Accepting request 451698 from home:bjoernv:branches:mozilla:Factory

Firefox could not open Google, Wikipedia etc. with HTTPS anymore after update of NSS to 3.28 Sources: - https://bugs.gentoo.org/show_bug.cgi?id=603622 - https://bugzilla.redhat.com/show_bug.cgi?id=1413303#c5 - https://bugzilla.mozilla.org/show_bug.cgi?id=1290037 OBS-URL: https://build.opensuse.org/request/show/451698 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=566
2017-01-21 08:10:15 +00:00 · 2017-01-21 08:10:15 +00:00 · f6f1953e39
commit f6f1953e39
parent 47ea133150
3 changed files with 54 additions and 1 deletions
--- a/MozillaFirefox.changes
+++ b/MozillaFirefox.changes
@ -1,3 +1,13 @@
 -------------------------------------------------------------------
 Fri Jan 20 21:38:08 UTC 2017 - bjoernv@arcor.de
 - Firefox could not open Google, Wikipedia etc. with HTTPS anymore
  after update of NSS to 3.28
  - Sources:
  - https://bugs.gentoo.org/show_bug.cgi?id=603622
  - https://bugzilla.redhat.com/show_bug.cgi?id=1413303#c5
  - https://bugzilla.mozilla.org/show_bug.cgi?id=1290037
 -------------------------------------------------------------------
 Mon Dec 12 21:18:41 UTC 2016 - wr@rosenauer.org
--- a/MozillaFirefox.spec
+++ b/MozillaFirefox.spec
@ -1,7 +1,7 @@
 #
 # spec file for package MozillaFirefox
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #               2006-2016 Wolfgang Rosenauer
 #
 # All modifications and additions to the file contributed by third parties
@ -154,6 +154,7 @@ Patch103:       firefox-branded-icons.patch
 # hotfix
 Patch150:       mozilla-flex_buffer_overrun.patch
 Patch200:       mozilla-aarch64-startup-crash.patch
 Patch250:       mozilla-ecdh-rfc7540.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Requires(post):   coreutils shared-mime-info desktop-file-utils
@ -268,6 +269,7 @@ cd $RPM_BUILD_DIR/mozilla
 %patch103 -p1
 %patch150 -p1
 %patch200 -p1
 %patch250 -p1
 %build
 # no need to add build time to binaries
--- a/mozilla-ecdh-rfc7540.patch
+++ b/mozilla-ecdh-rfc7540.patch
@ -0,0 +1,41 @@
 Patch for Gentoo Bug 603622 - nss-3.28 - Firefox refuses to load Google and other
 http2 websites ( NS_ERROR_NET_INADEQUATE_SECURITY )
 Sources:
 - https://bugs.gentoo.org/show_bug.cgi?id=603622
 - https://bugzilla.redhat.com/show_bug.cgi?id=1413303#c5
 - https://bugzilla.mozilla.org/show_bug.cgi?id=1290037
 # HG changeset patch
 # User Franziskus Kiefer <franziskuskiefer@gmail.com>
 # Date 1469717280 -7200
 #      Thu Jul 28 16:48:00 2016 +0200
 # Node ID 95aa61f1e3562e526bf88179d9d078fd90ad1bda
 # Parent  d42aacfe34af25e2f5110e2ca3d24a210eabeb33
 Update keybits in H2, r=mt
 MozReview-Commit-ID: 35oWoDMqe1Y
 diff --git a/netwerk/protocol/http/Http2Session.cpp b/netwerk/protocol/http/Http2Session.cpp
 --- a/netwerk/protocol/http/Http2Session.cpp
 +++ b/netwerk/protocol/http/Http2Session.cpp
@@ -3544,18 +3544,18 @@ Http2Session::ConfirmTLSProfile()
     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
   }
   uint32_t keybits = ssl->GetKEAKeyBits();
   if (kea == ssl_kea_dh && keybits < 2048) {
     LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to DH %d < 2048\n",
           this, keybits));
     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
 -  } else if (kea == ssl_kea_ecdh && keybits < 256) { // 256 bits is "security level" of 128
 -    LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 256\n",
 +  } else if (kea == ssl_kea_ecdh && keybits < 224) { // see rfc7540 9.2.1.
 +    LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 224\n",
           this, keybits));
     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
   }
   int16_t macAlgorithm = ssl->GetMACAlgorithmUsed();
   LOG3(("Http2Session::ConfirmTLSProfile %p MAC Algortihm (aead==6) %d\n",
         this, macAlgorithm));
   if (macAlgorithm != nsISSLSocketControl::SSL_MAC_AEAD) {