Hi,
on my Leap 42.2 (for personal reasons I did not switched to 42.3) I wanted to use Firefox latest version, and not the current line of versions ESR that official repositories are offering.
I used the particular repository “Mozilla” (http://download.opensuse.org/repositories/mozilla/openSUSE_Leap_42.2)
Unfortunatelly I was stuck on this error when trying to acces some particular site that uses SSL certifs: “Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT”
Certificate is officially obtained from that site (paid, of course), so it’s accurate/trustworthy … it just uses old SHA1 algorithms (yeah, government owned site, what can I say…)
I can’t find a reason why I can’t login now, with Firefox 56 (version 56.0.1-1.1).
With older ESR versions from official update repo it worked very well.
Also, version Firefox 56 on a Windows system loads well the same certificate.
Also, again, if I download the version 56 from Mozilla site, and use it on my Leap42.2 system, it loads well the certificate ! (of course, before trying this manoeuvre, I did make a backup of ~/.mozilla folder and started this version as if it were first time ever on my computer).
Is there any explanation why the Firefox 56 from Leap 42.2 repositories refuses to load this certificate (despite it using that old algorithm) ?
It lacks something ?
Or on the contrary, it has something added in the settings that I could revert in order to make it work ?
As far as I can find out myself through a few testing, it definitely seems to be OpenSuse specific issue.
I’ve tried these:
moved folder ~/.mozilla to a backup location
started Firefox as if first run on computer from unzip-ed folder from stock version (downloaded from Mozilla site) – it works good with that certificate (of course, first I installed it on Firefox)
started OpenSuse version of Firefox 56 (from repository “Mozilla”), on the same folder .mozilla created by above stock version – it does not work !
started again stock version of Firefox 56 – it does work OK with that certificate !
started Opensuse 56 after removing the previous .mozilla folder and force it create a new one – again it’s not working !
As far as I can check, specific options related to PKI in about:config look identical between version that do and do not work (either on my computer, and on other computers that do work OK (windows laptops)).
So, it definitely seems to be some other specific setting, probably compiled inside the browser on Opensuse side (?); I can’t find any other justification for this.
There are pretty low chances for anyone else to be able to check similar conditions, other than the exact same site where my problem arise, with me sending the specific FILE.p12 certificate file to import into their browser – and this is not quite feasible.
So I can’t do any other thing but revert my Firefox to official line of ESR versions (currently 52.4) (and getting back the .mozilla folder from backup, in order to have back previous addons etc.) .
Ah, sorry, perhaps I lacked in mentioning some essential thing: the certificate DO install OK in Firefox. I can verify it’s serial no, time of validity, emitter etc. So from this point of view, it looks good.
Only it’s not recognized on that site when trying to login !
Error given looks exactly as if it’s not installed at all.
Anyway, as I already wrote in parallel, in another post, I decided to give up on this for now, and revert and keep using the official ESR version from normal repositories.
Maybe some future will solve this (I even can hope the people from that government site will finally decide to upgrade their crypto algorithms and upgrade to newer ones and it’ll work for me too).
Hi:
Same certificates issue with FF57 (from opensuse repository) on Leap 42.3. However, if FF57 is downloaded from Mozilla site all certificates work excellent as they should. By all means, the openSuse is to be blamed.
Strange however, that no description or questions related to similar problems can be found on the net. Even more strange, not a single word from openSuse to explain the issue or suggest a workaround
as far as I can tell you’re mixing Firefox packages if you’re going to use Firefox 57 from the Mozilla repo you need to do a full vendor change to that repo as it would seam you have mozilla-nss 3.28.6 for esr from the update repo and you should be using mozilla-nss 3.34.1 from the mozilla repo
if you’re using thunderbird a full vendor change will replace the one from the update repo with the one from mozilla and unlike firefox they’re both at version 52.5.2
the pro’s and con’s of using extra repo’s aside the offical supported version of Firefox for LEAP is 52.5.3 ESR from the update repo not 57.0.4 from the mozilla repo
you could always get a static tar ball from mozilla https://ftp.mozilla.org/pub/firefox/releases/
in which case you won’t need to upgrade the mozilla-nss package
Well, here is the output on my notebook regarding nss:
:~> rpm -q mozilla-nss
mozilla-nss-3.34.1-1.1.x86_64
:~> rpm -q MozillaFirefox
MozillaFirefox-57.0.4-1.1.x86_64
:~> rpm -q MozillaThunderbird
MozillaThunderbird-52.5.2-53.1.x86_64
as I don’t have access to your machine I was guessing
you should do a full vendor change to the mozilla repo before troubleshooting Firefox 57, what’s your repo list
you should remove the vlc repo as it’s known to conflict with packman, the vlc from the packman is build from the same source and is the same, as you have the vlc repo I’m guessing you haven’t done a full vendor change to packman either you should also do
could you tell us which sites this happens with as I use Firefox 57 from the mozilla repo on 42.3 and have never had that issue
about thunderbird it has the same version the build number is not the version number
the update repo has MozillaThunderbird-52.5.2-53.1
the mozilla repo has MozillaThunderbird-52.5.2-1.2
the 53.1 and 1.2 respectfully are the build numbers it represents how many times the package has been rebuild usually because of changed dependencies
I’m currently on windows and this does not look like a firefox issue I get
401 - UnathorizedClient certificate required.
under both Firefox 58 and IE you need to have a certificate issued by them (ZAVOD ZA POKOJNINSKO IN INVALIDSKO ZAVAROVANJE SLOVENIJE) installed prior to accessing their site you should email them as there is no way to access their site without their OK
I thought the same at first. But when I DL-ed FF57 (or FF58) directly from Mozilla site everything worked fine. I cold access all sites and the certificate has been requested by FF by opening a window to select certificate. This works greta both in Windows and Leap 42.X
I’m still on windows and here’s a screenshot of what I get when Firefox tries to access that site https://imgur.com/a/xTNgy
I see no way to get a certificate maybe it’s an geolocation/ip thing as I’m not in Slovenia that option may not be available to me, check and see if geolocation is enabled in your firefox and try again
if it works with firefox from https://ftp.mozilla.org/pub/firefox/releases/ but not from Firefox from the mozilla opensuse repo open a bug report so it gets fixed as they both use the same profile the geolocation option should be the same for both https://bugzilla.opensuse.org/