6-1
> 
> I had to manually issue : NSS_SSL_ENABLE_RENEGOTIATION=1 iceweasel
> on the command-line to get it to work.

Ah, sorry, you need to export the variable, so that'd be
export NSS_SSL_ENABLE_RENEGOTIATION=1
in /etc/iceweasel/iceweaselrc.

Cheers,

Mike
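
The difference between the three forms tried in this thread (a plain assignment in the rc file, an exported assignment in the rc file, and a prefix on the command line), as an added example that is not part of the original messages. It assumes the launcher sources the rc file as shell, which is what the fix above implies; the temporary rc file, the function names and the `sh -c` child standing in for iceweasel are constructed for illustration.

```shell
#!/bin/sh
# Added illustration: which forms of setting NSS_SSL_ENABLE_RENEGOTIATION
# actually reach the child process that loads NSS.
# Assumption: the launcher sources its rc file with "." before starting
# the program. The child here is a stand-in, not iceweasel itself.

# What the child process sees in its own environment.
PROBE='printf "%s" "${NSS_SSL_ENABLE_RENEGOTIATION:-unset}"'

# launch_with_rc RC_BODY
# Emulates a launcher: write RC_BODY to a temporary rc file, source it,
# then start the child. Prints the value the child observed.
launch_with_rc() {
    rc=$(mktemp) || return 1
    printf '%s\n' "$1" > "$rc"
    (
        # Start from a clean state so an inherited value cannot mask the result.
        unset NSS_SSL_ENABLE_RENEGOTIATION
        . "$rc"
        sh -c "$PROBE"
    )
    status=$?
    rm -f "$rc"
    return "$status"
}

# launch_with_prefix
# Emulates "NSS_SSL_ENABLE_RENEGOTIATION=1 iceweasel" typed at a prompt:
# a prefix assignment is placed in the environment of that one command only.
launch_with_prefix() {
    (
        unset NSS_SSL_ENABLE_RENEGOTIATION
        NSS_SSL_ENABLE_RENEGOTIATION=1 sh -c "$PROBE"
    )
}

# Plain assignment: sets a shell variable in the launcher, never exported,
# so the child (and the NSS library inside it) does not see it.
printf 'rc file, plain assignment : %s\n' \
    "$(launch_with_rc 'NSS_SSL_ENABLE_RENEGOTIATION=1')"

# Exported assignment: becomes part of the environment passed to the child.
printf 'rc file, with export      : %s\n' \
    "$(launch_with_rc 'export NSS_SSL_ENABLE_RENEGOTIATION=1')"

# Command-line prefix: applies to that single invocation.
printf 'command-line prefix       : %s\n' "$(launch_with_prefix)"
```

An exported variable is inherited by every process started from that environment, so keeping the export in the one launcher's rc file, rather than in a login profile, limits the re-enabled renegotiation to that program.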




Information forwarded to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#561918; Package libnss3-1d. (Wed, 13 Jan 2010 20:51:11 GMT) Full text and rfc822 format available.

Acknowledgement sent to Oliver Fields <oliver@phnd.net>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>. (Wed, 13 Jan 2010 20:51:11 GMT) Full text and rfc822 format available.

Message #79 received at 561918@bugs.debian.org (full text, mbox):

From: Oliver Fields <oliver@phnd.net>
To: 561918@bugs.debian.org, mh@glandium.org
Subject: Re: Bug#561918: client certificate authentication broken
Date: Wed, 13 Jan 2010 21:11:40 +0100
> Can you try after setting the NSS_SSL_ENABLE_RENEGOTIATION environment
> variable to 1 ? (with nss 3.12.5-1, obviously).

Running iceweasel from a terminal using the following solved the issue 
for me:

NSS_SSL_ENABLE_RENEGOTIATION=1 iceweasel

-- 
Oliver




Forcibly Merged 561918 563650 565620. Request was from Mike Hommey <glandium@debian.org> to control@bugs.debian.org. (Mon, 18 Jan 2010 16:36:06 GMT) Full text and rfc822 format available.

Added indication that 561918 affects iceape, evolution, and iceweasel Request was from Mike Hommey <glandium@debian.org> to control@bugs.debian.org. (Wed, 20 Jan 2010 13:09:19 GMT) Full text and rfc822 format available.

Forcibly Merged 561918 563650 565620 565987. Request was from Mike Hommey <glandium@debian.org> to control@bugs.debian.org. (Wed, 20 Jan 2010 13:24:08 GMT) Full text and rfc822 format available.

Forcibly Merged 561918 563650 565620 565987 568631. Request was from Mike Hommey <glandium@debian.org> to control@bugs.debian.org. (Sun, 07 Feb 2010 10:48:11 GMT) Full text and rfc822 format available.

Forcibly Merged 561918 563650 565620 565987 568631 570525. Request was from Mike Hommey <glandium@debian.org> to control@bugs.debian.org. (Fri, 19 Feb 2010 18:03:08 GMT) Full text and rfc822 format available.

Information forwarded to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#561918; Package libnss3-1d. (Sun, 28 Feb 2010 02:48:03 GMT) Full text and rfc822 format available.

Acknowledgement sent to Christoph Anton Mitterer <christoph.anton.mitterer@physik.uni-muenchen.de>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>. (Sun, 28 Feb 2010 02:48:03 GMT) Full text and rfc822 format available.

Message #94 received at 561918@bugs.debian.org (full text, mbox):

From: Christoph Anton Mitterer <christoph.anton.mitterer@physik.uni-muenchen.de>
To: 561918@bugs.debian.org
Subject: Re: client certificate authentication broken
Date: Sun, 28 Feb 2010 03:45:06 +0100
FYI: RFC 5746 provides the solution to the renegotiation security attack.


Cheers,
Chris.






Information forwarded to debian-bugs-dist@lists.debian.org, Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>:
Bug#561918; Package libnss3-1d. (Sun, 28 Feb 2010 07:24:02 GMT) Full text and rfc822 format available.

Acknowledgement sent to Mike Hommey <mh@glandium.org>:
Extra info received and forwarded to list. Copy sent to Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>. (Sun, 28 Feb 2010 07:24:02 GMT) Full text and rfc822 format available.

Message #99 received at 561918@bugs.debian.org (full text, mbox):

From: Mike Hommey <mh@glandium.org>
To: Christoph Anton Mitterer <christoph.anton.mitterer@physik.uni-muenchen.de>, 561918@bugs.debian.org
Subject: Re: Bug#561918: client certificate authentication broken
Date: Sun, 28 Feb 2010 08:21:13 +0100
On Sun, Feb 28, 2010 at 03:45:06AM +0100, Christoph Anton Mitterer wrote:
> FYI: RFC 5746 provides the solution to the renegotiation security attack.

And it is planned for 3.12.6.

Mike




Forcibly Merged 561918 563650 565620 565987 568631 570525 572366. Request was from Mike Hommey <glandium@debian.org> to control@bugs.debian.org. (Thu, 04 Mar 2010 20:00:08 GMT) Full text and rfc822 format available.

Reply sent to Mike Hommey <glandium@debian.org>:
You have taken responsibility. (Wed, 17 Mar 2010 22:27:17 GMT) Full text and rfc822 format available.

Notification sent to Christoph Anton Mitterer <christoph.anton.mitterer@physik.uni-muenchen.de>:
Bug acknowledged by developer. (Wed, 17 Mar 2010 22:27:17 GMT) Full text and rfc822 format available.

Message #106 received at 561918-close@bugs.debian.org (full text, mbox):

From: Mike Hommey <glandium@debian.org>
To: 561918-close@bugs.debian.org
Subject: Bug#561918: fixed in nss 3.12.6-1
Date: Wed, 17 Mar 2010 22:26:02 +0000
Source: nss
Source-Version: 3.12.6-1

We believe that the bug you reported is fixed in the latest version of
nss, which is due to be installed in the Debian FTP archive:

libnss3-1d-dbg_3.12.6-1_amd64.deb
  to main/n/nss/libnss3-1d-dbg_3.12.6-1_amd64.deb
libnss3-1d_3.12.6-1_amd64.deb
  to main/n/nss/libnss3-1d_3.12.6-1_amd64.deb
libnss3-dev_3.12.6-1_amd64.deb
  to main/n/nss/libnss3-dev_3.12.6-1_amd64.deb
libnss3-tools_3.12.6-1_amd64.deb
  to main/n/nss/libnss3-tools_3.12.6-1_amd64.deb
nss_3.12.6-1.debian.tar.gz
  to main/n/nss/nss_3.12.6-1.debian.tar.gz
nss_3.12.6-1.dsc
  to main/n/nss/nss_3.12.6-1.dsc
nss_3.12.6.orig.tar.gz
  to main/n/nss/nss_3.12.6.orig.tar.gz



A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 561918@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Mike Hommey <glandium@debian.org> (supplier of updated nss package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Format: 1.8
Date: Wed, 17 Mar 2010 20:33:32 +0100
Source: nss
Binary: libnss3-1d libnss3-tools libnss3-dev libnss3-1d-dbg
Architecture: source amd64
Version: 3.12.6-1
Distribution: unstable
Urgency: low
Maintainer: Maintainers of Mozilla-related packages <pkg-mozilla-maintainers@lists.alioth.debian.org>
Changed-By: Mike Hommey <glandium@debian.org>
Description: 
 libnss3-1d - Network Security Service libraries
 libnss3-1d-dbg - Debugging symbols for the Network Security Service libraries
 libnss3-dev - Development files for the Network Security Service libraries
 libnss3-tools - Network Security Service tools
Closes: 561918
Changes: 
 nss (3.12.6-1) unstable; urgency=low
 .
   * New upstream release.
   * debian/patches/*: Refresh patches.
   * debian/libnss3-1d.symbols, debian/rules: Update symbols file with new
     symbols and bump shlibs.
   * debian/patches/97_SSL_RENEGOTIATE_TRANSITIONAL.patch,
     debian/patches/series: Enable transitional scheme for ssl renegotiation.
     Closes: #561918.
   * debian/control:
     + Bump Standards-Version to 3.8.4.0.
     + Drop libnss3-1d dependency on dpkg. The versions it didn't really like
       were between oldstable and stable.
     + Don't allow different versions of libnss3-1d, libnss3-1d-dbg and
       libnss3-tools to be installed at the same time.
     + Add ${misc:Depends} to libnss3-1d-dbg dependencies.
   * debian/rules: Revert workaround for gcc 4.4 bug on powerpc with -Os.
   * debian/rules, debian/control, debian/compat: Simplify debian/rules by
     using dh.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iD8DBQFLoTKm3kvaLFT9KlgRAhNuAJ9agA4zJ6uXIN+feb0hsJeIEeLErQCfS0HP
dTxDFiQ9tZNQX+qpqFcibQ4=
=KDkc
-----END PGP SIGNATURE-----





Reply sent to Mike Hommey <glandium@debian.org>:
You have taken responsibility. (Wed, 17 Mar 2010 22:27:18 GMT) Full text and rfc822 format available.

Notification sent to Finn-Arne Johansen <faj@bzz.no>:
Bug acknowledged by developer. (Wed, 17 Mar 2010 22:27:18 GMT) Full text and rfc822 format available.

Reply sent to Mike Hommey <glandium@debian.org>:
You have taken responsibility. (Wed, 17 Mar 2010 22:27:19 GMT) Full text and rfc822 format available.

Notification sent to Torsten Werner <twerner@debian.org>:
Bug acknowledged by developer. (Wed, 17 Mar 2010 22:27:19 GMT) Full text and rfc822 format available.

Reply sent to Mike Hommey <glandium@debian.org>:
You have taken responsibility. (Wed, 17 Mar 2010 22:27:20 GMT) Full text and rfc822 format available.

Notification sent to Giorgos Pallas <gpall@ccf.auth.gr>:
Bug acknowledged by developer. (Wed, 17 Mar 2010 22:27:20 GMT) Full text and rfc822 format available.

Reply sent to Mike Hommey <glandium@debian.org>:
You have taken responsibility. (Wed, 17 Mar 2010 22:27:21 GMT) Full text and rfc822 format available.

Notification sent to John Hughes <john@calva.com>:
Bug acknowledged by developer. (Wed, 17 Mar 2010 22:27:21 GMT) Full text and rfc822 format available.

Reply sent to Mike Hommey <glandium@debian.org>:
You have taken responsibility. (Wed, 17 Mar 2010 22:27:22 GMT) Full text and rfc822 format available.

Notification sent to Wolfgang Kasulke <wolfgang-kasulke@gmx.de>:
Bug acknowledged by developer. (Wed, 17 Mar 2010 22:27:22 GMT) Full text and rfc822 format available.

Reply sent to Mike Hommey <glandium@debian.org>:
You have taken responsibility. (Wed, 17 Mar 2010 22:27:23 GMT) Full text and rfc822 format available.

Notification sent to "Mikhail V. Zhukov" <Mikhail.V.Zhukov@gmail.com>:
Bug acknowledged by developer. (Wed, 17 Mar 2010 22:27:24 GMT) Full text and rfc822 format available.

Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Thu, 06 May 2010 07:40:40 GMT) Full text and rfc822 format available.



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Apr 19 10:27:45 2014; Machine Name: beach.debian.org

Debian Bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.