Control: reassign 782772 iceweasel
Control: found 782772 37.0.2-1 38.0-2
Control: tags 782772 + upstream
Control: forwarded 782772 https://bugzilla.mozilla.org/show_bug.cgi?id=1165911

On Mon 2015-05-18 10:07:48 -0400, Daniel Kahn Gillmor wrote:
> After upgrading to 38.0-2, with iceweasel-dbg, i get the following
> backtrace during the segfault:
>
> Program received signal SIGSEGV, Segmentation fault.
> [Switching to Thread 0x7fffd94fe700 (LWP 10459)]
> 0x00007ffff403bb87 in GatherEKUTelemetry (certList=...)
>     at /tmp/buildd/iceweasel-38.0/security/manager/ssl/src/SSLServerCertVerification.cpp:1047

http://sources.debian.net/src/iceweasel/38.0-2/security/manager/ssl/src/SSLServerCertVerification.cpp/?hl=1024#L1047

Digging a little bit further, it looks like a bug when iceweasel's
telemetry code tries to deal with an X.509v3 certificate which has no
extensions.

I've reported the problem upstream at
https://bugzilla.mozilla.org/show_bug.cgi?id=1165911

In the meantime, i note that the end-entity certificate offered by
mentors.debian.net is provided twice in the TLS handshake (which is not
advisable), and it has no X.509v3 extensions.

The Debian CA (cc'ing debina-ad...@debian.org here), which issued the
mentors.debian.net certificate, should probably re-issue the certificate
with some v3 extensions in it, at least:

 * basicConstraints (CA:False)
 * keyUsage (digitalSignature at least, keyEncipherment if you want to
   support RSA key exchange on mentors.debian.net)
 * extendedKeyUsage (TLS www server)
 * subjectAltName (mentors.debian.net)

These are good ideas for certificate issuance anyway, and they would
also fix the iceweasel segfault.

please let me know if i can help diagnose or repair this further.

Regards,

        --dkg

Processed 156 CA certificate(s).
Resolving 'mentors.debian.net'...
Connecting to '185.22.221.46:443'...
- Certificate type: X.509
- Got a certificate list of 4 certificates.
- Certificate[0] info:
 - subject `CN=mentors.debian.net', issuer 
`O=Debian,CN=ca.debian.org,EMAIL=debian-ad...@debian.org', RSA key 2048 bits, 
signed using RSA-SHA1, activated `2014-04-09 14:59:15 UTC', expires `2016-04-28 
14:59:15 UTC', SHA-1 fingerprint `82906f583787e47bf78594160895becae554ee89'
        Public Key ID:
                cce07f1ed3b6cc884d372d5a1062c8915f342f03
        Public key's random art:
                +--[ RSA 2048]----+
                |      ..E.o      |
                |     ..o ..o     |
                |      +.o.+ .    |
                |     . =.. +     |
                |      . S .      |
                |       .   o .   |
                |        . = B .  |
                |         * @ +   |
                |        . = +    |
                +-----------------+


- Certificate[1] info:
 - subject `CN=mentors.debian.net', issuer 
`O=Debian,CN=ca.debian.org,EMAIL=debian-ad...@debian.org', RSA key 2048 bits, 
signed using RSA-SHA1, activated `2014-04-09 14:59:15 UTC', expires `2016-04-28 
14:59:15 UTC', SHA-1 fingerprint `82906f583787e47bf78594160895becae554ee89'

- Certificate[2] info:
 - subject `O=Debian,CN=ca.debian.org,EMAIL=debian-ad...@debian.org', issuer 
`C=US,ST=Indiana,L=Indianapolis,O=Software in the Public 
Interest,OU=hostmaster,CN=Certificate Authority,EMAIL=hostmas...@spi-inc.org', 
RSA key 4096 bits, signed using RSA-SHA1, activated `2008-05-13 09:13:20 UTC', 
expires `2018-05-10 09:13:20 UTC', SHA-1 fingerprint 
`d726c9c7a22a52af1212e99342b76283aa40994c'

- Certificate[3] info:
 - subject `C=US,ST=Indiana,L=Indianapolis,O=Software in the Public 
Interest,OU=hostmaster,CN=Certificate Authority,EMAIL=hostmas...@spi-inc.org', 
issuer `C=US,ST=Indiana,L=Indianapolis,O=Software in the Public 
Interest,OU=hostmaster,CN=Certificate Authority,EMAIL=hostmas...@spi-inc.org', 
RSA key 4096 bits, signed using RSA-SHA1, activated `2008-05-13 08:07:56 UTC', 
expires `2018-05-11 08:07:56 UTC', SHA-1 fingerprint 
`af70884383820215cd61c6bcecfd3724a990431c'

- Status: The certificate is trusted. 
- Description: (TLS1.2)-(ECDHE-RSA-SECP256R1)-(AES-256-GCM)
- Session ID: 
9E:6F:FB:8F:DB:76:7F:65:BE:CE:CE:AA:37:80:D0:90:10:5C:4D:A5:61:51:88:DE:67:1A:0A:28:FB:42:04:BF
- Ephemeral EC Diffie-Hellman parameters
 - Using curve: SECP256R1
 - Curve size: 256 bits
- Version: TLS1.2
- Key Exchange: ECDHE-RSA
- Server Signature: RSA-SHA256
- Cipher: AES-256-GCM
- MAC: AEAD
- Compression: NULL
- Options: safe renegotiation,
- Handshake was completed

- Simple Client Mode:
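
An added example, not part of the original message or of the iceweasel or GnuTLS code: a stdlib-only Python check that walks a DER certificate's TBSCertificate, reports whether the optional [3] extensions field is absent (the condition described above), and names which of the four recommended extensions are missing. The function names are this example's own, and `skeleton()` builds constructed sample data (version, serial and optional extensions only), not a real certificate.

```python
# Added example; OIDs per RFC 5280. skeleton() builds constructed sample data.
RECOMMENDED = {"2.5.29.19": "basicConstraints", "2.5.29.15": "keyUsage",
               "2.5.29.37": "extendedKeyUsage", "2.5.29.17": "subjectAltName"}

def read_tlv(buf, pos):  # -> (tag, value, next_pos) of the DER element at pos
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(body):  # split a constructed element into (tag, value) pairs
    pos, out = 0, []
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out

def oid(b):  # decode an OBJECT IDENTIFIER value to dotted form
    first = min(b[0] // 40, 2)
    arcs, n = [first, b[0] - 40 * first], 0
    for byte in b[1:]:
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:  # high bit clear: last byte of this arc
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def extension_oids(cert_der):
    """List extension OIDs, or None when the [3] extensions field is absent."""
    _, cert, _ = read_tlv(cert_der, 0)   # Certificate ::= SEQUENCE
    _, tbs = children(cert)[0]           # first member is TBSCertificate
    for tag, val in children(tbs):
        if tag == 0xA3:                  # [3] EXPLICIT Extensions
            _, exts = children(val)[0]
            return [oid(children(ext)[0][1]) for _, ext in children(exts)]
    return None

def missing_recommended(cert_der):
    present = extension_oids(cert_der) or []  # absent field: nothing present
    return [name for o, name in RECOMMENDED.items() if o not in present]

def tlv(tag, body):  # short-form DER encoder, enough for the samples below
    return bytes([tag, len(body)]) + body

def skeleton(ext_oids=None):  # constructed sample, not a real certificate
    tbs = tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, b"\x01")  # v3, serial 1
    if ext_oids is not None:
        exts = b"".join(tlv(0x30, tlv(0x06, o) + tlv(0x04, b"")) for o in ext_oids)
        tbs += tlv(0xA3, tlv(0x30, exts))
    return tlv(0x30, tlv(0x30, tbs))
```

For a real certificate, pass its DER bytes to `missing_recommended()`, for example after converting PEM with `ssl.PEM_cert_to_DER_cert()`.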
