On Thu, 2020-03-19 at 09:44 +0000, Olivier Tilloy wrote: > It looks like symlinking firefox and thunderbird's own copies of > libnssckbi.so to the system-wide p11-kit-trust.so is the proper way to > fix this bug, as far as Mozilla's products are concerned. > > Before I proceed to doing this, I'd welcome comments from the security > team on this approach though, as I suspect I don't understand all the > implications. > > (an alternative would be building firefox/thunderbird against the > system-wide nss, but firefox currently requires 3.50, which isn't yet in > focal, and I suspect that requirement is being bumped often, so that > wouldn't really work with our distribution model)
Right, don't bother trying to replace NSS just for this (although really, having a single version of NSS on the system *would* be nice). The interface to libnssckbi.so is a standard PKCS#11 library, and it's perfectly reasonable to replace that in each of firefox/thunderbird/chromium individually. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to thunderbird in Ubuntu. https://bugs.launchpad.net/bugs/1647285 Title: SSL trust not system-wide Status in ca-certificates package in Ubuntu: Confirmed Status in firefox package in Ubuntu: Confirmed Status in nss package in Ubuntu: Confirmed Status in p11-kit package in Ubuntu: Fix Released Status in thunderbird package in Ubuntu: Confirmed Bug description: When I install a corporate CA trust root with update-ca-certificates, it doesn't seem to work everywhere. Various things like Firefox, Evolution, Chrome, etc. all fail to trust the newly-installed trusted CA. This ought to work, and does on other distributions. In p11-kit there is a module p11-kit-trust.so which can be used as a drop-in replacement for NSS's own libnssckbi.so trust root module, but which reads from the system's configured trust setup instead of the hard- coded version. This allows us to install the corporate CAs just once, and then file a bug against any package that *doesn't* then trust them. See https://fedoraproject.org/wiki/Features/SharedSystemCertificates for some of the historical details from when this feature was first implemented, but this is all now supported upstream and not at all distribution-specific. There shouldn't be any significant work required; it's mostly just a case of configuring and building it to make use of this functionality. (With 'alternatives' to let you substitute p11-kit-trust.so for the original NSS libnssckbi.so, etc.) To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1647285/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
