Firefox 56 does not recognise certificate (SHA1)

**corneld** · 12-Oct-2017, 07:07

Hi,
on my Leap 42.2 (for personal reasons I did not switched to 42.3) I wanted to use Firefox latest version, and not the current line of versions ESR that official repositories are offering.
I used the particular repository "Mozilla" (http://download.opensuse.org/reposit...SUSE_Leap_42.2)

Unfortunatelly I was stuck on this error when trying to acces some particular site that uses SSL certifs: "Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT"
Certificate is officially obtained from that site (paid, of course), so it's accurate/trustworthy ... it just uses old SHA1 algorithms (yeah, government owned site, what can I say...)

I can't find a reason why I can't login now, with Firefox 56 (version 56.0.1-1.1).
With older ESR versions from official update repo it worked very well.

Also, version Firefox 56 on a Windows system loads well the same certificate.
Also, again, if I download the version 56 from Mozilla site, and use it on my Leap42.2 system, it loads well the certificate ! (of course, before trying this manoeuvre, I did make a backup of ~/.mozilla folder and started this version as if it were first time ever on my computer).

Is there any explanation why the Firefox 56 from Leap 42.2 repositories refuses to load this certificate (despite it using that old algorithm) ?
It lacks something ?
Or on the contrary, it has something added in the settings that I could revert in order to make it work ?

Thanks

**malcolmlewis** · 12-Oct-2017, 09:48

Hi
I wonder if it's some of the support stuff not switched mozilla-* as in do a zypper dup --from <your moz repo>.

The other option is to go in and manually add the site... Preferences -> Advanced -> Certificates or at least you should see the one your after in there.

**john_hudson** · 12-Oct-2017, 13:50

Nor does Chrome or Edge or Safari or ... see https://en.wikipedia.org/wiki/SHA-1

**corneld** · 13-Oct-2017, 03:21

As far as I can find out myself through a few testing, it definitely seems to be OpenSuse specific issue.

I've tried these:
- moved folder ~/.mozilla to a backup location
- started Firefox as if first run on computer from unzip-ed folder from stock version (downloaded from Mozilla site) -- it works good with that certificate (of course, first I installed it on Firefox)
- started OpenSuse version of Firefox 56 (from repository "Mozilla"), on the same folder .mozilla created by above stock version -- it does not work !
- started again stock version of Firefox 56 -- it does work OK with that certificate !
- started Opensuse 56 after removing the previous .mozilla folder and force it create a new one -- again it's not working !

As far as I can check, specific options related to PKI in about:config look identical between version that do and do not work (either on my computer, and on other computers that do work OK (windows laptops)).

So, it definitely seems to be some other specific setting, probably compiled inside the browser on Opensuse side (?); I can't find any other justification for this.

There are pretty low chances for anyone else to be able to check similar conditions, other than the exact same site where my problem arise, with me sending the specific FILE.p12 certificate file to import into their browser -- and this is not quite feasible.

So I can't do any other thing but revert my Firefox to official line of ESR versions (currently 52.4) (and getting back the .mozilla folder from backup, in order to have back previous addons etc.) .

**corneld** · 13-Oct-2017, 03:28

Originally Posted by malcolmlewis

Hi
I wonder if it's some of the support stuff not switched mozilla-* as in do a zypper dup --from <your moz repo>.

The other option is to go in and manually add the site... Preferences -> Advanced -> Certificates or at least you should see the one your after in there.

Ah, sorry, perhaps I lacked in mentioning some essential thing: the certificate DO install OK in Firefox. I can verify it's serial no, time of validity, emitter etc. So from this point of view, it looks good.
Only it's not recognized on that site when trying to login !
Error given looks exactly as if it's not installed at all.

Anyway, as I already wrote in parallel, in another post, I decided to give up on this for now, and revert and keep using the official ESR version from normal repositories.
Maybe some future will solve this (I even can hope the people from that government site will finally decide to upgrade their crypto algorithms and upgrade to newer ones and it'll work for me too).

**krpan** · 19-Jan-2018, 13:38

Hi:
Same certificates issue with FF57 (from opensuse repository) on Leap 42.3. However, if FF57 is downloaded from Mozilla site all certificates work excellent as they should. By all means, the openSuse is to be blamed.
Strange however, that no description or questions related to similar problems can be found on the net. Even more strange, not a single word from openSuse to explain the issue or suggest a workaround

Regards,
Bojan

**I_A** · 19-Jan-2018, 15:28

Originally Posted by krpan

Hi:
Same certificates issue with FF57 (from opensuse repository) on Leap 42.3. However, if FF57 is downloaded from Mozilla site all certificates work excellent as they should. By all means, the openSuse is to be blamed.
Strange however, that no description or questions related to similar problems can be found on the net. Even more strange, not a single word from openSuse to explain the issue or suggest a workaround

Regards,
Bojan

as far as I can tell you're mixing Firefox packages if you're going to use Firefox 57 from the Mozilla repo you need to do a full vendor change to that repo as it would seam you have mozilla-nss 3.28.6 for esr from the update repo and you should be using mozilla-nss 3.34.1 from the mozilla repo
if you're using thunderbird a full vendor change will replace the one from the update repo with the one from mozilla and unlike firefox they're both at version 52.5.2
the pro's and con's of using extra repo's aside the offical supported version of Firefox for LEAP is 52.5.3 ESR from the update repo not 57.0.4 from the mozilla repo
you could always get a static tar ball from mozilla
https://ftp.mozilla.org/pub/firefox/releases/
in which case you won't need to upgrade the mozilla-nss package

