Welcome to the Linux Foundation Forum!

Firefox and NSS incompatability

Options
Posts: 3
in Network Management

Hello All,

I'm having a problem I hope someone can help me with.

I'm running Linux 5 64 bit on a VM. I have Mozilla Firefox 38.3.0 installed and it is running great with 2048 bit certs. When I upgrade my NSS from nss-3.18.0-6.el5_11 to nss-3.19.1-1.el5_11, Firefox throws an error when going to an Oracle EM page.

Specifically, my browser reports,

Secure Connection Failed

An error occurred during a connection to . The server certificate included a public key that was too weak. (Error code: ssl_error_weak_server_cert_key)

I can find little on the web about this error, and what I do find points a finger at Mozilla. A lot of people are just downgrading Mozilla to solve the issue, but local customer requires the better security in v38.

Has anybody else run into this? Seen this issue before?

Dave

Welcome!

It looks like you're new here. Sign in or register to get started.
Sign In

Comments

  • Posts: 777
    djblock wrote:
    Hello All,

    I'm having a problem I hope someone can help me with.

    I'm running Linux 5 64 bit on a VM. I have Mozilla Firefox 38.3.0 installed and it is running great with 2048 bit certs. When I upgrade my NSS from nss-3.18.0-6.el5_11 to nss-3.19.1-1.el5_11, Firefox throws an error when going to an Oracle EM page.

    Specifically, my browser reports,

    Secure Connection Failed
    An error occurred during a connection to <Hostname:port>. The server certificate included a public key that was too weak. (Error code: ssl_error_weak_server_cert_key)
    Dave

    I will take a guess and say that, the upgrade of NSS gave your system a new key that whatever host you are trying to connect to cannot verify. Not sure what NSS is but if the remote host is not using the new NSS then stick with what you had currently even if it is believed to be the better one. Also what is Linux 5, is that redhat?
  • Posts: 3
    Yes. It's redhat. I've also verified that my key is still valid. ie. it is the same key as before the upgrade. Thanks for the help!
  • Posts: 777
    The error States,"the server certificate included a public key that was too weak". I am guessing Firefox is referring to the Oracle server, could be wrong. I am not to familiar with NSS so all I can offer are educated guesses. Does your cert work for other secure sites that require a cert?
  • Posts: 3
    No. Other secure sites return the same error. Just that we routinely use this box to run OEM.
  • Posts: 777
    edited March 2016
    Then perhaps the issue is with the newely upgraded NSS service. It would appear NSS is requiring a more secure public key for servers you want to connect to remotely. Either the remote servers are not using NSS-19, have bad cert keys, or their cert keys are setup differently making NSS think they are weak. Are you still able to downgrade as you mention it to be an option?
  • Posts: 777
    Another thing, are there any configuration files associated with NSS-19? If so, can you configure the level of security for acceptable public cert keys?

Welcome!

It looks like you're new here. Sign in or register to get started.
Sign In

Welcome!

It looks like you're new here. Sign in or register to get started.
Sign In

Quick Links

Categories

Upcoming Training