
Re: firefox palemoon waterfox baselisk problem, not on chromium



	Hi.

On Fri, Nov 30, 2018 at 11:05:19PM +0100, arne wrote:
> On Sat, 20 Oct 2018 10:27:19 +0300
> Reco <recoverym4n@enotuniq.net> wrote:
> 
> > > > > Any ideas what can be the solution?  
> > > > 
> > > > A better question would be - what's the actual problem.
> > > > 'Secure Connection Failed' can refer to many things, such as
> > > > certificate/domain mismatch, certificate expiration, wrong TLS
> > > > protocol version etc.
> > > > Any Modern Browser™ hides these details from you, so Firefox (for
> > > > instance) itself is hardly suited for the troubleshooting.
> > > > 
> > > > So I propose this for starters:
> > > > 
> > > > openssl s_client -connect www.google.com:443
> > > 
> > > Is this something about google enforcing https everywhere ?  
> > 
> > That's a part of the problem, of course. Plain HTTP does not have
> > these kinds of problems (but there are other ones and HTTPS was
> > invented to solve these).
> > But I don't have any useful information (yet) to even start
> > suspecting something.
> 
> # openssl s_client -connect www.youtube.com:443
> 
...
>  0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.google.com
>    i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
...
> New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305

Long story short, it should work.
The certificate is valid, the expiration date has not been reached, the
hostname matches the 'X509v3 Subject Alternative Name' section, etc.

> ++++++++++++++++++++++++++++++++++
> palemoon gives:
> 
> Secure Connection Failed

But since it does not, there are the following possibilities:

1) palemoon's embedded libnss cannot cope with the chacha20 encryption
algorithm.
There's nothing you can do here. Upgrading palemoon (and therefore
upgrading its libnss) can help. Or not.

2) palemoon's embedded trusted certificate store does not contain this
certificate: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2.
Highly unlikely, but possible.
Importing the certificate may help.


To clarify things further, a traffic dump is needed.
I.e.:

1) Run as root:

tcpdump -w /tmp/pale.pcap -s0 -ni any tcp port 443 or udp port 53

2) Run as user:

palemoon https://www.google.com

3) Terminate palemoon. Terminate tcpdump.

Reco
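
Added example, not part of the original message: one way to read the browser's ClientHello out of a capture like /tmp/pale.pcap and see which cipher suites it offered, including whether any ChaCha20-Poly1305 suite is among them. The function names are hypothetical, the sample bytes are constructed, and it assumes you have already extracted the TCP payload of the first client-to-server segment as a single TLS record.

```python
import struct

# Standard ChaCha20-Poly1305 suite IDs (RFC 7905, plus TLS 1.3's 0x1303).
CHACHA20_SUITES = {0xCCA8, 0xCCA9, 0xCCAA, 0x1303}

def parse_client_hello(record: bytes) -> dict:
    """Parse one TLS record that holds a complete ClientHello."""
    if len(record) < 9 or record[0] != 0x16 or record[5] != 0x01:
        raise ValueError("not a TLS handshake record carrying a ClientHello")
    rec_len = struct.unpack_from("!H", record, 3)[0]
    body = record[5:5 + rec_len]
    hs_len = int.from_bytes(body[1:4], "big")
    if hs_len + 4 > len(body):
        raise ValueError("ClientHello truncated or split across records")
    hello = body[4:4 + hs_len]
    try:
        pos = 2 + 32                          # client_version + random
        pos += 1 + hello[pos]                 # session_id
        n = struct.unpack_from("!H", hello, pos)[0]
        suites = list(struct.unpack_from("!%dH" % (n // 2), hello, pos + 2))
        pos += 2 + n
        pos += 1 + hello[pos]                 # compression methods
        sni = None
        if pos + 2 <= len(hello):             # extensions are optional
            end = pos + 2 + struct.unpack_from("!H", hello, pos)[0]
            pos += 2
            while pos + 4 <= end:
                etype, elen = struct.unpack_from("!HH", hello, pos)
                pos += 4
                if etype == 0 and elen >= 5:  # server_name: list len, type, name len
                    name_len = struct.unpack_from("!H", hello, pos + 3)[0]
                    sni = hello[pos + 5:pos + 5 + name_len].decode("ascii", "replace")
                pos += elen
    except (struct.error, IndexError) as exc:
        raise ValueError("malformed ClientHello") from exc
    return {"version": hello[:2].hex(), "suites": suites, "sni": sni,
            "offers_chacha20": any(s in CHACHA20_SUITES for s in suites)}

def build_sample(suites, host=b"www.google.com"):
    """Constructed ClientHello for the demo, not bytes from a real capture."""
    sni = struct.pack("!HBH", len(host) + 3, 0, len(host)) + host
    ext = struct.pack("!HH", 0, len(sni)) + sni
    hello = (b"\x03\x03" + bytes(32) + b"\x00"
             + struct.pack("!H", 2 * len(suites))
             + struct.pack("!%dH" % len(suites), *suites)
             + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs
```

Comparing the offered suites with the suite the server picks in its ServerHello, or with the alert that follows, shows where the handshake stops.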

