GNU bug report logs - #32833
IceCat 60 certificate validation fails when using system NSS

Previous Next

Full log

View this message in rfc822 format

From: help-debbugs <at> gnu.org (GNU bug Tracking System)
To: Mike Gerwitz <mtg <at> gnu.org>
Subject: bug#32833: closed (Re: bug#32833: IceCat 60 certificate
 validation fails when using system NSS)
Date: Tue, 29 Aug 2023 03:41:02 +0000

[Message part 1 (text/plain, inline)]

Your bug report

#32833: IceCat 60 certificate validation fails when using system NSS

which was filed against the guix package, has been closed.

The explanation is attached below, along with your original report.
If you require more details, please reply to 32833 <at> debbugs.gnu.org.

-- 
32833: https://debbugs.gnu.org/cgi/bugreport.cgi?bug=32833
GNU Bug Tracking System
Contact help-debbugs <at> gnu.org with problems

[Message part 2 (message/rfc822, inline)]

From: Maxim Cournoyer <maxim.cournoyer <at> gmail.com>
To: Mike Gerwitz <mtg <at> gnu.org>
Cc: Mark H Weaver <mhw <at> netris.org>, 32833-done <at> debbugs.gnu.org
Subject: Re: bug#32833: IceCat 60 certificate validation fails when using
 system NSS
Date: Mon, 28 Aug 2023 23:40:23 -0400

Hello,

Mike Gerwitz <mtg <at> gnu.org> writes:

> On Tue, Sep 25, 2018 at 20:16:16 -0400, Mark H Weaver wrote:
>> Mark H Weaver <mhw <at> netris.org> writes:
>>> To begin, I'm currently building IceCat using the bundled NSPR and NSS,
>>> to see if that helps.
>>
>> Using the bundled NSPR and NSS works around the problem for me.  I just
>> pushed this change in commit 6d328879378fac95240005233331f596fb5c68ed on
>> 'master'.  See also the related, immediately preceding commits
>> 257e3247910610fe24ae1b86f38e85552d53e48c and
>> 94e96f7f68c3b9053fdb5dee5b0ab614163aaa08.
>
> Great!
>
>> I'm keeping this bug report open, since it would be good to find a
>> better fix which avoids using the bundled libraries.
>
> I wish I knew enough to suggest a better solution.
>
> It's a little late now, but I just tested the IceCat binary on a Debian
> machine and HTTPS works as expected.
>
> Thanks again for your work on this.  Maybe I'll let IceCat build
> overnight so I can give it a try tomorrow (still on my X200).

I'm closing this issue, since we're now using the Guix provided nss and
nspr packages for building IceCat since a while, and there doesn't
appear to be an issue with doing so.

-- 
Thanks,
Maxim

[Message part 3 (message/rfc822, inline)]

From: Mike Gerwitz <mtg <at> gnu.org>
To: bug-guix <at> gnu.org
Subject: IceCat 60 showing sites as "insecure" despite using HTTPS
Date: Tue, 25 Sep 2018 00:22:24 -0400

[Message part 4 (text/plain, inline)]

I don't know if this is a problem specific to Guix or upstream; I can
give IceCat a try in a Debian VM tomorrow.  But I want to make others
aware of the problem in the meantime:

Even if sites are using HTTPS, IceCat is still saying "This connection
is insecure" if you click on the "i" icon in the URL bar.  This seems to
be a problem with every HTTPS site I visit.

On the "Security" tab of the "Page Info" dialog, under "Technical
Details", no certificate information is listed; it simply says
"Connection Not Encrypted".  That's clearly not true, otherwise the page
would fail to load.  I've tried with sites that use HSTS and don't even
support plaintext connections (e.g. my own)---the pages load just fine.

I haven't played around with sites with expired certificates or anything
yet.  But if IceCat is not reporting security status correctly, then
users may be at risk, so be careful in the meantime!

-- 
Mike Gerwitz
Free Software Hacker+Activist | GNU Maintainer & Volunteer
GPG: D6E9 B930 028A 6C38 F43B  2388 FEF6 3574 5E6F 6D05
https://mikegerwitz.com

[signature.asc (application/pgp-signature, inline)]

Previous Next

GNU bug tracking system
Copyright (C) 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson.