Comment # 11 on bug 1071298 from Moritz Duge

(In reply to Wolfgang Rosenauer from comment #10)
> I'm pretty sure I've got the right packages installed to test. But I only
> was able to look at the certificate module manager. For some reason my
> cacert access is not working anyway. Firefox is telling me that the
> algorithms are disabled for security reasons.

You're getting this error?

| Your connection is not secure
| [...]
| ADVANCED
| secure.cacert.org uses an invalid security certificate. The certificate is
| not trusted because it was signed using a signature algorithm that was
| disabled because that algorithm is not secure. Error code:
| SEC_ERROR_CERT_SIGNATURE_ALGORITHM_DISABLED

That actually seems to be an misconfiguration by CaCert or maybe it's a
misunderstanding by Firefox, because the CaCert root CA isn't in Firefox by
default and uses MD5 (for a root CA itself it's still OK to use MD5, but
Firefox just doesn't know, that CaCert is a root CA).
Just click ADD_EXCEPTION and disable PERMANENTLY_STORE_THIS_EXCEPTION for the
moment.


> But if I understand you correctly:
> The TW version from mozilla works on 42.3 correctly while the 42.3 version
> on TW and 42.3 does not, right?

Yes!
Like that.


> Both are built from the same sources and spec so a guess would be some
> miscompilation.
> Have you also switched all the NSS packages or just Firefox?

For both tests (Firefox for TW on 42.3 and Firefox for 42.3 on TW) I installed
all the NSS packages from mozilla. Actually I switched every required package
to the mozilla repo, if available from that repo.

MozillaFirefox
MozillaFirefox-branding-openSUSE
kmozillahelper
libfreebl3
libnsssharedhelper0
libsoftokn3
mozilla-nspr
mozilla-nspr-devel
mozilla-nss
mozilla-nss-devel
mozilla-nss-certs


The only idea I'm currently having:
Maybe Firefox-57 (or one of the just listed packages) needs to be build against
libz1 >= 1.2.9 (TW has libz1-1.2.11)!?
Because on 42.3 I needed to update libz1 from 1.2.8 to >= 1.2.9 to make
Firefox-57 work.