[Bug 1647285] Re: SSL trust not system-wide
dwmw2
dwmw2 at infradead.org
Thu Mar 19 11:07:01 UTC 2020
On Thu, 2020-03-19 at 09:44 +0000, Olivier Tilloy wrote:
> It looks like symlinking firefox and thunderbird's own copies of
> libnssckbi.so to the system-wide p11-kit-trust.so is the proper way to
> fix this bug, as far as Mozilla's products are concerned.
>
> Before I proceed to doing this, I'd welcome comments from the security
> team on this approach though, as I suspect I don't understand all the
> implications.
>
> (an alternative would be building firefox/thunderbird against the
> system-wide nss, but firefox currently requires 3.50, which isn't yet in
> focal, and I suspect that requirement is being bumped often, so that
> wouldn't really work with our distribution model)

Right, don't bother trying to replace NSS just for this (although
really, having a single version of NSS on the system *would* be nice).
The interface to libnssckbi.so is a standard PKCS#11 library, and it's
perfectly reasonable to replace that in each of
firefox/thunderbird/chromium individually.
--
https://bugs.launchpad.net/bugs/1647285
Title:
  SSL trust not system-wide

Status in ca-certificates package in Ubuntu:
  Confirmed
Status in firefox package in Ubuntu:
  Confirmed
Status in nss package in Ubuntu:
  Confirmed
Status in p11-kit package in Ubuntu:
  Fix Released
Status in thunderbird package in Ubuntu:
  Confirmed

Bug description:
  When I install a corporate CA trust root with update-ca-certificates,
  it doesn't seem to work everywhere. Various things like Firefox,
  Evolution, Chrome, etc. all fail to trust the newly-installed trusted
  CA.

  This ought to work, and does on other distributions. In p11-kit there
  is a module p11-kit-trust.so which can be used as a drop-in
  replacement for NSS's own libnssckbi.so trust root module, but which
  reads from the system's configured trust setup instead of the
  hard-coded version.

  This allows us to install the corporate CAs just once, and then file a
  bug against any package that *doesn't* then trust them.

  See https://fedoraproject.org/wiki/Features/SharedSystemCertificates
  for some of the historical details from when this feature was first
  implemented, but this is all now supported upstream and not at all
  distribution-specific. There shouldn't be any significant work
  required; it's mostly just a case of configuring and building it to
  make use of this functionality. (With 'alternatives' to let you
  substitute p11-kit-trust.so for the original NSS libnssckbi.so, etc.)
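
An audit for the approach discussed in this thread, added here as an example and not taken from the thread or from any Ubuntu package: it finds each private libnssckbi.so under the directories you pass in and reports whether it resolves to p11-kit-trust.so. The function names and the match on the resolved file name are assumptions of this example; the directories to scan are supplied by the caller.

```shell
#!/bin/sh
# Added example: audit private copies of NSS's trust module.
# Usage: sh audit.sh DIR...   (directories are chosen by the caller)

# classify_trust_module PATH -> prints one of:
#   p11-kit  : PATH resolves to a file named p11-kit-trust.so
#   bundled  : PATH is NSS's own module (regular file, or a link elsewhere)
#   dangling : PATH is a symlink whose target does not exist
# Assumption: the check is on the resolved file name only; it does not
# verify that the target is the genuine p11-kit module.
classify_trust_module() {
    if [ -L "$1" ] && [ ! -e "$1" ]; then
        echo dangling
        return
    fi
    target=$(readlink -f -- "$1") || { echo dangling; return; }
    case "$(basename -- "$target")" in
        p11-kit-trust.so) echo p11-kit ;;
        *)                echo bundled ;;
    esac
}

# audit_trust_modules DIR... -> one "STATE<TAB>PATH" line per libnssckbi.so.
# Returns non-zero if any copy found does not resolve to p11-kit-trust.so,
# i.e. that application still uses its hard-coded trust roots.
audit_trust_modules() {
    rc=0
    list=$(find "$@" -name libnssckbi.so \( -type f -o -type l \) \
               2>/dev/null | sort)
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        state=$(classify_trust_module "$path")
        printf '%s\t%s\n' "$state" "$path"
        [ "$state" = p11-kit ] || rc=1
    done <<EOF
$list
EOF
    return "$rc"
}

# Run the audit only when directories were given on the command line.
if [ "$#" -gt 0 ]; then
    audit_trust_modules "$@"
fi
```

A non-zero exit status makes the script usable as a packaging or CI check for applications that ship their own NSS.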