#770508 iceweasel: cannot override certificate validation problems with mozilla::pkix, connection hangs
- Package: iceweasel
- Source: firefox-esr
- Submitter: Peter Amstutz
- Date: 2025-09-18 07:31:52 UTC
- Severity: important
- Tags:
Dear Maintainer,
Firefox 31 introduced a new certificate validation library "mozilla::pkix".
This introduced regressions, where previously the user could override the
validation error and connect anyway ("this connection is untrusted!"), in
jessie iceweasel attempting to connect to the same sites results in a silent
hang (it appears to be loading forever with no feedback as to what is wrong).
(Subjectively, when this happens it also appears to affect the overall
stability of the browser, as it seems like other sites become slow to load or
fail to load entirely until the browser is restarted).
Based on the following discussion, it appears that this behavior is addressed
in Firefox 33, and in the Enterprise Support Release (ESR) of Firefox 31:
https://bugzilla.mozilla.org/show_bug.cgi?id=1042889
Thanks
That bug is fixed in 33 and 31.2, both of which are in Debian already. Are you saying the versions in Debian are still affected? Mike
Thanks for the response. This bug initially surfaced for me when iceweasel was upgraded from 30 to 31 about three months ago. I re-tested for the behavior after upgrading the package yesterday and am getting the same result: attempting to make a TLS connection to a server that uses a self-signed certificate hangs without returning an error.

This is puzzling, since the bug reports out there seem to indicate people are experiencing the bug by having the connection fail with a non-overridable error reported, which is different from having the connection not do anything at all.

There is an about:config workaround; with this setting I am able to override the certificate error and connect to my site:

security.use_mozillapkix_verification = false

This does strongly indicate that the problem is linked to the introduction of mozilla::pkix.

I realize that I should re-test with a clean profile; it could be that there are old certificates and/or plugins in my regular browsing profile that are causing problems. To investigate further, I will see about setting up a dummy server with the guilty certificates to see if you can reproduce.

Thanks, Peter
I found a workaround:

1. Quit iceweasel.
2. ~$ cd ~/.mozilla/firefox/xxxxx.default
3. ~/.mozilla/firefox/xxxxx.default$ mv cert8.db cert8.db.old
4. Restart iceweasel.

A coworker of mine was affected by the same problem and was able to solve it using the above workaround.

As far as I can tell, iceweasel is recording some information about the SSL configuration for a specific host and port in "cert8.db" (in our case, a development instance of a web app that uses a self-signed cert that is frequently regenerated). The information in "cert8.db" is either corrupt or in conflict with the certificate actually provided when the browser connects, but instead of landing at the warning-and-override page, mozilla::pkix fails silently and the connection attempt hangs.

So, I think there is a bug here, but it seems like it might require some deep digging to find the actual point of failure.

- Peter
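The cert8.db workaround above, scripted as an added example (this is not code from the bug report or from the Debian or Mozilla projects). It takes the profile directory as an argument (the path is the `Path=` entry in `~/.mozilla/firefox/profiles.ini`), refuses to touch a profile whose lock files (`lock`, `.parentlock`) indicate the browser is still running, and renames `cert8.db` to a timestamped `cert8.db.old.*` copy instead of deleting it, so the old trust database can be restored or inspected later. The function names and return codes are this example's own choices, not anything Firefox defines.

```shell
#!/bin/sh
# Added example: set aside a Firefox/Iceweasel profile's cert8.db so the
# browser rebuilds it on the next start (the cert8.db workaround from the
# bug report, with checks around it). Not part of the original report.
set -u

# profile_locked PROFILE_DIR
# Succeeds (returns 0) when the profile directory carries the lock files
# Firefox creates while it is running; the database must not be moved then,
# because the running browser would rewrite it on exit.
profile_locked() {
    profile="$1"
    [ -e "$profile/lock" ] || [ -e "$profile/.parentlock" ]
}

# move_cert_db PROFILE_DIR
# Renames cert8.db to cert8.db.old.<timestamp> (a copy is kept, not deleted).
# Return codes (this example's own convention):
#   0  cert8.db was moved
#   1  profile directory exists but has no cert8.db
#   2  profile directory does not exist
#   3  mv failed
move_cert_db() {
    profile="$1"
    [ -d "$profile" ] || { echo "no such profile dir: $profile" >&2; return 2; }
    [ -f "$profile/cert8.db" ] || { echo "no cert8.db in $profile" >&2; return 1; }
    stamp=$(date +%Y%m%d%H%M%S)
    mv "$profile/cert8.db" "$profile/cert8.db.old.$stamp" || return 3
    echo "moved cert8.db to cert8.db.old.$stamp"
    return 0
}

# Usage: sh move_cert_db.sh ~/.mozilla/firefox/xxxxx.default   (browser closed)
if [ "$#" -ge 1 ]; then
    if profile_locked "$1"; then
        echo "profile appears to be in use; quit iceweasel first" >&2
        exit 4
    fi
    move_cert_db "$1"
fi
```

Keeping the renamed database rather than deleting it matters for diagnosis: the report's hypothesis is that a stale entry in cert8.db conflicts with the certificate the server now presents, and the old file is the only evidence of what that entry was.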
src:iceweasel has been superseded by src:firefox-esr in version 45.0esr-1 in March 2016. Transitional packages to ease upgrades were provided in the wheezy, jessie, stretch and buster releases. The transitional packages have been removed finally before the bullseye release in August 2021. After regular security support for buster ended in August 2022 and LTS support ended in June 2024, I'm closing the remaining bug reports now. Andreas