Updating system certificates requires rebuild
Affects | Status | Importance | Assigned to | Milestone | |
---|---|---|---|---|---|
Mozilla Firefox |
Won't Fix
|
Medium
|
|||
firefox (Fedora) |
Won't Fix
|
Medium
|
|||
firefox (Ubuntu) |
Triaged
|
Wishlist
|
Unassigned |
Bug Description
Binary package hint: firefox
Hi,
Updating the list of trusted root certificate authorities across all users of a system seems requires rebuilding a library. Non-root certificates may similarly be impacted.
update-
On a corporate install of firefox, currently the only options to adding an internal root certificate authority are to:
* Hack it into the user creation script to extract a pre-created profile, and update all the existing users profile directory. This bypasses the random profile directory creation.
* Re-compile the shared library (.so) containing the root certificate authorities (extra maintenance for dealing with ubuntu package updates).
* Have every user of the system go through a manual process of adding the root certificate (most users don't know how).
* Use a plugin extension for firefox (do any exist?) that is automatically used by all users (can this be done?)
* Have the root certificate signed at great expense by an external root certificate authority already included. CaCert integration would lower the cost but that seems far away, and is still an external authority. These root certificates also might be limited to a single domain (wildcard certificate?) or have other limitations ("low" expiry?, contractual restrictions...).
It seems unlikely that Mozilla will move away from having the root certificates stored in the shared library as it would take some control away from them. The shared libary method makes it harder for malicious changes to be made, but only by adding the barier of recompilation and installation of a shared library.
Thanks,
Drew Daniels
Resume: http://
In Red Hat Bugzilla #546221, David (david-redhat-bugs) wrote : | #24 |
There is a system-wide NSS db in /etc/pki/nssdb. I have added my company's internal CA certificates there.
However, firefox still doesn't trust our internal web sites. It doesn't seem to be using the system database.
In Red Hat Bugzilla #546221, Martin (martin-redhat-bugs) wrote : | #25 |
I don't believe it's a firefox bug...
In Red Hat Bugzilla #546221, David (david-redhat-bugs) wrote : | #26 |
I tried installing the nss-sysinit package and installing certs with 'certutil -d /etc/pki/nssdb'. But it doesn't seem to make any difference -- neither Evolution nor Firefox seem to know anything about these certificates.
/proc/$PID/maps seems to suggest that they don't have /usr/lib64/
In Red Hat Bugzilla #546221, David (david-redhat-bugs) wrote : | #27 |
Test procedure... First we fetch a signing cert (just an example; it doesn't matter which it is), import it into a new application-
All is well so far...
[root@macbook dwmw2]# curl -k https:/
% Total % Received % Xferd Average Speed Time Time Time Current
102 2569 102 2569 0 0 10740 0 --:--:-- --:--:-- --:--:-- 51380
[root@macbook dwmw2]# mkdir /tmp/nssdb
[root@macbook dwmw2]# certutil -d /tmp/nssdb -t TC,TC,TC -E -i cacert.crt -n cacert
[root@macbook dwmw2]# /usr/lib64/
subject DN: <email address hidden>
issuer DN: <email address hidden>,CN=CA Cert Signing Authority,OU=http://
0 cache hits; 1 cache misses, 0 cache not reusable
0 stateless resumes
^C
[root@macbook dwmw2]# certutil -d /tmp/nssdb -D -n cacert
[root@macbook dwmw2]# /usr/lib64/
tstclnt: read from socket failed: Peer's Certificate issuer is not recognized.
In Red Hat Bugzilla #546221, David (david-redhat-bugs) wrote : | #28 |
And this shows the failure... this one ought to _work_, surely?
[root@macbook dwmw2]# setup-nsssysinit.sh on
[root@macbook dwmw2]# certutil -d /etc/pki/nssdb -t TC,TC,TC -E -i cacert.crt -n cacert
[root@macbook dwmw2]# /usr/lib64/
tstclnt: read from socket failed: Peer's Certificate issuer is not recognized.
The issuer _should_ be recognised -- I just added it to the system database!
It's not just tstclnt that fails; evolution and firefox fail too.
curl does work, but I think that's because it actually uses /etc/pki/nssdb as its "application" database.
In Red Hat Bugzilla #546221, Kamil (kamil-redhat-bugs) wrote : | #29 |
The behavior looks slightly similar to bug 545779. Could you please try the patch from there (including the change from comm. #20)?
In Red Hat Bugzilla #546221, David (david-redhat-bugs) wrote : | #30 |
You mean just the patch to nsssysinit.c in comm. #18, with the extra one-liner?
