diff --git a/MozillaFirefox.changes b/MozillaFirefox.changes index 05904f48..c07ade48 100644 --- a/MozillaFirefox.changes +++ b/MozillaFirefox.changes @@ -1,3 +1,13 @@ +------------------------------------------------------------------- +Fri Jan 20 21:38:08 UTC 2017 - bjoernv@arcor.de + +- Firefox could not open Google, Wikipedia etc. with HTTPS anymore + after update of NSS to 3.28 + - Sources: + - https://bugs.gentoo.org/show_bug.cgi?id=603622 + - https://bugzilla.redhat.com/show_bug.cgi?id=1413303#c5 + - https://bugzilla.mozilla.org/show_bug.cgi?id=1290037 + ------------------------------------------------------------------- Mon Dec 12 21:18:41 UTC 2016 - wr@rosenauer.org diff --git a/MozillaFirefox.spec b/MozillaFirefox.spec index 206c66a9..2f958102 100644 --- a/MozillaFirefox.spec +++ b/MozillaFirefox.spec @@ -1,7 +1,7 @@ # # spec file for package MozillaFirefox # -# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany. +# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany. # 2006-2016 Wolfgang Rosenauer # # All modifications and additions to the file contributed by third parties @@ -154,6 +154,7 @@ Patch103: firefox-branded-icons.patch # hotfix Patch150: mozilla-flex_buffer_overrun.patch Patch200: mozilla-aarch64-startup-crash.patch +Patch250: mozilla-ecdh-rfc7540.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build Requires(post): coreutils shared-mime-info desktop-file-utils @@ -268,6 +269,7 @@ cd $RPM_BUILD_DIR/mozilla %patch103 -p1 %patch150 -p1 %patch200 -p1 +%patch250 -p1 %build # no need to add build time to binaries diff --git a/mozilla-ecdh-rfc7540.patch b/mozilla-ecdh-rfc7540.patch new file mode 100644 index 00000000..fc12c7ab --- /dev/null +++ b/mozilla-ecdh-rfc7540.patch 
@@ -0,0 +1,41 @@
+Patch for Gentoo Bug 603622 - nss-3.28 - Firefox refuses to load Google and other
+http2 websites ( NS_ERROR_NET_INADEQUATE_SECURITY )
+Sources:
+- https://bugs.gentoo.org/show_bug.cgi?id=603622
+- https://bugzilla.redhat.com/show_bug.cgi?id=1413303#c5
+- https://bugzilla.mozilla.org/show_bug.cgi?id=1290037
+
+# HG changeset patch
+# User Franziskus Kiefer
+# Date 1469717280 -7200
+# Thu Jul 28 16:48:00 2016 +0200
+# Node ID 95aa61f1e3562e526bf88179d9d078fd90ad1bda
+# Parent d42aacfe34af25e2f5110e2ca3d24a210eabeb33
+Update keybits in H2, r=mt
+
+MozReview-Commit-ID: 35oWoDMqe1Y
+
+diff --git a/netwerk/protocol/http/Http2Session.cpp b/netwerk/protocol/http/Http2Session.cpp
+--- a/netwerk/protocol/http/Http2Session.cpp
++++ b/netwerk/protocol/http/Http2Session.cpp
+@@ -3544,18 +3544,18 @@ Http2Session::ConfirmTLSProfile()
+ RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
+ }
+
+ uint32_t keybits = ssl->GetKEAKeyBits();
+ if (kea == ssl_kea_dh && keybits < 2048) {
+ LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to DH %d < 2048\n",
+ this, keybits));
+ RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
+- } else if (kea == ssl_kea_ecdh && keybits < 256) { // 256 bits is "security level" of 128
+- LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 256\n",
++ } else if (kea == ssl_kea_ecdh && keybits < 224) { // see rfc7540 9.2.1.
++ LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 224\n",
+ this, keybits));
+ RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
+ }
+
+ int16_t macAlgorithm = ssl->GetMACAlgorithmUsed();
+ LOG3(("Http2Session::ConfirmTLSProfile %p MAC Algortihm (aead==6) %d\n",
+ this, macAlgorithm));
+ if (macAlgorithm != nsISSLSocketControl::SSL_MAC_AEAD) {
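Review bot: In the embedded `Http2Session::ConfirmTLSProfile()` change, the new ECDHE floor `keybits < 224` swaps a comment that named the intended strength for a bare `// see rfc7540 9.2.1.`, so the code no longer records that 224 is the protocol's minimum and not this check's own target. With the bound lowered, any ECDHE group of 224 bits or more passes the HTTP/2 profile, which leaves the choice of acceptable curves to the TLS library's enabled-group configuration; that configuration is not visible here and is worth confirming for this build. I would spell the reason out at the check, e.g. `// RFC 7540 9.2.1 floor for ECDHE (224 bits); kept below 256 so groups NSS reports under 256 bits are accepted`, with the second half hedged until the linked bugs confirm that is what NSS 3.28 changed. The value 224 is also repeated in the LOG3 format string, so a named constant would keep the condition and the message in step; the function starts and ends outside the hunk.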