Bug 1531031 - NS_ERROR_NET_INADEQUATE_SECURITY on many TLS sites
Alias: None
Product: Fedora
Classification: Fedora
Component: firefox
Version: 27
Hardware: x86_64
OS: Linux
Target Milestone: ---
Assignee: Martin Stransky
QA Contact: Fedora Extras Quality Assurance
Depends On:
TreeView+ depends on / blocked
Reported: 2018-01-04 12:28 UTC by Krzysztof Jurewicz
Modified: 2018-01-17 09:04 UTC (History)
10 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2018-01-17 09:04:59 UTC
Type: Bug

Attachments (Terms of Use)

Description Krzysztof Jurewicz 2018-01-04 12:28:25 UTC
Description of problem:

After updating Firefox, in many cases accessing a site via HTTPS results in NS_ERROR_NET_INADEQUATE_SECURITY. This includes:

• mozilla.org;
• duckduckgo.com;
• fedoraproject.org;
• google.com.

(I presume that at least some of those sites are secure).

Version-Release number of selected component (if applicable): 57.0.1-1.fc27

Steps to Reproduce:
1. Open Firefox.
2. Go to https://google.com.

Actual results:
In Polish:
“Połączenie nie gwarantuje bezpieczeństwa

Strona próbowała wynegocjować niewystarczający poziom zabezpieczeń.

google.com używa przestarzałej i podatnej na ataki technologii bezpieczeństwa. Atakujący mógłby łatwo odszyfrować informacje, które miały być bezpieczne. Administrator strony musi naprawić serwer, zanim będzie można ją odwiedzić.


Expected results:
Google search site should load.

Comment 1 Martin Stransky 2018-01-04 12:33:31 UTC
Kai, any idea here?

Comment 2 Kai Engert (:kaie) (inactive account) 2018-01-04 15:54:03 UTC
Does your network environment have a transparent proxy that downgrades the security of the SSL/TLS traffic?

Comment 3 Krzysztof Jurewicz 2018-01-04 16:29:28 UTC
Likely not. The solution described on https://support.mozilla.org/pl/questions/1197052 (upgrading nss) has solved the issue. I’m not closing the bug though since it suggests a problem with package dependencies.

Comment 4 Kai Engert (:kaie) (inactive account) 2018-01-04 16:44:58 UTC
Firefox didn't pull in the newest nss packages automatically?

Martin, I recommend that you increase the nss dependency every time you rebase firefox to a newer version, we always release a new nss for each new firefox.

Comment 5 Martin Stransky 2018-01-04 16:54:08 UTC
I see. Looks like we don't use the nss/nspr version autodetection due to often failures here and we forget to version up NSS in the FF package. Thanks for the tip. Adding to firefox-57.0.4-1.

Comment 6 Martin Stransky 2018-01-17 09:04:59 UTC
Should be fixed now.

Note You need to log in before you can comment on or make changes to this bug.