I built that and installed the resulting libnsssysinit.so library. But when I run 'tstclnt' as described, the atime on the library doesn't change -- it isn't even being loaded. The atime on /etc/pki/
Are you able to reproduce the problem using the commands given above? It should be fairly simple.
In Red Hat Bugzilla #546221, David (david-redhat-bugs) wrote : | #31 |
I've been playing with this, and reading the documentation at
https:/
Apparently, you're supposed to initialise NSS with /etc/pki/nssdb specified as the database directory (which firefox and evolution aren't doing), and then the pkcs11.txt file there is supposed to magically add your ~/.pki/nssdb directory too.
That mostly does actually seem to work, with the caveat that I have to run 'setup-
As a normal user, I have to run 'certutil -d ~/.pki/nssdb -N' before I can import any _personal_ certs to my own store. And once I've done that, 'certutil -L -d /etc/pki/nssdb' doesn't show any of the system-wide certs. But they _do_ work.
So, I think the biggest problem is that the various tools aren't using sql:/etc/pki/nssdb as their database directory as they should? They'll probably want some kind of migration tool too.
In Red Hat Bugzilla #546221, Elio (elio-redhat-bugs) wrote : | #32 |
Bob wrote this when we where testing system nss back in 3.12.4. There written by Bob and I have tried to update them for 3.12.5 and must warn you that there may be some errors. Part 2 should be what you need to trick Firefox/Thunderbird into using the the sahred database.
Part 1: Enabling system NSS (for 3.12.4 not needed for 3.12.5)
1) As root examine /etc/pki/nssb. If the databases are legacy (secmod.db, key3.db and cert8.db) but no shared db's (pkcs11.txt, key4.db and cer8.db) you the need steps 2, 3 and 4.
2) As root run certutil -K -X -d sql:/etc/pki/nssdb (this will create sql db's
from the local dbm database).
3) as yourself, in your .bashrc or .cshrc (or whatever shell you use) add:
export NSS_DEFAULT_
[ for csh/tcsh that sould be setenv 'NSS_DEFAULT_
4) as yourself (not as root!!!) execute 'certutil -N -d sql:/etc/
you supply a password, this password will eventually become your new
firefox/thunderbird master password.
Part 2: Convince Firefox, Seamonkey, Xulrunner and Thunderbird to use
system NSS. Firefox and Thunderbird still use private directories to
store their NSS databases. It's possible, however, to convince them to
open system NSS. All these steps should be performed as a user. In the
future these applications would handle these steps by themselves
automatically.
Do each of the following steps in each of the profile directories for
which you wish to use system NSS in. Firefox, thunderbird, and seamonkey
each have their own directories and can have multiple profiles (if you
don't know what a profile is, you probably only have one per
application). You can the base of the profile directories for firefox at
~/.mozilla/firefox and thunderbird at ~/.thunderbird. In that base
directory there is a file called 'profiles.ini' which lists all the
profiles that are known for that application. For each profile there's a
line called 'Path=' which points to the actual profile directory.
Usually it's a subdirectory under the current directory and has a random
'salted' name like 'quxz7me5.default'. do the following instructions
while cd'd to that directory:
1) certutil -K -X -d sql:.
(if you have a master password set, You'll have to provide it here).
This will create a new sql database from your old dbm database.
2) certutil --merge -d sql:~/.pki/nssdb --source-dir sql:.
(if you have a password set on sql:~/.pki/nssdb (from step 4 above),
You'll have to provide it here. If that password is different from the
master password for the profile, you'll also have to supply the profile
password. If ~/.pki/nssdb has to password, but the profile database
does, ~/.pki/nssdb will inherit that password (which you will then need
on future instances of this step). If you want to change that password
use 'certutil -N -d sql:~/.pki/nssdb'. Supplying an empty password will
remove any password.
2) edit pkcs11.txt
2a) in the 'NSS Internal PKCS #11 Module' stanza. change:
parameters=
..... Flags=internal,
to
parameters
Flags=internal,
NOTE: the ... ...
In Red Hat Bugzilla #546221, David (david-redhat-bugs) wrote : | #33 |
That doesn't seem to work. It adds the database specified by getUserDb(), and then it the database specified by the app (~/.mozilla/
It never actually _does_ add the db specified by getSystemDb().
If I change the get_list() function in nssysinit.c to ignore what the app is asking for and just initialise the userdb and the sysdb, then everything works as expected.
