Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Bug#561918: client certificate authentication broken

0 views
Skip to first unread message

Christoph Anton Mitterer

unread,
Dec 21, 2009, 4:50:01 AM12/21/09
to
Package: libnss3-1d
Version: 3.12.5-1
Justification: renders package unusable
Severity: grave

Hi.

With the most recent version, client certificate authentication is broken.
An error occurs even before iceweasel, epiphany, etc. ask for the
certificate to select.
downgrading to 3.12.4-1 fixes the problem.


Cheers,
Chris.


-- System Information:
Debian Release: squeeze/sid
APT prefers unstable
APT policy: (500, 'unstable'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 2.6.31-heisenberg (SMP w/2 CPU cores; PREEMPT)
Locale: LANG=en_DE.UTF-8, LC_CTYPE=en_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libnss3-1d depends on:
ii dpkg 1.15.5.4 Debian package management system
ii libc6 2.10.2-2 GNU C Library: Shared libraries
ii libnspr4-0d 4.8.2-1 NetScape Portable Runtime Library
ii libsqlite3-0 3.6.21-2 SQLite 3 shared library

libnss3-1d recommends no packages.

libnss3-1d suggests no packages.

-- no debconf information


----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.


--
To UNSUBSCRIBE, email to debian-bugs...@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listm...@lists.debian.org

Mike Hommey

unread,
Dec 22, 2009, 1:50:02 PM12/22/09
to
On Mon, Dec 21, 2009 at 10:34:09AM +0100, Christoph Anton Mitterer wrote:
> Package: libnss3-1d
> Version: 3.12.5-1
> Justification: renders package unusable
> Severity: grave
>
> Hi.
>
> With the most recent version, client certificate authentication is broken.
> An error occurs even before iceweasel, epiphany, etc. ask for the
> certificate to select.
> downgrading to 3.12.4-1 fixes the problem.

Can you try after setting the NSS_SSL_ENABLE_RENEGOTIATION environment
variable to 1 ? (with nss 3.12.5-1, obviously).

Mike

Christoph Anton Mitterer

unread,
Dec 22, 2009, 6:10:02 PM12/22/09
to
Hi Mike.

On Tue, 2009-12-22 at 19:37 +0100, Mike Hommey wrote:
> Can you try after setting the NSS_SSL_ENABLE_RENEGOTIATION environment
> variable to 1 ? (with nss 3.12.5-1, obviously).

Yes this "fixes" the problem.

Cheers,
Chris.

Mike Hommey

unread,
Dec 22, 2009, 6:10:02 PM12/22/09
to

This just confirms the diagnostic, which is that nss 3.12.5 disabled
renegotiation because of CVE-2009-3555. Now, we need to decide how to
allow client authentication without putting users too much at risk.

Debian Bug Tracking System

unread,
Mar 17, 2010, 6:40:02 PM3/17/10
to
Your message dated Wed, 17 Mar 2010 22:26:02 +0000
with message-id <E1Ns1gg-...@ries.debian.org>
and subject line Bug#561918: fixed in nss 3.12.6-1
has caused the Debian Bug report #561918,
regarding client certificate authentication broken
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


--
561918: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=561918
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

0 new messages