Firefox 78.0-1/Arm64 has broken http/2 support; no website can load

I'm running KDE/Plasma Arm64 for the Pinebook Pro. Package Firefox 78.0-1 which was released earlier today fails loading anything from web servers using http/2, failing with NS_ERROR_NET_INADEQUATE_SECURITY, even when the web server in question offers only high security TLS1.2 and TLS1.3 ciphersuites. It's as if the package contains a broken "cipher blacklist" or as if it refuses to downgrade to http/1.1.

It cannot open google.com. It cannot open duckduckgo.com. It cannot open anything.

The workaround for now was that I disabled http/2 by changing network.http.spdy.enabled.http2 in the config.


Moved this to the Manjaro ARM - Tech Issues forum.

I can confirm the same on my VIM3 (stable branch). Somehow I did not get the Firefox 78 update on my PBP (testing branch).

@strit - was this pushed to the stable branch early?

We didn't change anything to the config in this build, so if something is "wrong" it's a change Mozilla made in this release. I know they changed something relating to TLS.

I always push Firefox updates to all branches at the same time, since they usually have security fixes.

The only real change to the 78.0 package compared to the 77.0.1 package is that it's now using python3 instead of python2 to build it.


Seems to possibly be a dependency problem with the nss package.

I upgraded the nss package to version 3.54 and Firefox 78 goes back to working fine.

Okay. I will have to push that to stable then.

Just pushed nss 3.54 to testing and stable branch. Hopefully this fixes it.


It does! A simple system update fixes Firefox not loading any website with the NS_ERROR_NET_INADEQUATE_SECURITY error. You guys are awesome, thank you!

Just installed the new nss (and the new Mozilla CA certs) and things are working again without my workaround. Thanks for quick help, @Strit and @yosukemat!


I'm on arm-stable and after updating the package database the available version of nss is still nss-3.53.1-1.

Your mirror probably has not synced yet.


Right. Got nss and certificates from a different mirror. Thanks :)

A little off topic but had the same issue on my x86 with this firefox upgrade and had to compile nss 3.54 to fix it also which resulted in 2 new packages:

nss-3.54-1-x86_64.pkg.tar.xz
ca-certificates-mozilla-3.54-1

I didn't have this issue with my update on x86. But good to know. :)

I could go to a lot of places but could not log in to my bank.

Ah okay. Maybe I just haven't visited a site with the issue yet. Although the OP issue was also present on Google and the like.

My issue was a little different but boiled down to the same fix.
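
As an added example (not from any poster in this thread or from Manjaro's tooling): a shell check that tells whether the installed nss is at least the 3.54 release reported above as fixing Firefox 78, which also catches the stale-mirror case where pacman still offers nss-3.53.1-1. The 3.54 threshold is taken from the posts; the function names are illustrative.

```shell
#!/bin/sh
# Added example: compare an nss package version against the 3.54 release
# that this thread reports as fixing Firefox 78.
# Assumption: "3.54" as the minimum comes from the posts above, not from
# Mozilla documentation. Function names are illustrative.

REQUIRED_NSS="3.54"

# Strip pacman's epoch ("1:") and pkgrel ("-1") so only the upstream
# version remains, e.g. "3.53.1-1" -> "3.53.1".
upstream_version() {
    v=${1#*:}
    printf '%s\n' "${v%-*}"
}

# Return 0 when version $1 >= $2. sort -V orders components numerically,
# so 3.100 ranks above 3.54 (a plain string compare would get that wrong).
version_ge() {
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$2" ]
}

# Print a verdict for a "pacman -Q nss"-style version string;
# return 1 when the package is older than the required release.
check_nss() {
    up=$(upstream_version "$1")
    if version_ge "$up" "$REQUIRED_NSS"; then
        echo "ok: nss $up >= $REQUIRED_NSS"
    else
        echo "outdated: nss $up < $REQUIRED_NSS (sync mirrors, then update)"
        return 1
    fi
}

# On a pacman system, check the live package; otherwise run on
# constructed sample versions (both version strings appear in the thread).
if command -v pacman >/dev/null 2>&1; then
    check_nss "$(pacman -Q nss 2>/dev/null | awk '{print $2}')" || true
else
    check_nss "3.53.1-1" || true
    check_nss "3.54-1" || true
fi
```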
