** Tags removed: server-triage-discuss
--
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to thunderbird in Ubuntu.
https://bugs.launchpad.net/bugs/1647285
Title:
SSL trust not system-wide
Status in ca-certificates package in Ubuntu:
Conf
** Tags added: server-triage-discuss
--
** Changed in: thunderbird (Ubuntu)
Assignee: Olivier Tilloy (osomon) => (unassigned)
** Changed in: firefox (Ubuntu)
Assignee: Olivier Tilloy (osomon) => (unassigned)
--
Related: https://bugs.launchpad.net/ubuntu/+source/crypto-policies/+bug/1926664
(I might create a task here for crypto-policies and close the bug above)
--
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: sssd (Ubuntu)
Status: New => Confirmed
--
Also adding SSSD here, would be easy enough to make its default PAM CA
ring point to /etc/ssl/certs/ca-certificates.crt by default (and
changeable in settings) but not sure if we want to go this route as it
may make SSSD documentation confusing (as it everywhere mentions
/etc/sssd/pki/sssd_auth
Unfortunately, the ! character at the beginning of the line in
ca-certificates.conf is just for blacklisting ca certificates from being
imported into the system store, it's not really a blacklist that can be
used by a crypto library.
--
So for the avoidance of doubt, every independent distro has its own
custom ca-certificates package with no shared history. I know Debian,
Fedora, and openSUSE all have their own completely separate upstreams.
Looking at what Fedora does is probably a good idea indeed, just keep in
mind it has no sh
Looks like Fedora substantially modified the scripts used by
ca-certificates to extract untrusted and blacklisted certs. We should
probably start by investigating how their package is handling this, what
files they are generating, and if they are being properly handled by
p11-kit-trust.
--
so what does it require to fix ca-certificates?
--
Before we switch any software to using p11-kit-trust.so, we need to fix
our ca-certificates package to properly handle untrusted or blacklisted
certificates. At the moment, I believe they are simply skipped when
generating the contents of /usr/share/ca-certificates.
--
On Thu, 2020-03-19 at 09:44 +, Olivier Tilloy wrote:
> It looks like symlinking firefox and thunderbird's own copies of
> libnssckbi.so to the system-wide p11-kit-trust.so is the proper way to
> fix this bug, as far as Mozilla's products are concerned.
>
> Before I proceed to doing this, I'd w
It looks like symlinking firefox and thunderbird's own copies of
libnssckbi.so to the system-wide p11-kit-trust.so is the proper way to
fix this bug, as far as Mozilla's products are concerned.
Before I proceed to doing this, I'd welcome comments from the security
team on this approach though, as
according to #4 nss should still symlink libnssckbi.so to
p11-kit-trust.so
** Changed in: nss (Ubuntu)
Status: Fix Released => Confirmed
--
p11-kit too
** Changed in: p11-kit (Ubuntu)
Status: Confirmed => Fix Released
--
nss should have everything on focal
** Also affects: firefox (Ubuntu)
Importance: Undecided
Status: New
** Changed in: nss (Ubuntu)
Status: Confirmed => Fix Released
--
Like others, I'm manually symlinking .so files on all of my interactive
hosts and hoping updates don't break it. IMO this is not a valid
workaround.
@ahasenack - I understand this is a roadmap item that would ideally
resolve for multiple packages, but it seems that the Mozilla products
are the wor
@dwmw2,
I figured out the issue. Long story short, FreeIPA (which is our CA),
when we enroll a PC into the realm, it adds the FreeIPA cert to
/etc/ssl/certs/ca-certificates.crt like it should, however it also adds
other information that it shouldn't.
This results in p11-kit-trust.so blowing parsi
@kvasko yes, it works here. Are you sure that's the version of
libnssckbi.so that is being used? There are lots; I've replaced them
all...
--
should this be marked as something to fix in focal for the next LTS?
--
@dwmw2
Were you able to make this work by doing this for firefox?
sudo mv /usr/lib/firefox/libnssckbi.so /usr/lib/firefox/libnssckbi.so.bak
sudo ln -s /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/firefox/libnssckbi.so
https://askubuntu.com/questions/244582/add-certificate-authorit
This isn't "just" a bug, it's a roadmap item in my view, as many
products are affected. It needs a spec, like in the Fedora case. I agree
that it would be awesome to have this.
--
I'm trying to make use of this in Ubuntu 14.04 with p11-kit
0.23.2-5~ubuntu16.04.1, but get the following error:
# trust list
p11-kit: ca-certificates.crt: BEGIN ...: pem block before p11-kit section header
p11-kit: ca-certificates.crt: BEGIN ...: pem block before p11-kit section header
Is p11-ki
No progress on this yet, afaik it is just not high up on anyone's
personal task list :-/
--
Wow, unified CA management would be awesome. No more fiddling around
with (and forgetting to correctly install/remove certificates in)
various applications (most notably in Firefox, Chromium, wget).
--
Any progress on fixing this?
--
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: ca-certificates (Ubuntu)
Status: New => Confirmed
--
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: thunderbird (Ubuntu)
Status: New => Confirmed
--
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: p11-kit (Ubuntu)
Status: New => Confirmed
--
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: nss (Ubuntu)
Status: New => Confirmed
--
cf. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741005
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704180
https://lists.freedesktop.org/archives/p11-glue/2013-June/000331.html
** Bug watch added: Debian Bug tracker #741005
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741005
**
I believe NSS wants these patches backported from 3.30:
https://bugzilla.mozilla.org/show_bug.cgi?id=1334976
Firefox has its own copy of NSS which I think as of Firefox 54 should be fine.
Thunderbird also needs fixing, I think.
** Bug watch added: Mozilla Bugzilla #1334976
https://bugzilla.moz