1531031 – NS_ERROR_NET_INADEQUATE_SECURITY on many TLS sites

Bug 1531031 - NS_ERROR_NET_INADEQUATE_SECURITY on many TLS sites

Summary: NS_ERROR_NET_INADEQUATE_SECURITY on many TLS sites

Keywords:
Status:	CLOSED RAWHIDE
Alias:	None
Product:	Fedora
Classification:	Fedora
Component:	firefox
Sub Component:
Version:	27
Hardware:	x86_64
OS:	Linux
Priority:	unspecified
Severity:	unspecified
Target Milestone:	---
Assignee:	Martin Stransky
QA Contact:	Fedora Extras Quality Assurance
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2018-01-04 12:28 UTC by Krzysztof Jurewicz
Modified:	2018-01-17 09:04 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2018-01-17 09:04:59 UTC
Type:	Bug
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Description Krzysztof Jurewicz 2018-01-04 12:28:25 UTC

Description of problem:

After updating Firefox, in many cases accessing a site via HTTPS results in NS_ERROR_NET_INADEQUATE_SECURITY. This includes:

• mozilla.org;
• duckduckgo.com;
• fedoraproject.org;
• google.com.

(I presume that at least some of those sites are secure).

Version-Release number of selected component (if applicable): 57.0.1-1.fc27

Steps to Reproduce:
1. Open Firefox.
2. Go to https://google.com.

Actual results:
In Polish:
“Połączenie nie gwarantuje bezpieczeństwa

Strona próbowała wynegocjować niewystarczający poziom zabezpieczeń.

google.com używa przestarzałej i podatnej na ataki technologii bezpieczeństwa. Atakujący mógłby łatwo odszyfrować informacje, które miały być bezpieczne. Administrator strony musi naprawić serwer, zanim będzie można ją odwiedzić.

Kod błędu: NS_ERROR_NET_INADEQUATE_SECURITY”

Expected results:
Google search site should load.

Comment 1 Martin Stransky 2018-01-04 12:33:31 UTC

Kai, any idea here?

Comment 2 Kai Engert (:kaie) (inactive account) 2018-01-04 15:54:03 UTC

Does your network environment have a transparent proxy that downgrades the security of the SSL/TLS traffic?

Comment 3 Krzysztof Jurewicz 2018-01-04 16:29:28 UTC

Likely not. The solution described on https://support.mozilla.org/pl/questions/1197052 (upgrading nss) has solved the issue. I’m not closing the bug though since it suggests a problem with package dependencies.

Comment 4 Kai Engert (:kaie) (inactive account) 2018-01-04 16:44:58 UTC

Firefox didn't pull in the newest nss packages automatically?

Martin, I recommend that you increase the nss dependency every time you rebase firefox to a newer version, we always release a new nss for each new firefox.

Comment 5 Martin Stransky 2018-01-04 16:54:08 UTC

I see. Looks like we don't use the nss/nspr version autodetection due to often failures here and we forget to version up NSS in the FF package. Thanks for the tip. Adding to firefox-57.0.4-1.

Comment 6 Martin Stransky 2018-01-17 09:04:59 UTC

Should be fixed now.

Note You need to log in before you can comment on or make changes to this bug.