Opened 3 months ago

Closed 3 months ago

#32156 closed defect (wontfix)

NSS Internal PKCS#11 Module out of date in TOR 8.5.5 causing invalid certificate RSS failures

Reported by: cypherpunks Owned by: tbb-team
Priority: Medium Milestone:
Component: Applications/Tor Browser Version:
Severity: Normal Keywords: PKCS RSS
Cc: Actual Points:
Parent ID: Points:
Reviewer: Sponsor:

Description

TOR 8.5.5 is based on Mozilla Firefox 60.9.0esr (32-bit)
The latest version of NON-TOR (64 bit windows) Firefox is Ver 69.0.3

The PKCS#11 Module included with the TOR version of firefox is now out of date.
The version of PKCS #11 used by the latest version of Firefox is 3.45
The version reported by TOR is 3.36

This newer version of PKCS #11 includes the many Cert issuers in it's list of trusted authorities that the current Tor version of Firefox DOES NOT.

This leads to users experiencing security errors when trying to access properly configured sites with valid certs under TOR that work properly for them outside the TOR system:

====<error message>====
Your connection is not secure

The owner of "sitename.com" has configured their website improperly. To protect your information from being stolen, Tor Browser has not connected to this website.
=======================

Child Tickets

Change History (2)

comment:1 Changed 3 months ago by arma

Component: - Select a componentApplications/Tor Browser
Owner: set to tbb-team
Version: Tor: unspecified

Can you test the alpha Tor Browser and see if this issue remains there?

Assuming it's fixed in the alpha tor browser (which is based on a newer firefox esr), my guess is that the tor browser devs will want to close this one as wontfix, since the alpha is going to become the new stable in the next week or so.

Thanks!

comment:2 Changed 3 months ago by gk

Resolution: wontfix
Status: newclosed

We follow the Firefox ESR release cycle and that means we have the latest NSS code designed for that series included. Yes, that means websites relying on newer root certificates may show the security error you are seeing. There is not much we can do here apart from moving to the regular Firefox release train which is planned for the near future.

Note: See TracTickets for help on using tickets.