Bug#887798: marked as done (firefox-esr: impossible to connect to Google domains)

[Debian Bug Tracking System]

Your message dated Mon, 22 Jan 2018 07:12:15 +0900
with message-id <20180121221213.khsjahvme2kya...@glandium.org>
and subject line Re: Bug#887798: firefox-esr: impossible to connect to Google 
domains
has caused the Debian Bug report #887798,
regarding firefox-esr: impossible to connect to Google domains
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
887798: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=887798
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems

--- Begin Message ---

Package: firefox-esr
Version: 52.5.3esr-1
Severity: grave
Justification: renders package unusable

It is no longer possible to connect to Google domains. For instance:

------------------------------------------------------------------------
Your connection is not secure

The owner of www.google.fr has configured their website improperly. To
protect your information from being stolen, Firefox has not connected
to this website.

This site uses HTTP Strict Transport Security (HSTS) to specify that
Firefox may only connect to it securely. As a result, it is not
possible to add an exception for this certificate.
------------------------------------------------------------------------

And after clicking on "Advanced":

------------------------------------------------------------------------
www.google.fr uses an invalid security certificate.

The certificate is not trusted because the issuer certificate is unknown. The 
server might not be sending the appropriate intermediate certificates. An 
additional root certificate may need to be imported.

Error code: SEC_ERROR_UNKNOWN_ISSUER
------------------------------------------------------------------------

This occurs with various Google domains (google.com, google.fr,
goo.gl), with and without -safe-mode.

Opera, lynx, curl and wget do not have this problem.

-- Package-specific info:


-- Addons package information

-- System Information:
Debian Release: buster/sid
  APT prefers unstable-debug
  APT policy: (500, 'unstable-debug'), (500, 'stable-updates'), (500, 
'unstable'), (500, 'testing'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.14.0-3-amd64 (SMP w/8 CPU cores)
Locale: LANG=POSIX, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), LANGUAGE=POSIX 
(charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages firefox-esr depends on:
ii  debianutils               4.8.4
ii  fontconfig                2.12.6-0.1
ii  libasound2                1.1.3-5
ii  libatk1.0-0               2.26.1-2
ii  libc6                     2.26-4
ii  libcairo-gobject2         1.14.10-1
ii  libcairo2                 1.14.10-1
ii  libdbus-1-3               1.12.2-1
ii  libdbus-glib-1-2          0.108-3
ii  libevent-2.1-6            2.1.8-stable-4
ii  libffi6                   3.2.1-8
ii  libfontconfig1            2.12.6-0.1
ii  libfreetype6              2.6.3-3.2
ii  libgcc1                   1:7.2.0-19
ii  libgdk-pixbuf2.0-0        2.36.11-1
ii  libglib2.0-0              2.54.3-1
ii  libgtk-3-0                3.22.26-2
ii  libgtk2.0-0               2.24.31-5
ii  libhunspell-1.6-0         1.6.2-1
ii  libjsoncpp1               1.7.4-3
ii  libnspr4                  2:4.16-1+b1
ii  libnss3                   2:3.34.1-1
ii  libpango-1.0-0            1.40.14-1
ii  libsqlite3-0              3.21.0-1
ii  libstartup-notification0  0.12-5
ii  libstdc++6                7.2.0-19
ii  libvpx4                   1.6.1-3
ii  libx11-6                  2:1.6.4-3
ii  libx11-xcb1               2:1.6.4-3
ii  libxcb-shm0               1.12-1
ii  libxcb1                   1.12-1
ii  libxcomposite1            1:0.4.4-2
ii  libxdamage1               1:1.1.4-3
ii  libxext6                  2:1.3.3-1+b2
ii  libxfixes3                1:5.0.3-1
ii  libxrender1               1:0.9.10-1
ii  libxt6                    1:1.1.5-1
ii  procps                    2:3.3.12-3
ii  zlib1g                    1:1.2.8.dfsg-5

firefox-esr recommends no packages.

Versions of packages firefox-esr suggests:
ii  fonts-lmodern          2.004.5-3
ii  fonts-stix [otf-stix]  1.1.1-4
ii  libcanberra0           0.30-6
ii  libgssapi-krb5-2       1.16-1
pn  mozplugger             <none>

-- no debconf information

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

--- End Message ---

--- Begin Message ---

On Sun, Jan 21, 2018 at 06:33:00PM +0000, Viktor Jägersküpper wrote:
> On Sat, 20 Jan 2018 11:30:56 +0100 Vincent Lefevre <vinc...@vinc17.net>
> wrote:
> > (...)
> > As a temporary and insecure workaround, I can avoid this error by
> > setting security.OCSP.require to false, even though the error was
> > not about OCSP.
> 
> Hello Vincent,
> 
> this is not a bug in Firefox (ESR). See this thread (works in Firefox
> only with "security.OCSP.require" set to "false" at the moment):
> https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/MMO3HSYghwQ/XLRuxWtJAwAJ
> 
> The Google engineers are working on fixing this issue, so that this OCSP
> setting can be set to "true" again.

And they apparently fixed it now.

Mike

--- End Message ---