Firefox 56 does not recognise certificate (SHA1)

Hi,
on my Leap 42.2 (for personal reasons I did not switch to 42.3) I wanted to use the latest version of Firefox, and not the current line of ESR versions that the official repositories are offering.
I used the particular repository “Mozilla” (http://download.opensuse.org/repositories/mozilla/openSUSE_Leap_42.2)

Unfortunately I was stuck on this error when trying to access some particular site that uses SSL certificates: “Error code: SSL_ERROR_HANDSHAKE_FAILURE_ALERT”
Certificate is officially obtained from that site (paid, of course), so it’s accurate/trustworthy … it just uses old SHA1 algorithms (yeah, government owned site, what can I say…)

I can’t find a reason why I can’t login now, with Firefox 56 (version 56.0.1-1.1).
With older ESR versions from official update repo it worked very well.

Also, version Firefox 56 on a Windows system loads well the same certificate.
Also, again, if I download the version 56 from Mozilla site, and use it on my Leap42.2 system, it loads well the certificate ! (of course, before trying this manoeuvre, I did make a backup of ~/.mozilla folder and started this version as if it were first time ever on my computer).

Is there any explanation why the Firefox 56 from Leap 42.2 repositories refuses to load this certificate (despite it using that old algorithm) ?
It lacks something ?
Or on the contrary, it has something added in the settings that I could revert in order to make it work ?

Thanks

Hi
I wonder if it’s some of the support stuff not switched mozilla-* as in do a zypper dup --from <your moz repo>.

The other option is to go in and manually add the site… Preferences → Advanced → Certificates or at least you should see the one you’re after in there.

Nor does Chrome or Edge or Safari or … see https://en.wikipedia.org/wiki/SHA-1

As far as I can find out myself through a few tests, it definitely seems to be an openSUSE-specific issue.

I’ve tried these:

  • moved folder ~/.mozilla to a backup location
  • started Firefox as if first run on computer from unzip-ed folder from stock version (downloaded from Mozilla site) – it works good with that certificate (of course, first I installed it on Firefox)
  • started OpenSuse version of Firefox 56 (from repository “Mozilla”), on the same folder .mozilla created by above stock version – it does not work !
  • started again stock version of Firefox 56 – it does work OK with that certificate !
  • started Opensuse 56 after removing the previous .mozilla folder and force it create a new one – again it’s not working !

As far as I can check, specific options related to PKI in about:config look identical between versions that do and do not work (both on my computer and on other computers that do work OK (Windows laptops)).

So, it definitely seems to be some other specific setting, probably compiled inside the browser on Opensuse side (?); I can’t find any other justification for this.

There are pretty low chances for anyone else to be able to check similar conditions, other than the exact same site where my problem arises, with me sending the specific FILE.p12 certificate file to import into their browser – and this is not quite feasible.

So I can’t do any other thing but revert my Firefox to official line of ESR versions (currently 52.4) (and getting back the .mozilla folder from backup, in order to have back previous addons etc.) .

Ah, sorry, perhaps I failed to mention an essential thing: the certificate DOES install OK in Firefox. I can verify its serial no., time of validity, emitter etc. So from this point of view, it looks good.
Only it’s not recognized on that site when trying to login !
Error given looks exactly as if it’s not installed at all.

Anyway, as I already wrote in parallel, in another post, I decided to give up on this for now, and revert and keep using the official ESR version from normal repositories.
Maybe some future will solve this (I even can hope the people from that government site will finally decide to upgrade their crypto algorithms and upgrade to newer ones and it’ll work for me too).

Hi:
Same certificates issue with FF57 (from opensuse repository) on Leap 42.3. However, if FF57 is downloaded from Mozilla site all certificates work excellent as they should. By all means, the openSuse is to be blamed.
Strange however, that no description or questions related to similar problems can be found on the net. Even more strange, not a single word from openSuse to explain the issue or suggest a workaround

Regards,
Bojan

As far as I can tell you’re mixing Firefox packages. If you’re going to use Firefox 57 from the Mozilla repo you need to do a full vendor change to that repo, as it would seem you have mozilla-nss 3.28.6 for ESR from the update repo and you should be using mozilla-nss 3.34.1 from the mozilla repo.
If you’re using Thunderbird, a full vendor change will replace the one from the update repo with the one from mozilla, and unlike Firefox they’re both at version 52.5.2.
The pros and cons of using extra repos aside, the official supported version of Firefox for Leap is 52.5.3 ESR from the update repo, not 57.0.4 from the mozilla repo.
You could always get a static tarball from Mozilla
https://ftp.mozilla.org/pub/firefox/releases/
in which case you won’t need to upgrade the mozilla-nss package.
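The mixed-vendor situation described in the post above can be checked mechanically. This is an added example, not part of the thread: the function and sample names are hypothetical, the versions are the ones quoted in the post, and the vendor strings in the sample are assumed values.

```shell
#!/bin/sh
# Added example (not from the thread). Reads tab-separated lines
#   name<TAB>version<TAB>vendor
# and reports whether the Firefox/Thunderbird/NSS packages come from more
# than one vendor, i.e. whether the vendor change is incomplete.
# On a live system feed it with:
#   rpm -qa --qf '%{NAME}\t%{VERSION}\t%{VENDOR}\n' | check_mozilla_vendors
check_mozilla_vendors() {
    awk -F '\t' '
        # Packages that have to move together when switching repositories.
        $1 ~ /^(MozillaFirefox|MozillaThunderbird|mozilla-nss|mozilla-nspr|libfreebl3|libsoftokn3)/ {
            if (!($3 in seen)) { seen[$3] = 1; nvend++ }
            rows[++n] = sprintf("%-20s %-10s %s", $1, $2, $3)
        }
        END {
            for (i = 1; i <= n; i++) print rows[i]
            if (nvend > 1) { print "MIXED: " nvend " vendors"; exit 1 }
            if (n > 0) print "OK: single vendor"
            exit 0
        }
    '
}

# Constructed sample: Firefox from the mozilla repo, NSS still from the
# update repo. Vendor strings are assumptions for illustration.
sample_mixed() {
    printf 'MozillaFirefox\t57.0.4\tobs://build.opensuse.org/mozilla\n'
    printf 'mozilla-nss\t3.28.6\topenSUSE\n'
    printf 'kernel-default\t4.4.0\topenSUSE\n'
}

# Constructed sample: both packages switched to the same vendor.
sample_clean() {
    printf 'MozillaFirefox\t57.0.4\tobs://build.opensuse.org/mozilla\n'
    printf 'mozilla-nss\t3.34.1\tobs://build.opensuse.org/mozilla\n'
}

# Demonstration on the constructed mixed sample (exit status 1 is expected).
sample_mixed | check_mozilla_vendors || true
```

A non-zero exit status means at least two vendors supply the listed packages, which is the state a `zypper dup --from <repo>` is meant to clear.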

Well, here is the output on my notebook regarding nss:
:~> rpm -q mozilla-nss
mozilla-nss-3.34.1-1.1.x86_64
:~> rpm -q MozillaFirefox
MozillaFirefox-57.0.4-1.1.x86_64
:~> rpm -q MozillaThunderbird
MozillaThunderbird-52.5.2-53.1.x86_64

So where is the problem?

As I don’t have access to your machine I was guessing.
You should do a full vendor change to the mozilla repo before troubleshooting Firefox 57. What’s your repo list?

zypper lr -d

zypper lr -d produces the following output:

1 | Fonts | Fonts | No | ---- | ---- | 99 | rpm-md | http://download.opensuse.org/repositories/M17N:/fonts/openSUSE_Leap_42.3/ |
2 | Frameworks5_1 | Frameworks5 | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/repositories/KDE:/Frameworks5/openSUSE_Leap_42.3/ |
3 | KDE_Applications | KDE Applications | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/repositories/KDE:/Applications/KDE_Frameworks5_openSUSE_Leap_42.3/ |
4 | KDE_Extra | KDE Extra | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/repositories/KDE:/Extra/openSUSE_Leap_42.3/ |
5 | Mozilla | Mozilla | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/repositories/mozilla/openSUSE_Leap_42.3/ |
6 | Publishing | Publishing | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/repositories/Publishing/openSUSE_Leap_42.3/ |
7 | Qt_5 | Qt 5 | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/repositories/KDE:/Qt5/openSUSE_Leap_42.3/ |
8 | Science | Science | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/repositories/science/openSUSE_Leap_42.3/ |
9 | VLC | VLC | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.videolan.org/pub/vlc/SuSE/Leap_42.3/ |
10 | download.nvidia.com-leap | nVidia Graphics Drivers | Yes | (r ) Yes | Yes | 99 | rpm-md | Index of /opensuse/leap/42.3 |
11 | download.opensuse.org-non-oss | Main Repository (NON-OSS) | Yes | (r ) Yes | Yes | 99 | yast2 | http://download.opensuse.org/distribution/leap/42.3/repo/non-oss/ |
12 | download.opensuse.org-non-oss_1 | Update Repository (Non-Oss) | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/update/leap/42.3/non-oss/ |
13 | download.opensuse.org-oss | Main Repository (OSS) | Yes | (r ) Yes | Yes | 99 | yast2 | http://download.opensuse.org/distribution/leap/42.3/repo/oss/ |
14 | download.opensuse.org-oss_1 | Main Update Repository | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/update/leap/42.3/oss |
15 | http-download.opensuse.org-82ec01c9 | Application:Geo | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/repositories/Application:/Geo/openSUSE_Leap_42.3/ |
16 | http-download.opensuse.org-946e51e6 | openSUSE:Leap:42.3:Update | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/update/leap/42.3/oss/ |
17 | http-download.opensuse.org-a905d3e3 | graphics | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/repositories/graphics/openSUSE_Leap_42.3/ |
18 | http-download.opensuse.org-e3b1f413 | Education | Yes | (r ) Yes | Yes | 99 | rpm-md | http://download.opensuse.org/repositories/Education/openSUSE_Leap_42.3/ |
19 | http-opensuse-guide.org-06febf05 | libdvdcss repository | Yes | (r ) Yes | Yes | 99 | rpm-md | http://opensuse-guide.org/repo/openSUSE_Leap_42.3/ |
20 | openSUSE-42.3-0 | openSUSE-42.3-0 | No | ---- | ---- | 99 | yast2 | hd:///?device=/dev/disk/by-id/usb-_Patriot_Memory_07A71501AE6B283E-0:0-part2 |
21 | packman.inode.at-suse | Packman_Repository | Yes | (r ) Yes | Yes | 99 | rpm-md | http://packman.inode.at/suse/openSUSE_Leap_42.3/ |
22 | proxsign | SETCCE proXSign® Component Suite for (openSUSE_Leap_42.3) | Yes | (r ) Yes | No | 99 | rpm-md | http://public.setcce.si/proxsign/repo/openSUSE_Leap_42.3/ |
23 | repo-debug | openSUSE-Leap-42.3-Debug | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/debug/distribution/leap/42.3/repo/oss/ |
24 | repo-debug-non-oss | openSUSE-Leap-42.3-Debug-Non-Oss | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/debug/distribution/leap/42.3/repo/non-oss/ |
25 | repo-debug-update | openSUSE-Leap-42.3-Update-Debug | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/debug/update/leap/42.3/oss/ |
26 | repo-debug-update-non-oss | openSUSE-Leap-42.3-Update-Debug-Non-Oss | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/debug/update/leap/42.3/non-oss/ |
27 | repo-source | openSUSE-Leap-42.3-Source | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/source/distribution/leap/42.3/repo/oss/ |
28 | repo-source-non-oss | openSUSE-Leap-42.3-Source-Non-Oss | No | ---- | ---- | 99 | NONE | http://download.opensuse.org/source/distribution/leap/42.3/repo/non-oss/

do

zypper dup --from 5

You should remove the VLC repo as it’s known to conflict with Packman; the vlc from Packman is built from the same source and is the same. As you have the VLC repo I’m guessing you haven’t done a full vendor change to Packman either. You should also do

zypper dup --from 21

you can do the above with the same command

zypper dup --from 5 --from 21

Thank you. I followed your instructions. Thunderbird has been downgraded, however, the problem with FF57 and not recognized certificates remains.

Could you tell us which sites this happens with? I use Firefox 57 from the mozilla repo on 42.3 and have never had that issue.
About Thunderbird: it has the same version, the build number is not the version number.
The update repo has MozillaThunderbird-52.5.2-53.1
The mozilla repo has MozillaThunderbird-52.5.2-1.2
The 53.1 and 1.2 respectively are the build numbers; it represents how many times the package has been rebuilt, usually because of changed dependencies.

One of the sites: ZPIZ - dobrodošli

and there are several more but are in Slovenian only.

I’m currently on windows and this does not look like a firefox issue I get

401 - UnathorizedClient certificate required.


under both Firefox 58 and IE. You need to have a certificate issued by them (ZAVOD ZA POKOJNINSKO IN INVALIDSKO ZAVAROVANJE SLOVENIJE) installed prior to accessing their site. You should email them, as there is no way to access their site without their OK.

I thought the same at first. But when I DL-ed FF57 (or FF58) directly from Mozilla site everything worked fine. I could access all sites and the certificate has been requested by FF by opening a window to select certificate. This works great both in Windows and Leap 42.X

The problem persists when using FF57 (FF58) installed from Suse repo (http://download.opensuse.org/repositories/mozilla/openSUSE_Leap_42.3/). That is why I still feel the problem lies on Suse side; the FF57/FF58 packages are not created good enough.

I’m still on windows and here’s a screenshot of what I get when Firefox tries to access that site
https://imgur.com/a/xTNgy
I see no way to get a certificate. Maybe it’s a geolocation/IP thing: as I’m not in Slovenia that option may not be available to me. Check and see if geolocation is enabled in your Firefox and try again.
If it works with Firefox from https://ftp.mozilla.org/pub/firefox/releases/ but not with Firefox from the mozilla openSUSE repo, open a bug report so it gets fixed. As they both use the same profile, the geolocation option should be the same for both.
https://bugzilla.opensuse.org/