**krpan** · 20-Jan-2018, 03:15

Originally Posted by I_A

as far as I can tell you're mixing Firefox packages if you're going to use Firefox 57 from the Mozilla repo you need to do a full vendor change to that repo as it would seam you have mozilla-nss 3.28.6 for esr from the update repo and you should be using mozilla-nss 3.34.1 from the mozilla repo
if you're using thunderbird a full vendor change will replace the one from the update repo with the one from mozilla and unlike firefox they're both at version 52.5.2
the pro's and con's of using extra repo's aside the offical supported version of Firefox for LEAP is 52.5.3 ESR from the update repo not 57.0.4 from the mozilla repo
you could always get a static tar ball from mozilla
https://ftp.mozilla.org/pub/firefox/releases/
in which case you won't need to upgrade the mozilla-nss package

Well, here is the output on my notebook regarding nss:
:~> rpm -q mozilla-nss
mozilla-nss-3.34.1-1.1.x86_64
:~> rpm -q MozillaFirefox
MozillaFirefox-57.0.4-1.1.x86_64
:~> rpm -q MozillaThunderbird
MozillaThunderbird-52.5.2-53.1.x86_64

So where is the problem.

**I_A** · 20-Jan-2018, 12:33

as I don't have access to your machine I was guessing
you should do a full vendor change to the mozilla repo before troubleshooting Firefox 57, what's your repo list

Code:

zypper lr -d

**krpan** · 21-Jan-2018, 01:35

Originally Posted by I_A

as I don't have access to your machine I was guessing
you should do a full vendor change to the mozilla repo before troubleshooting Firefox 57, what's your repo list

Code:

zypper lr -d

zypper lr -d produces the following output:

1 | Fonts | Fonts | No | ---- | ---- | 99 | rpm-md | http://download.opensuse.org/reposit...USE_Leap_42.3/ |
2 | Frameworks5_1 | Frameworks5 | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/reposit...USE_Leap_42.3/ |
3 | KDE_Applications | KDE Applications | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/reposit...USE_Leap_42.3/ |
4 | KDE_Extra | KDE Extra | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/reposit...USE_Leap_42.3/ |
5 | Mozilla | Mozilla | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/reposit...USE_Leap_42.3/ |
6 | Publishing | Publishing | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/reposit...USE_Leap_42.3/ |
7 | Qt_5 | Qt 5 | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/reposit...USE_Leap_42.3/ |
8 | Science | Science | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/reposit...USE_Leap_42.3/ |
9 | VLC | VLC | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.videolan.org/pub/vlc/SuSE/Leap_42.3/ |
10 | download.nvidia.com-leap | nVidia Graphics Drivers | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.nvidia.com/opensuse/leap/42.3 |
11 | download.opensuse.org-non-oss | Main Repository (NON-OSS) | Yes | (r ) Yes | Yes | 99 | yast2 | http://download.opensuse.org/distrib.../repo/non-oss/ |
12 | download.opensuse.org-non-oss_1 | Update Repository (Non-Oss) | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/update/leap/42.3/non-oss/ |
13 | download.opensuse.org-oss | Main Repository (OSS) | Yes | (r ) Yes | Yes | 99 | yast2 | http://download.opensuse.org/distrib...42.3/repo/oss/ |
14 | download.opensuse.org-oss_1 | Main Update Repository | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/update/leap/42.3/oss |
15 | http-download.opensuse.org-82ec01c9 | Application:Geo | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/reposit...USE_Leap_42.3/ |
16 | http-download.opensuse.org-946e51e6 | openSUSE:Leap:42.3:Update | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/update/leap/42.3/oss/ |
17 | http-download.opensuse.org-a905d3e3 | graphics | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/reposit...USE_Leap_42.3/ |
18 | http-download.opensuse.org-e3b1f413 | Education | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/reposit...USE_Leap_42.3/ |
19 | http-opensuse-guide.org-06febf05 | libdvdcss repository | Yes | (r ) Yes | Yes | 99 | rpm-md | http://opensuse-guide.org/repo/openSUSE_Leap_42.3/ |
20 | openSUSE-42.3-0 | openSUSE-42.3-0 | No | ---- | ---- | 99 | yast2 | hd:///?device=/dev/disk/by-id/usb-_Patriot_Memory_07A71501AE6B283E-0:0-part2 |
21 | packman.inode.at-suse | Packman_Repository | Yes | (r ) Yes | Yes | 99 | rpm-md | http://packman.inode.at/suse/openSUSE_Leap_42.3/ |
22 | proxsign | SETCCE proXSign® Component Suite for (openSUSE_Leap_42.3) | Yes | (r ) Yes | No | 99 | rpm-md | http://public.setcce.si/proxsign/rep...USE_Leap_42.3/ |
23 | repo-debug | openSUSE-Leap-42.3-Debug | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/debug/d...42.3/repo/oss/ |
24 | repo-debug-non-oss | openSUSE-Leap-42.3-Debug-Non-Oss | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/debug/d.../repo/non-oss/ |
25 | repo-debug-update | openSUSE-Leap-42.3-Update-Debug | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/debug/u...leap/42.3/oss/ |
26 | repo-debug-update-non-oss | openSUSE-Leap-42.3-Update-Debug-Non-Oss | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/debug/u.../42.3/non-oss/ |
27 | repo-source | openSUSE-Leap-42.3-Source | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/source/...42.3/repo/oss/ |
28 | repo-source-non-oss | openSUSE-Leap-42.3-Source-Non-Oss | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/source/.../repo/non-oss/