
Firefox and NSS incompatibility

Hello All,

I'm having a problem I hope someone can help me with.

I'm running Linux 5 64 bit on a VM. I have Mozilla Firefox 38.3.0 installed and it is running great with 2048 bit certs. When I upgrade my NSS from nss-3.18.0-6.el5_11 to nss-3.19.1-1.el5_11, Firefox throws an error when going to an Oracle EM page.

Specifically, my browser reports,

Secure Connection Failed

An error occurred during a connection to <Hostname:port>. The server certificate included a public key that was too weak. (Error code: ssl_error_weak_server_cert_key)

I can find little on the web about this error, and what I do find points a finger at Mozilla. A lot of people are just downgrading Mozilla to solve the issue, but the local customer requires the better security in v38.

Has anybody else run into this? Seen this issue before?

Dave

Comments

  • saqman2060
    saqman2060 Posts: 777
    djblock wrote:
    Hello All,

    I'm having a problem I hope someone can help me with.

    I'm running Linux 5 64 bit on a VM. I have Mozilla Firefox 38.3.0 installed and it is running great with 2048 bit certs. When I upgrade my NSS from nss-3.18.0-6.el5_11 to nss-3.19.1-1.el5_11, Firefox throws an error when going to an Oracle EM page.

    Specifically, my browser reports,

    Secure Connection Failed
    An error occurred during a connection to <Hostname:port>. The server certificate included a public key that was too weak. (Error code: ssl_error_weak_server_cert_key)
    Dave

    I will take a guess and say that the upgrade of NSS gave your system a new key that whatever host you are trying to connect to cannot verify. Not sure what NSS is, but if the remote host is not using the new NSS then stick with what you had currently, even if it is believed to be the better one. Also, what is Linux 5, is that Red Hat?
  • djblock
    djblock Posts: 3
    Yes. It's Red Hat. I've also verified that my key is still valid, i.e. it is the same key as before the upgrade. Thanks for the help!
  • saqman2060
    saqman2060 Posts: 777
    The error states, "the server certificate included a public key that was too weak". I am guessing Firefox is referring to the Oracle server, could be wrong. I am not too familiar with NSS, so all I can offer are educated guesses. Does your cert work for other secure sites that require a cert?
  • djblock
    djblock Posts: 3
    No. Other secure sites return the same error. Just that we routinely use this box to run OEM.
  • saqman2060
    saqman2060 Posts: 777
    edited March 2016
    Then perhaps the issue is with the newly upgraded NSS service. It would appear NSS is requiring a more secure public key for servers you want to connect to remotely. Either the remote servers are not using NSS-19, have bad cert keys, or their cert keys are set up differently, making NSS think they are weak. Are you still able to downgrade, as you mentioned it to be an option?
  • saqman2060
    saqman2060 Posts: 777
    Another thing, are there any configuration files associated with NSS-19? If so, can you configure the level of security for acceptable public cert keys?