This is my pkcs11.txt file from my firefox config directory:
[dwmw2@macbook b8v9tyu0.default]$ cat pkcs11.txt
library=
name=NSS Internal PKCS #11 Module
parameters=
NSS=Flags=
In Red Hat Bugzilla #546221, David (david-redhat-bugs) wrote : | #34 |
Created attachment 378063
patch
Working patch (including the patch from bug #545799). Note:
if (filename && 0 /* This doesn't actually work. If we register
both this and the sysdb (in either order)
then only one of them actually shows up */) {
In Red Hat Bugzilla #546221, David (david-redhat-bugs) wrote : | #35 |
Created attachment 378124
firefox patch
We need a patch along these lines in firefox to make it use sql:/etc/pki/nssdb rather than initialising its own database. The instructions on the wiki are all very well for testing, but this ought to be the default behaviour (if nss-sysinit is installed). Untested, and maybe it ought to fall back to the profile directory if /etc/pki/nssdb fails.
In Red Hat Bugzilla #546221, David (david-redhat-bugs) wrote : | #36 |
Created attachment 378127
evolution patch
And something like this should do it for evolution-
In Red Hat Bugzilla #546221, Bob (bob-redhat-bugs) wrote : | #37 |
Comment on attachment 378063
patch
r+
I need to look into why the additional directory is not getting initialized (there should be no limit to adding more directories here.
In Red Hat Bugzilla #546221, Bob (bob-redhat-bugs) wrote : | #38 |
RE the firefox and evolution patches...
These patches just move to the sql light DB's without moving the contents of the old DB's. This can be done with certutil by hand using the --merge or the --update-merge flag, or it can be done in the application itself. There's an NSS init command which will automatically check to see if an old database has been merged, and if not initiate the steps to merge that database. If the old database has already been merged, or does not exist, the init call functions just like any other NSS init call.
Instructions for how do do this is available here: https:/
Thanks you very much for creating both this bug and these patches David!
bob
In Red Hat Bugzilla #546221, David (david-redhat-bugs) wrote : | #39 |
(In reply to comment #14)
> Instructions for how do do this is available here:
> https:/
I filed https:/
Just to confirm: If the applications are fixed to do the right thing, then my patch in comment #10 is superfluous, right?
I'll open a separate NSS bug for the fact that root can't add certs to sql:/etc/pki/nssdb with certutil (because the new certs end up in /root/.pki/nssdb instead). And reassign this bug to firefox where I believe it belongs.
(should we dupe for xulrunner/
In Red Hat Bugzilla #546221, Fedora (fedora-redhat-bugs) wrote : | #40 |
nss-3.12.5-2.fc12 has been submitted as an update for Fedora 12.
http://
In Red Hat Bugzilla #546221, Elio (elio-redhat-bugs) wrote : | #41 |
(In reply to comment #16) Mistakenly included this bug in nss-3.12.5-2.fc12 bugs fixed list. The r+'ed patch was duly included for its short term benefit. I realize that this bug's request is for Firefox itself to use the system wide system database.
In Red Hat Bugzilla #546221, David (david-redhat-bugs) wrote : | #42 |
We should drop my patch in comment #10 -- it's a dirty hack so that we can trick legacy apps into using the system database, and it's unlikely to be acceptable upstream. We should just fix our apps so that they use the system database properly.
Things are confusing and broken enough already, without adding to it.
In Red Hat Bugzilla #546221, Kai (kai-redhat-bugs) wrote : | #43 |
I'm not clear on the earlier comments in this bug.
If I understand correctly, this bug requests that Firefox should use the root CAs that are installed in the global system location /etc/pki/nssdb
However, a Firefox profile clearly shouldn't use that global database for all certificate that NSS needs to manage, in other words, Firefox still needs a database that is private to the user, whether it's a user-global database (using shared db) or a profile-local database (which is still the default of Firefox).
So, I believe this bug requests some dynamic merge. It probably requests that Firefox should continue to use an NSS database from /home, and merge it with the root CA list stored in /etc
I believe we don't have such a feature yet.
If we want this to happen, it must be implemented upstream, in the Mozilla platform core code.
We'd have to define how the merge shall happen. Both the global /etc and the /home database can contain information regarding to roots. For example, a user can disable trust from builtin roots.
It will require to define the order of preference for conficting trust settings for a single CA.
In Red Hat Bugzilla #546221, David (david-redhat-bugs) wrote : | #44 |
(In reply to comment #19)
> So, I believe this bug requests some dynamic merge. It probably requests that
> Firefox should continue to use an NSS database from /home, and merge it with
> the root CA list stored in /etc
>
> I believe we don't have such a feature yet.
