Re: firefox palemoon waterfox baselisk problem, not on chromium
- To: email@example.com
- Subject: Re: firefox palemoon waterfox baselisk problem, not on chromium
- From: Reco <firstname.lastname@example.org>
- Date: Sat, 1 Dec 2018 10:34:59 +0300
- Message-id: <[🔎] E1gSznn-0006m2-UM@enotuniq.net>
- In-reply-to: <20181130230519.3b78c6a1@ryzen>
- References: <20181020021657.305c6788@ryzen> <email@example.com> <firstname.lastname@example.org> <email@example.com> <20181130230519.3b78c6a1@ryzen>
On Fri, Nov 30, 2018 at 11:05:19PM +0100, arne wrote:
> On Sat, 20 Oct 2018 10:27:19 +0300
> Reco <firstname.lastname@example.org> wrote:
> > > > > Any ideas what can be the solution?
> > > >
> > > > A better question would be - what's the actual problem.
> > > > 'Secure Connection Failed' can refer to many things, such as
> > > > certificate/domain mismatch, certificate expiration, wrong TLS
> > > > protocol version etc.
> > > > Any Modern Browser™ hides these details from you, so Firefox (for
> > > > instance) itself is hardly suited for the troubleshooting.
> > > >
> > > > So I propose this for starters:
> > > >
> > > > openssl s_client -connect www.google.com:443
> > >
> > > Is this something about google enforcing https everywhere ?
> > That's a part of the problem, of course. Plain HTTP does not have
> > these kind of problems (but there are another ones and HTTPS was
> > invented to solve these).
> > But I don't have any useful information (yet) to even start
> > suspecting something.
> # openssl s_client -connect www.youtube.com:443
> 0 s:/C=US/ST=California/L=Mountain View/O=Google LLC/CN=*.google.com
> i:/C=US/O=Google Trust Services/CN=Google Internet Authority G3
> New, TLSv1.2, Cipher is ECDHE-RSA-CHACHA20-POLY1305
Long story short, it should work.
A certificate is valid, an expiration date is not met, hostname matches
'X509v3 Subject Alternative Name' section, etc.
> palemoon gives:
> Secure Connection Failed
But since it does not, there are the following possibilities:
1) palemoon's embedded libnss cannot cope with chacha20 encryption
There's nothing you can do here. Upgrading palemoon (and therefore
upgrading its libnss) can help. Or not.
2) palemoon's embedded trusted certificate store does not contain this
certificate: CN=GlobalSign,O=GlobalSign,OU=GlobalSign Root CA - R2.
Highly unlikely, but possible.
Importing certificate may help.
To clarify things further, a traffic dump is needed.
1) Run as root:
tcpdump -w /tmp/pale.pcap -s0 -ni any tcp port 443 or udp port 53
2) Run as user:
3) Terminate palemoon. Terminate tcpdump.