[gentoo-user] dev-libs/nss-3.29.5 security level problem?

[gentoo-user] dev-libs/nss-3.29.5 security level problem?

[Mick]

[-- Attachment #1: Type: text/plain, Size: 732 bytes --]

Hi All,

I just discovered the last nss update broke things completely on mozilla apps 
which use nss.  Firefox now refuses to connect to any site with https.  Trying 
to load google.com brings up this error message:

=============================
Your connection is not secure

The website tried to negotiate an inadequate level of security.

www.google.com uses security technology that is outdated and vulnerable to 
attack. An attacker could easily reveal information which you thought to be 
safe. The website administrator will need to fix the server first before you 
can visit the site.

Error code: NS_ERROR_NET_INADEQUATE_SECURITY
============================================

Have you noticed the same?

-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[gentoo-user] Re: dev-libs/nss-3.29.5 security level problem?

[Mick]

[-- Attachment #1: Type: text/plain, Size: 1092 bytes --]

On Thursday, 10 May 2018 10:48:06 BST Mick wrote:
> Hi All,
> 
> I just discovered the last nss update broke things completely on mozilla
> apps which use nss.  Firefox now refuses to connect to any site with https.
>  Trying to load google.com brings up this error message:
> 
> =============================
> Your connection is not secure
> 
> The website tried to negotiate an inadequate level of security.
> 
> www.google.com uses security technology that is outdated and vulnerable to
> attack. An attacker could easily reveal information which you thought to be
> safe. The website administrator will need to fix the server first before you
> can visit the site.
> 
> Error code: NS_ERROR_NET_INADEQUATE_SECURITY
> ============================================
> 
> Have you noticed the same?

OK, looking further into this problem, it was not an update, but a downgrade 
which caused it.  I had previously keyworded nss-3.36 which yesterday fell off 
the tree and portage downgraded nss to 3.29.5.  I keyworded and emerge 3.37 
and all works as it should again.  :-)

-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

[gentoo-user] Re: dev-libs/nss-3.29.5 security level problem?

[Mick]

[-- Attachment #1: Type: text/plain, Size: 1093 bytes --]

On Thursday, 10 May 2018 10:48:06 BST Mick wrote:
> Hi All,
> 
> I just discovered the last nss update broke things completely on mozilla
> apps which use nss.  Firefox now refuses to connect to any site with https.
>  Trying to load google.com brings up this error message:
> 
> =============================
> Your connection is not secure
> 
> The website tried to negotiate an inadequate level of security.
> 
> www.google.com uses security technology that is outdated and vulnerable to
> attack. An attacker could easily reveal information which you thought to be
> safe. The website administrator will need to fix the server first before you
> can visit the site.
> 
> Error code: NS_ERROR_NET_INADEQUATE_SECURITY
> ============================================
> 
> Have you noticed the same?


OK, looking further into this problem, it was not an update, but a downgrade 
which caused it.  I had previously keyworded nss-3.36 which yesterday fell off 
the tree and portage downgraded nss to 3.29.5.  I keyworded and emerge 3.37 
and all works as it should again.  :-)

-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: [gentoo-user] Re: dev-libs/nss-3.29.5 security level problem?

[Dale]

Mick wrote:
> On Thursday, 10 May 2018 10:48:06 BST Mick wrote:
>> Hi All,
>>
>> I just discovered the last nss update broke things completely on mozilla
>> apps which use nss.  Firefox now refuses to connect to any site with https.
>>  Trying to load google.com brings up this error message:
>>
>> =============================
>> Your connection is not secure
>>
>> The website tried to negotiate an inadequate level of security.
>>
>> www.google.com uses security technology that is outdated and vulnerable to
>> attack. An attacker could easily reveal information which you thought to be
>> safe. The website administrator will need to fix the server first before you
>> can visit the site.
>>
>> Error code: NS_ERROR_NET_INADEQUATE_SECURITY
>> ============================================
>>
>> Have you noticed the same?
>
> OK, looking further into this problem, it was not an update, but a downgrade 
> which caused it.  I had previously keyworded nss-3.36 which yesterday fell off 
> the tree and portage downgraded nss to 3.29.5.  I keyworded and emerge 3.37 
> and all works as it should again.  :-)
>


I ran into this as well.  There is a setting in about:config that you
can change that makes it work.  However, if you have a fix that is
better, your fix may be the best way.  I think it required disabling
something in about:config, which may not be good in the long run. 

I may can dig up the link I found if you need it. 

Dale

:-)  :-) 

Re: [gentoo-user] Re: dev-libs/nss-3.29.5 security level problem?

[Mick]

[-- Attachment #1: Type: text/plain, Size: 1274 bytes --]

On Thursday, 10 May 2018 11:31:45 BST Dale wrote:
> Mick wrote:
> > On Thursday, 10 May 2018 10:48:06 BST Mick wrote:
> >> Hi All,
> >> 
> >> I just discovered the last nss update broke things completely on mozilla
> >> apps which use nss.  Firefox now refuses to connect to any site with
> >> https.
[snip ...]

> >> Error code: NS_ERROR_NET_INADEQUATE_SECURITY
> >> ============================================
> >> 
> >> Have you noticed the same?
> > 
> > OK, looking further into this problem, it was not an update, but a
> > downgrade which caused it.  I had previously keyworded nss-3.36 which
> > yesterday fell off the tree and portage downgraded nss to 3.29.5.  I
> > keyworded and emerge 3.37 and all works as it should again.  :-)
> 
> I ran into this as well.  There is a setting in about:config that you
> can change that makes it work.  However, if you have a fix that is
> better, your fix may be the best way.  I think it required disabling
> something in about:config, which may not be good in the long run. 
> 
> I may can dig up the link I found if you need it. 
> 
> Dale
> 
> :-)  :-) 


Thank you Dale.  I vaguely remember a post mentioning something like this.  
Since a later nss version works, I'll run with this solution for now.
-- 
Regards,
Mick

[-- Attachment #2: This is a digitally signed message part. --]
[-- Type: application/pgp-signature, Size: 833 bytes --]