> If we want this to happen, it must be implemented upstream, in the Mozilla
> platform core code.
It _has_ been implemented in upstream NSS already. That's the whole point in the 'shared db' stuff.
In Red Hat Bugzilla #546221, Elio (elio-redhat-bugs) wrote : | #45 |
The request is for Firefox to open the system-wide certificate store as well as its own. That is, take advantage of the nss-sysinit module when available in the the OS - only Fedora at the moment. It would first have to become shared db aware which it isn't yet AFAIK. I guess a review of the nss-sysinit design document at https:/
In Red Hat Bugzilla #546221, David (david-redhat-bugs) wrote : | #46 |
Now fixed in Evolution 2.30 branch and HEAD
In Red Hat Bugzilla #546221, David (david-redhat-bugs) wrote : | #47 |
(In reply to comment #22)
> Now fixed in Evolution 2.30 branch and HEAD
... but see bug 603313.
In Red Hat Bugzilla #546221, David (david-redhat-bugs) wrote : | #48 |
Created attachment 424256
xulrunner patch to make firefox use system nssdb
With the NSS patch I recently added to bug 603313, and this xulrunner patch, I now have firefox properly using the system NSS database (importing the contents of the old DBM database in the profile directory).
If the system database isn't enabled, it should just continue to use the old DBM database.
In Mozilla Bugzilla #449498, dwmw2 (dwmw2) wrote : | #6 |
Created attachment 451345
xulrunner patch to make firefox use system nssdb
It shouldn't be an additional database; the application should open sql:/etc/pki/nssdb _instead_ of its old database. The libnsssysinit.so module automatically handles opening the user's own database in ~/.pki/nssdb as an 'overlay'.
With the NSS bugs fixed as described in https:/
In Red Hat Bugzilla #546221, David (david-redhat-bugs) wrote : | #49 |
This is all basically working now. We should be able to do a Fedora 14 feature for using the system database, and then we can fix bug 466626 (as part of the feature)
In Mozilla Bugzilla #449498, dwmw2 (dwmw2) wrote : | #7 |
Created attachment 451412
revised patch to try system db only on unix
In Mozilla Bugzilla #449498, Kai Engert (kaie) wrote : | #8 |
This bug was initially filed against the NSS component with the expectation to
In Mozilla Bugzilla #449498, Nelson-bolyard (nelson-bolyard) wrote : | #9 |
David, Are you requesting that this patch be reviewed and considered for
inclusion? Or is this merely a "work in progress"?
If you believe this patch is ready for submission, please request that it
be reviewed by <email address hidden>
In Mozilla Bugzilla #449498, dwmw2 (dwmw2) wrote : | #10 |
Comment on attachment 451412
revised patch to try system db only on unix
I think it's ready for inclusion. There are NSS bugs which need to be fixed -- but this part only triggers if the system NSS DB is enabled anyway; if it's not enabled you get the old behaviour.
In Mozilla Bugzilla #449498, Wan-Teh Chang (wtc-google) wrote : | #11 |
Comment on attachment 451412
revised patch to try system db only on unix
Bob Relyea is the best person to review this patch.
Bob, it'd be bad if an application had to read pkcs11.txt
directly and look for "library=
This should be done by the NSS initialization functions.
If we have a good error code that NSS initialization functions
can return to indicate a missing pkcs11.txt unambiguously,
an application can simply try initializing NSS with
"sql:/etc/
directory if it gets that error code.
In Mozilla Bugzilla #449498, dwmw2 (dwmw2) wrote : | #12 |
(In reply to comment #6)
> Bob, it'd be bad if an application had to read pkcs11.txt
> directly and look for "library=
Yeah, it sucks that we have to do this.
cf. https:/
I'd rather have NSS just do the right thing rather than returning an error when we attempt to open sql:/etc/pki/nssdb r/w though.
In Red Hat Bugzilla #546221, Ken (ken-redhat-bugs) wrote : | #50 |
Can someone add Mozilla bug 449498 under "External Bugs". I don't have permissions.
In Red Hat Bugzilla #546221, David (david-redhat-bugs) wrote : | #51 |
See also the discussion in https:/
In Mozilla Bugzilla #449498, Rrelyea (rrelyea) wrote : | #13 |
Comment on attachment 451412
revised patch to try system db only on unix
Way behind on my reviews. I'm OK with this patch with the following caveats.
