On Tue, May 01, 2012 at 02:59:12AM +0200, Vincent Lefevre wrote: > On 2012-04-30 11:49:11 +0200, Mike Hommey wrote: > > On Mon, Apr 30, 2012 at 11:38:02AM +0200, Vincent Lefevre wrote: > > > On 2012-04-30 11:27:42 +0200, Mike Hommey wrote: > > > > On Mon, Apr 30, 2012 at 10:58:50AM +0200, Vincent Lefevre wrote: > > > > > I've done some tests, and the problem still occurs with my usual > > > > > profile. And it occurs with a new profile if I copy the old cert8.db > > > > > file. > > > > > > > > That would seem to indicate something weird in your cert8.db... > > > > > > Not necessarily weird. No such problems with the previous libnss3-1d > > > version. Could libnss3-1d log messages about this cert8.db file? > > > > Your best bet might be to check some of the tools in libnss3-tools (like > > certutil) and check what's peculiar to your cert8.db (checking against a > > fresh one) > > The problem seems to be that the new libnss3-1d is confused by > intermediate certificates from cert8.db that are in the chain. > > For instance, if I remove the UTN-USERFirst-Hardware certificate > with > > certutil -D -d .mozilla/firefox/xwsukxd4.test6/ -n UTN-USERFirst-Hardware > > the problem disappears on <https://www.zeroforfait.fr/>. > > As an example, I've attached the two certificates. Perhaps the > old libnss3-1d was ignoring certificates of cert8.db below the > root certificate? (There isn't much in the changelog).
I can't reproduce the problem with either certificates, except if I explicitely distrust them. But in that case, it happens on 3.13.4 as well as 3.13.3. Mike -- To UNSUBSCRIBE, email to debian-bugs-rc-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org
