[Bug 1647285] Re: SSL trust not system-wide
Timo Aaltonen
tjaalton at ubuntu.com
Thu Mar 19 09:28:58 UTC 2020
according to #4 nss should still symlink libnssckbi.so to p11-kit-
trust.so
** Changed in: nss (Ubuntu)
Status: Fix Released => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to p11-kit in Ubuntu.
https://bugs.launchpad.net/bugs/1647285
Title:
SSL trust not system-wide
Status in ca-certificates package in Ubuntu:
Confirmed
Status in firefox package in Ubuntu:
New
Status in nss package in Ubuntu:
Confirmed
Status in p11-kit package in Ubuntu:
Fix Released
Status in thunderbird package in Ubuntu:
Confirmed
Bug description:
When I install a corporate CA trust root with update-ca-certificates,
it doesn't seem to work everywhere. Various things like Firefox,
Evolution, Chrome, etc. all fail to trust the newly-installed trusted
CA.
This ought to work, and does on other distributions. In p11-kit there
is a module p11-kit-trust.so which can be used as a drop-in
replacement for NSS's own libnssckbi.so trust root module, but which
reads from the system's configured trust setup instead of the hard-
coded version.
This allows us to install the corporate CAs just once, and then file a
bug against any package that *doesn't* then trust them.
See https://fedoraproject.org/wiki/Features/SharedSystemCertificates
for some of the historical details from when this feature was first
implemented, but this is all now supported upstream and not at all
distribution-specific. There shouldn't be any significant work
required; it's mostly just a case of configuring and building it to
make use of this functionality. (With 'alternatives' to let you
substitute p11-kit-trust.so for the original NSS libnssckbi.so, etc.)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1647285/+subscriptions
More information about the foundations-bugs
mailing list