Accepting request 451698 from home:bjoernv:branches:mozilla:Factory

Firefox could not open Google, Wikipedia etc. with HTTPS anymore after update of NSS to 3.28 Sources: - https://bugs.gentoo.org/show_bug.cgi?id=603622 - https://bugzilla.redhat.com/show_bug.cgi?id=1413303#c5 - https://bugzilla.mozilla.org/show_bug.cgi?id=1290037 OBS-URL: https://build.opensuse.org/request/show/451698 OBS-URL: https://build.opensuse.org/package/show/mozilla:Factory/MozillaFirefox?expand=0&rev=566
2017-01-21 08:10:15 +00:00 · 2017-01-21 08:10:15 +00:00 · f6f1953e39
commit f6f1953e39
parent 47ea133150
3 changed files with 54 additions and 1 deletions
--- a/MozillaFirefox.changes
+++ b/MozillaFirefox.changes
@ -1,3 +1,13 @@
+-------------------------------------------------------------------
+Fri Jan 20 21:38:08 UTC 2017 - bjoernv@arcor.de
+
+- Firefox could not open Google, Wikipedia etc. with HTTPS anymore
+  after update of NSS to 3.28
+  - Sources:
+  - https://bugs.gentoo.org/show_bug.cgi?id=603622
+  - https://bugzilla.redhat.com/show_bug.cgi?id=1413303#c5
+  - https://bugzilla.mozilla.org/show_bug.cgi?id=1290037
+
 -------------------------------------------------------------------
 Mon Dec 12 21:18:41 UTC 2016 - wr@rosenauer.org

--- a/MozillaFirefox.spec
+++ b/MozillaFirefox.spec
@ -1,7 +1,7 @@
 #
 # spec file for package MozillaFirefox
 #
-# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #               2006-2016 Wolfgang Rosenauer
 #
 # All modifications and additions to the file contributed by third parties
@ -154,6 +154,7 @@ Patch103:       firefox-branded-icons.patch
 # hotfix
 Patch150:       mozilla-flex_buffer_overrun.patch
 Patch200:       mozilla-aarch64-startup-crash.patch
+Patch250:       mozilla-ecdh-rfc7540.patch

 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 Requires(post):   coreutils shared-mime-info desktop-file-utils
@ -268,6 +269,7 @@ cd $RPM_BUILD_DIR/mozilla
 %patch103 -p1
 %patch150 -p1
 %patch200 -p1
+%patch250 -p1

 %build
 # no need to add build time to binaries
--- a/mozilla-ecdh-rfc7540.patch
+++ b/mozilla-ecdh-rfc7540.patch
@ -0,0 +1,41 @@
+Patch for Gentoo Bug 603622 - nss-3.28 - Firefox refuses to load Google and other
+http2 websites ( NS_ERROR_NET_INADEQUATE_SECURITY )
+Sources:
+- https://bugs.gentoo.org/show_bug.cgi?id=603622
+- https://bugzilla.redhat.com/show_bug.cgi?id=1413303#c5
+- https://bugzilla.mozilla.org/show_bug.cgi?id=1290037
+
+# HG changeset patch
+# User Franziskus Kiefer <franziskuskiefer@gmail.com>
+# Date 1469717280 -7200
+#      Thu Jul 28 16:48:00 2016 +0200
+# Node ID 95aa61f1e3562e526bf88179d9d078fd90ad1bda
+# Parent  d42aacfe34af25e2f5110e2ca3d24a210eabeb33
+Update keybits in H2, r=mt
+
+MozReview-Commit-ID: 35oWoDMqe1Y
+
+diff --git a/netwerk/protocol/http/Http2Session.cpp b/netwerk/protocol/http/Http2Session.cpp
+--- a/netwerk/protocol/http/Http2Session.cpp
+++ b/netwerk/protocol/http/Http2Session.cpp
+@@ -3544,18 +3544,18 @@ Http2Session::ConfirmTLSProfile()
+     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
+   }
+ 
+   uint32_t keybits = ssl->GetKEAKeyBits();
+   if (kea == ssl_kea_dh && keybits < 2048) {
+     LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to DH %d < 2048\n",
+           this, keybits));
+     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
+-  } else if (kea == ssl_kea_ecdh && keybits < 256) { // 256 bits is "security level" of 128
+-    LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 256\n",
+  } else if (kea == ssl_kea_ecdh && keybits < 224) { // see rfc7540 9.2.1.
+    LOG3(("Http2Session::ConfirmTLSProfile %p FAILED due to ECDH %d < 224\n",
+           this, keybits));
+     RETURN_SESSION_ERROR(this, INADEQUATE_SECURITY);
+   }
+ 
+   int16_t macAlgorithm = ssl->GetMACAlgorithmUsed();
+   LOG3(("Http2Session::ConfirmTLSProfile %p MAC Algortihm (aead==6) %d\n",
+         this, macAlgorithm));
+   if (macAlgorithm != nsISSLSocketControl::SSL_MAC_AEAD) {