Bug 1350952

Summary: Firefox is unable to verify some certificates using TLS 1.2
Product: Red Hat Enterprise Linux 7 Reporter: Nicolas Mitsis <mitsis>
Component: firefoxAssignee: Martin Stransky <stransky>
Status: CLOSED DUPLICATE QA Contact: Desktop QE <desktop-qa-list>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 7.2CC: kengert
Target Milestone: rc   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2016-06-29 12:13:37 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
screenshot of error
none
ssltap with tls 1.1
none
ssltap with tls 1.2 none

Description Nicolas Mitsis 2016-06-28 19:56:25 UTC 
Created attachment 1173543 [details]
screenshot of error

Description of problem:

I've run in a weird issue with Firefox from rhel7.2 repositories (tested versions 38.7.0 to 45.2.0) where FF is unable to verify some certificates. Specifically https://code.jquery.com/ certificate (verified by GlobalSign nv-sa), see attached image.

The same site is verified by same versions of vanilla Firefox packages (running on rhel7.2) and openssl s_client.

How reproducible:

Go to https://code.jquery.com with Firefox 45.2.0-1 on RHEL7.2

Actual results:

Page does not open / no message is displayed in Firefox. Only message is seen by developer tools -> network tab which displays "The connection used to fetch this resource is insecure."

Additional info:

Using TLS 1.1 (setting security.tls.version.max to 2 in Firefox config) the page opens correctly. I've also attached to files produced by ssltap with TLS versions 1.1 & 1.2. 

The bug seems similar to bug #1234693 ( https://bugzilla.redhat.com/show_bug.cgi?id=1234693 ) which was resolved by RHSA-2015:1185-1 but I'm encountering this problem with firefox-45.2.0-1.el7_2.x86_64 and nss-3.21.0-9.el7_2.x86_64 today.
Comment 1 Nicolas Mitsis 2016-06-28 19:58:02 UTC 
Created attachment 1173544 [details]
ssltap with tls 1.1
Comment 2 Nicolas Mitsis 2016-06-28 19:59:09 UTC 
Created attachment 1173545 [details]
ssltap with tls 1.2
Comment 4 Martin Stransky 2016-06-29 11:50:32 UTC 
Kai, any idea here? Thanks.
Comment 5 Kai Engert (:kaie) (inactive account) 2016-06-29 12:13:37 UTC 
(In reply to Martin Stransky from comment #4)
> Kai, any idea here? Thanks.

This is apparently a duplicate of bug 1343202, both bugs talk about the same website.

*** This bug has been marked as a duplicate of bug 1343202 ***