[Bug 1647285] Re: SSL trust not system-wide

Marc Deslauriers marc.deslauriers at canonical.com
Tue Mar 24 15:46:01 UTC 2020


Looks like Fedora substantially modified the scripts used by
ca-certificates to extract untrusted and blacklisted certs. We should
probably start by investigating how their package is handling this, what
files they are generating, and if they are being properly handled by
p11-kit-trust.

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to p11-kit in Ubuntu.
https://bugs.launchpad.net/bugs/1647285

Title:
  SSL trust not system-wide

Status in ca-certificates package in Ubuntu:
  Confirmed
Status in firefox package in Ubuntu:
  Confirmed
Status in nss package in Ubuntu:
  Confirmed
Status in p11-kit package in Ubuntu:
  Fix Released
Status in thunderbird package in Ubuntu:
  Confirmed

Bug description:
  When I install a corporate CA trust root with update-ca-certificates,
  it doesn't seem to work everywhere. Various things like Firefox,
  Evolution, Chrome, etc. all fail to trust the newly-installed trusted
  CA.

  This ought to work, and does on other distributions. In p11-kit there
  is a module p11-kit-trust.so which can be used as a drop-in
  replacement for NSS's own libnssckbi.so trust root module, but which
  reads from the system's configured trust setup instead of the
  hard-coded version.

  This allows us to install the corporate CAs just once, and then file a
  bug against any package that *doesn't* then trust them.

  See https://fedoraproject.org/wiki/Features/SharedSystemCertificates
  for some of the historical details from when this feature was first
  implemented, but this is all now supported upstream and not at all
  distribution-specific. There shouldn't be any significant work
  required; it's mostly just a case of configuring and building it to
  make use of this functionality. (With 'alternatives' to let you
  substitute p11-kit-trust.so for the original NSS libnssckbi.so, etc.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1647285/+subscriptions
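
One way to audit the drop-in arrangement the bug description refers to, as an added example that is not part of the bug report or of any package's scripts: it lists every libnssckbi.so under the directories you pass and reports whether each resolves, through any symlink chain such as alternatives, to p11-kit-trust.so. The function names and the choice to identify the module by its resolved file name are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the bug report): which libnssckbi.so copies
# resolve to p11-kit-trust.so, and which are still standalone copies?

# classify_nssckbi FILE -> prints "p11-kit" or "builtin".
# Assumption: the module is identified by its resolved file name.
classify_nssckbi() {
    # readlink -f follows the whole symlink chain, e.g. through alternatives.
    target=$(readlink -f "$1" 2>/dev/null) || target=$1
    case "$(basename "$target")" in
        p11-kit-trust.so) echo "p11-kit" ;;
        *)                echo "builtin" ;;
    esac
}

# audit_nss_trust DIR... -> one "<class><TAB><path>" line per copy found.
# Returns 1 if any copy does not resolve to p11-kit-trust.so.
audit_nss_trust() {
    rc=0
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        class=$(classify_nssckbi "$f")
        printf '%s\t%s\n' "$class" "$f"
        [ "$class" = "p11-kit" ] || rc=1
    done <<EOF
$(find "$@" -name 'libnssckbi.so' 2>/dev/null | sort)
EOF
    return "$rc"
}

# Run only when directories are given on the command line.
if [ "$#" -gt 0 ]; then
    audit_nss_trust "$@"
fi
```

A line marked `builtin` is a copy that would not pick up a CA installed into the system trust setup, such as a library bundled inside an application's own directory.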