Package: libnss3
Version: 2:3.14.3-1
Severity: important

Dear Maintainer,
* What led up to the situation?

I upgraded libnss* from 2:3.13.6-2 (previously in wheezy) to 2:3.14.3-1 (new in wheezy). Suddenly Icedove cannot connect to my IMAP-mail server anymore. That mail-server has a self-signed certificate. Thunderbird on other PCs (Win7) does not have the problem. Mail-clients on other devices do nave the problem. So it seems related to wheezy specifically.

* What exactly did you do (or not do) that was effective (or ineffective)?

Restart Icedove.

* What was the outcome of this action?
* What outcome did you expect instead?

Downgraded libnss* to 2:3.13.6-2 to verify that libnss is the culprit. This solves the issue. Upgrading to 2:3.14.3-1 again makes the issue appear again.

I also read some bug-reports. One of them talked about cert8.db being the problem. So I moved ~/.icedove/<profile>/cert8.db to cert8.db.bak and stopped/started Icedove to re-create cert8.db. This does not solve the issue, so the issue is not related to cert8.db and thus not to #670882 and/or Mozilla bug 634074.

If you need any more information please specify. I have added a dump of the certificate generated with openssl s_client -connect imap.intranet:993 -showcerts for you and attached it to this report.

To resolve this issue I have to downgrade to 2:3.13.6-2 and am thus stuck with a vulnerable version.

If using a different (non self-signed) certificate solves the issue, please specify. The imap.intranet server certificate is going to expire in a few months anyway. I can generate a certificate using a local PKI I've set up for OpenVPN after generating this certificate in 2005.

-- System Information:
Debian Release: 7.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: i386 (i686)

Kernel: Linux 3.2.0-4-686-pae (SMP w/1 CPU core)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages libnss3 depends on:
ii  libc6              2.13-38
ii  libnspr4           2:4.9.2-1
ii  libnspr4-0d        2:4.9.2-1
ii  libsqlite3-0       3.7.13-1
ii  multiarch-support  2.13-38
ii  zlib1g             1:1.2.7.dfsg-13

libnss3 recommends no packages.

libnss3 suggests no packages.

-- no debconf information

CONNECTED(00000003)
---
Certificate chain
 0 s:/C=NL/ST=Zuid-Holland/L=Den Haag/O=intranet/OU=sysadmin/CN=imap.intranet/emailAddress=none
   i:/C=NL/ST=Zuid-Holland/L=Den Haag/O=intranet/OU=sysadmin/CN=imap.intranet/emailAddress=none
---
Server certificate
subject=/C=NL/ST=Zuid-Holland/L=Den Haag/O=intranet/OU=sysadmin/CN=imap.intranet/emailAddress=none
issuer=/C=NL/ST=Zuid-Holland/L=Den Haag/O=intranet/OU=sysadmin/CN=imap.intranet/emailAddress=none
---
No client certificate CA names sent
---
SSL handshake has read 1996 bytes and written 902 bytes
---
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
    Session-ID: 23F21A652686850DA0C3B7F742F08A1131460A4F059BF4C84CBDFB78B60A916B
    Session-ID-ctx:
    Master-Key: 23DF35222A6026A18C5F192C5CAD92D9F051124F2D13B9D32F64FD1F4BB74702F18DF52731F69199C141F601D120D797
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    Compression: 1 (zlib compression)
    Start Time: 1363819210
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
* OK [CAPABILITY IMAP4rev1 UIDPLUS CHILDREN NAMESPACE THREAD=ORDEREDSUBJECT THREAD=REFERENCES SORT QUOTA IDLE AUTH=PLAIN ACL ACL2=UNION] Courier-IMAP ready. Copyright 1998-2010 Double Precision, Inc. See COPYING for distribution information.