
Thread: Firefox 56 does not recognise certificate (SHA1)

  1. #1
    Join Date: Nov 2009; Location: Bucharest, Romania; Posts: 77

    Firefox 56 does not recognise certificate (SHA1)

    Hi,
    on my Leap 42.2 (for personal reasons I did not switch to 42.3) I wanted to use Firefox latest version, and not the current line of versions ESR that official repositories are offering.
    I used the particular repository "Mozilla" (http://download.opensuse.org/reposit...SUSE_Leap_42.2)

    Unfortunately I was stuck on this error when trying to access some particular site that uses SSL certifs: "Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT"
    Certificate is officially obtained from that site (paid, of course), so it's accurate/trustworthy ... it just uses old SHA1 algorithms (yeah, government owned site, what can I say...)

    I can't find a reason why I can't login now, with Firefox 56 (version 56.0.1-1.1).
    With older ESR versions from official update repo it worked very well.

    Also, version Firefox 56 on a Windows system loads well the same certificate.
    Also, again, if I download the version 56 from Mozilla site, and use it on my Leap42.2 system, it loads well the certificate ! (of course, before trying this manoeuvre, I did make a backup of ~/.mozilla folder and started this version as if it were first time ever on my computer).

    Is there any explanation why the Firefox 56 from Leap 42.2 repositories refuses to load this certificate (despite it using that old algorithm) ?
    It lacks something ?
    Or on the contrary, it has something added in the settings that I could revert in order to make it work ?

    Thanks
    Linux user #179833

  2. #2
    Join Date: Jun 2008; Location: Podunk; Posts: 27,239; Blog Entries: 15

    Re: Firefox 56 does not recognise certificate (SHA1)

    Hi
    I wonder if it's some of the support stuff not switched mozilla-* as in do a zypper dup --from <your moz repo>.

    The other option is to go in and manually add the site... Preferences -> Advanced -> Certificates or at least you should see the one you're after in there.
    Cheers Malcolm °¿° SUSE Knowledge Partner (Linux Counter #276890)
    SUSE SLE, openSUSE Leap/Tumbleweed (x86_64) | GNOME DE

  3. #3
    Join Date: Jun 2008; Location: West Yorkshire, UK; Posts: 3,454

    Re: Firefox 56 does not recognise certificate (SHA1)

    Nor does Chrome or Edge or Safari or ... see https://en.wikipedia.org/wiki/SHA-1

  4. #4
    Join Date: Nov 2009; Location: Bucharest, Romania; Posts: 77

    Re: Firefox 56 does not recognise certificate (SHA1)

    As far as I can find out myself through a few tests, it definitely seems to be an OpenSuse-specific issue.

    I've tried these:
    - moved folder ~/.mozilla to a backup location
    - started Firefox as if first run on computer from unzipped folder from stock version (downloaded from Mozilla site) -- it works good with that certificate (of course, first I installed it on Firefox)
    - started OpenSuse version of Firefox 56 (from repository "Mozilla"), on the same folder .mozilla created by above stock version -- it does not work !
    - started again stock version of Firefox 56 -- it does work OK with that certificate !
    - started Opensuse 56 after removing the previous .mozilla folder and force it create a new one -- again it's not working !

    As far as I can check, specific options related to PKI in about:config look identical between versions that do and do not work (either on my computer, and on other computers that do work OK (windows laptops)).

    So, it definitely seems to be some other specific setting, probably compiled inside the browser on Opensuse side (?); I can't find any other justification for this.

    There are pretty low chances for anyone else to be able to check similar conditions, other than the exact same site where my problem arises, with me sending the specific FILE.p12 certificate file to import into their browser -- and this is not quite feasible.

    So I can't do any other thing but revert my Firefox to official line of ESR versions (currently 52.4) (and getting back the .mozilla folder from backup, in order to have back previous addons etc.) .
    Linux user #179833

  5. #5
    Join Date: Nov 2009; Location: Bucharest, Romania; Posts: 77

    Re: Firefox 56 does not recognise certificate (SHA1)

    Quote (originally posted by malcolmlewis):
        Hi
        I wonder if it's some of the support stuff not switched mozilla-* as in do a zypper dup --from <your moz repo>.

        The other option is to go in and manually add the site... Preferences -> Advanced -> Certificates or at least you should see the one you're after in there.

    Ah, sorry, perhaps I lacked in mentioning some essential thing: the certificate DOES install OK in Firefox. I can verify its serial no, time of validity, emitter etc. So from this point of view, it looks good.
    Only it's not recognized on that site when trying to login !
    Error given looks exactly as if it's not installed at all.

    Anyway, as I already wrote in parallel, in another post, I decided to give up on this for now, and revert and keep using the official ESR version from normal repositories.
    Maybe some future will solve this (I even can hope the people from that government site will finally decide to upgrade their crypto algorithms and upgrade to newer ones and it'll work for me too).
    Linux user #179833

  6. #6

    Re: Firefox 56 does not recognise certificate (SHA1)

    Hi:
    Same certificates issue with FF57 (from opensuse repository) on Leap 42.3. However, if FF57 is downloaded from Mozilla site all certificates work excellent as they should. By all means, the openSuse is to be blamed.
    Strange however, that no description or questions related to similar problems can be found on the net. Even more strange, not a single word from openSuse to explain the issue or suggest a workaround.

    Regards,
    Bojan

  7. #7
    Join Date: Sep 2008; Posts: 2,997

    Re: Firefox 56 does not recognise certificate (SHA1)

    Quote (originally posted by krpan):
        Hi:
        Same certificates issue with FF57 (from opensuse repository) on Leap 42.3. However, if FF57 is downloaded from Mozilla site all certificates work excellent as they should. By all means, the openSuse is to be blamed.
        Strange however, that no description or questions related to similar problems can be found on the net. Even more strange, not a single word from openSuse to explain the issue or suggest a workaround.

        Regards,
        Bojan

    As far as I can tell, you're mixing Firefox packages. If you're going to use Firefox 57 from the Mozilla repo, you need to do a full vendor change to that repo, as it would seem you have mozilla-nss 3.28.6 for ESR from the update repo and you should be using mozilla-nss 3.34.1 from the Mozilla repo.
    If you're using Thunderbird, a full vendor change will replace the one from the update repo with the one from Mozilla, and unlike Firefox they're both at version 52.5.2.
    The pros and cons of using extra repos aside, the officially supported version of Firefox for LEAP is 52.5.3 ESR from the update repo, not 57.0.4 from the Mozilla repo.
    You could always get a static tarball from Mozilla
    https://ftp.mozilla.org/pub/firefox/releases/
    in which case you won't need to upgrade the mozilla-nss package.
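
Added example (not part of the post above, and not openSUSE or Mozilla tooling): a shell check for the mixed-package condition this post describes, where MozillaFirefox and mozilla-nss come from different vendors. The function names and the vendor strings in the sample data are constructed for illustration; the versions are the ones quoted in the thread.

```shell
#!/bin/sh
# Added example: flag Mozilla packages that were installed from different vendors.
# Function names and sample vendor strings are illustrative assumptions.

MOZ_PKGS="MozillaFirefox mozilla-nss"   # package names as shown in the thread

# Live query: one "name<TAB>version<TAB>vendor" line per installed package.
query_installed() {
    rpm -q --qf '%{NAME}\t%{VERSION}\t%{VENDOR}\n' $MOZ_PKGS
}

# Constructed samples (versions from the thread, vendor strings assumed).
sample_mixed() {
    printf 'MozillaFirefox\t57.0.4\tobs://build.opensuse.org/mozilla\n'
    printf 'mozilla-nss\t3.28.6\topenSUSE\n'
}
sample_clean() {
    printf 'MozillaFirefox\t57.0.4\tobs://build.opensuse.org/mozilla\n'
    printf 'mozilla-nss\t3.34.1\tobs://build.opensuse.org/mozilla\n'
}

# Reads tab-separated lines on stdin and groups packages by vendor.
# Returns 0 with one OK line if a single vendor is present,
# returns 1 with one MIXED line per vendor otherwise.
check_vendor_mix() {
    awk -F '\t' '
        NF == 3 {
            if (!($3 in pkgs)) n++
            pkgs[$3] = pkgs[$3] " " $1 "-" $2
        }
        END {
            tag = (n > 1) ? "MIXED" : "OK"
            for (v in pkgs) printf "%s vendor=%s:%s\n", tag, v, pkgs[v]
            exit (n > 1)
        }'
}

# Use the RPM database when Firefox is installed via rpm, else the sample.
if command -v rpm >/dev/null 2>&1 && rpm -q MozillaFirefox >/dev/null 2>&1; then
    src=query_installed
else
    src=sample_mixed
fi
if ! $src | check_vendor_mix; then
    echo "Mixed vendors: consider zypper dup --from <your moz repo>"
fi
```

A MIXED result means the browser and its TLS library (NSS) were built in different repositories, which is the state a full vendor change removes.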

  8. #8

    Re: Firefox 56 does not recognise certificate (SHA1)

    Quote (originally posted by I_A):
        As far as I can tell, you're mixing Firefox packages. If you're going to use Firefox 57 from the Mozilla repo, you need to do a full vendor change to that repo, as it would seem you have mozilla-nss 3.28.6 for ESR from the update repo and you should be using mozilla-nss 3.34.1 from the Mozilla repo.
        If you're using Thunderbird, a full vendor change will replace the one from the update repo with the one from Mozilla, and unlike Firefox they're both at version 52.5.2.
        The pros and cons of using extra repos aside, the officially supported version of Firefox for LEAP is 52.5.3 ESR from the update repo, not 57.0.4 from the Mozilla repo.
        You could always get a static tarball from Mozilla
        https://ftp.mozilla.org/pub/firefox/releases/
        in which case you won't need to upgrade the mozilla-nss package.

    Well, here is the output on my notebook regarding nss:
    Code:
    :~> rpm -q mozilla-nss
    mozilla-nss-3.34.1-1.1.x86_64
    :~> rpm -q MozillaFirefox
    MozillaFirefox-57.0.4-1.1.x86_64
    :~> rpm -q MozillaThunderbird
    MozillaThunderbird-52.5.2-53.1.x86_64

    So where is the problem?

  9. #9
    Join Date: Sep 2008; Posts: 2,997

    Re: Firefox 56 does not recognise certificate (SHA1)

    As I don't have access to your machine, I was guessing.
    You should do a full vendor change to the Mozilla repo before troubleshooting Firefox 57. What's your repo list?
    Code:
    zypper lr -d

  10. #10

    Re: Firefox 56 does not recognise certificate (SHA1)

    Quote (originally posted by I_A):
        As I don't have access to your machine, I was guessing.
        You should do a full vendor change to the Mozilla repo before troubleshooting Firefox 57. What's your repo list?
        Code:
        zypper lr -d

    zypper lr -d produces the following output:
    Code:
    1 | Fonts | Fonts | No | ---- | ---- | 99 | rpm-md | http://download.opensuse.org/reposit...USE_Leap_42.3/ |
    2 | Frameworks5_1 | Frameworks5 | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/reposit...USE_Leap_42.3/ |
    3 | KDE_Applications | KDE Applications | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/reposit...USE_Leap_42.3/ |
    4 | KDE_Extra | KDE Extra | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/reposit...USE_Leap_42.3/ |
    5 | Mozilla | Mozilla | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/reposit...USE_Leap_42.3/ |
    6 | Publishing | Publishing | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/reposit...USE_Leap_42.3/ |
    7 | Qt_5 | Qt 5 | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/reposit...USE_Leap_42.3/ |
    8 | Science | Science | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/reposit...USE_Leap_42.3/ |
    9 | VLC | VLC | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.videolan.org/pub/vlc/SuSE/Leap_42.3/ |
    10 | download.nvidia.com-leap | nVidia Graphics Drivers | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.nvidia.com/opensuse/leap/42.3 |
    11 | download.opensuse.org-non-oss | Main Repository (NON-OSS) | Yes | (r ) Yes | Yes | 99 | yast2 | http://download.opensuse.org/distrib.../repo/non-oss/ |
    12 | download.opensuse.org-non-oss_1 | Update Repository (Non-Oss) | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/update/leap/42.3/non-oss/ |
    13 | download.opensuse.org-oss | Main Repository (OSS) | Yes | (r ) Yes | Yes | 99 | yast2 | http://download.opensuse.org/distrib...42.3/repo/oss/ |
    14 | download.opensuse.org-oss_1 | Main Update Repository | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/update/leap/42.3/oss |
    15 | http-download.opensuse.org-82ec01c9 | Application:Geo | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/reposit...USE_Leap_42.3/ |
    16 | http-download.opensuse.org-946e51e6 | openSUSE:Leap:42.3:Update | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/update/leap/42.3/oss/ |
    17 | http-download.opensuse.org-a905d3e3 | graphics | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/reposit...USE_Leap_42.3/ |
    18 | http-download.opensuse.org-e3b1f413 | Education | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/reposit...USE_Leap_42.3/ |
    19 | http-opensuse-guide.org-06febf05 | libdvdcss repository | Yes | (r ) Yes | Yes | 99 | rpm-md | http://opensuse-guide.org/repo/openSUSE_Leap_42.3/ |
    20 | openSUSE-42.3-0 | openSUSE-42.3-0 | No | ---- | ---- | 99 | yast2 | hd:///?device=/dev/disk/by-id/usb-_Patriot_Memory_07A71501AE6B283E-0:0-part2 |
    21 | packman.inode.at-suse | Packman_Repository | Yes | (r ) Yes | Yes | 99 | rpm-md | http://packman.inode.at/suse/openSUSE_Leap_42.3/ |
    22 | proxsign | SETCCE proXSign® Component Suite for (openSUSE_Leap_42.3) | Yes | (r ) Yes | No | 99 | rpm-md | http://public.setcce.si/proxsign/rep...USE_Leap_42.3/ |
    23 | repo-debug | openSUSE-Leap-42.3-Debug | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/debug/d...42.3/repo/oss/ |
    24 | repo-debug-non-oss | openSUSE-Leap-42.3-Debug-Non-Oss | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/debug/d.../repo/non-oss/ |
    25 | repo-debug-update | openSUSE-Leap-42.3-Update-Debug | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/debug/u...leap/42.3/oss/ |
    26 | repo-debug-update-non-oss | openSUSE-Leap-42.3-Update-Debug-Non-Oss | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/debug/u.../42.3/non-oss/ |
    27 | repo-source | openSUSE-Leap-42.3-Source | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/source/...42.3/repo/oss/ |
    28 | repo-source-non-oss | openSUSE-Leap-42.3-Source-Non-Oss | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/source/.../repo/non-oss/