1) this is PSM code so Kai should have the final say since he'll have to support what goes in.
2) explicity checking for libnssysinit.so may fail in the future is we support some admin tool that replaces libnsssysinit with something that gets the nss configuration from some admin repository.
#1 is the more critical issue.
bob
In Mozilla Bugzilla #449498, dwmw2 (dwmw2) wrote : | #14 |
Having talked to people about GNOME keyring plans at GUADEC this week, I'm a little bothered by your #2 too. I can envisage a situation where we point at a GNOME-keyring PKCS#11 module directly from /etc/pki/nssdb, instead of using libnsssysinit. (Although maybe we'd be more likely to put that in the user's pkcs11.txt instead.)
Should we make it trigger if *any* module would be loaded by the /etc/pki/
In Red Hat Bugzilla #546221, Elio (elio-redhat-bugs) wrote : | #52 |
This reflects portability-
have it as an NSS patch whic is desirable. It's sleeping in a samples bug where
it doesn't belong and gets ignored. I could submit it as an NSS bug fix.
The other option would be for the xulrunner-only fix in which case we could
make similar portability modifications to your patch here in attachment 424256.
There is something to be said to having in NSS proper for all applications to benefit. Some might argue for the more conservative road of just patching here for
xulrunner, at least initially. Any preferences?
In Red Hat Bugzilla #546221, David (david-redhat-bugs) wrote : | #53 |
Other applications (chrome, evolution, etc.) are already doing the check for themselves, and opening the system database or the user's database accordingly. I think we might as well do the same in xulrunner.
It'll be nice when NSS makes it easier, but I don't think we want to require a new version of NSS before this finally starts to work.
In Red Hat Bugzilla #546221, Fedora (fedora-redhat-bugs) wrote : | #54 |
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.
In Red Hat Bugzilla #546221, Kaj (kaj-redhat-bugs) wrote : | #55 |
I stumbled on the same for RHEL6 beta 2. It would be very nice to have all users use the system wide certificate store instead of their own for verifying private enterprise CA certificates.
In Red Hat Bugzilla #546221, Elio (elio-redhat-bugs) wrote : | #56 |
I agree, the nss part is done so I have changed the component to xulrunner where it now properly belongs.
In Red Hat Bugzilla #546221, Elio (elio-redhat-bugs) wrote : | #57 |
The patch as it is works in fedora but one should consider portability as eventually it needs to be submitted upstream to mozilla. To start I would suggest using the NSPR types and NSPR functions.
Adding
+#include "prio.h" to pickup the NSPR functions
using PRBool instead of int for the boolean variable, and replacing the use of ::fopen, ::fgets, ::strcomp, and ::flose with PR_Open, PR_Read, PORT_Strcmp, and PR_Close
It would look like this:
+#define NSS_SYSTEM_DB "/etc/pki/nssdb"
+ SECStatus init_rv = SECFailure;
+ const char *nssdb = profileStr.get();
+
+ FILE *f = PR_Open(
+ if (f) {
+ PRBool found = PR_FALSE;
+ char buf[80];
+ /* Check whether the system NSS db is actually enabled */
+ while (PR_Read(f, buf, 80) && !found) {
+ if (!PORT_Strcmp(buf, "library=
+ found = PR_TRUE;
+ }
+ PR_Close(f);
+ if (found) {
+ nssdb = "sql:"NSS_
+ init_rv = ::NSS_InitWithM
+ "", "", SECMOD_DB,
+ profileStr.get(), "", "",
+ profileStr.get(), profileStr.get(), 0);
+ }
+ }
+ /* If no sysdb found, or opening it failed, try opening the
+ old db from the profile directory. If that fails, subsequent
+ (readonly, nodb) attempts will be on the system db */
+ if (init_rv == SECFailure)
+ init_rv = ::NSS_InitReadW
The NSS_DEFAULT_SYSTEM is a unix/linux path so a function like find_default_
In Red Hat Bugzilla #546221, Bug (bug-redhat-bugs) wrote : | #58 |
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora
'version' of '12'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version prior to Fedora 12's end of life.
Bug Reporter: Thank you for reporting this issue and we are sorry that
we may not be able to fix it before Fedora 12 is end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora please change the 'version' of this
bug to the applicable version. If you are unable to change the version,
please add a comment here and someone will do it for you.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
The process we are following is described here:
http://
In Red Hat Bugzilla #546221, David (david-redhat-bugs) wrote : | #59 |
Still not fixed in F14 -- I'm still having to build my own xulrunner package to fix it.
In Red Hat Bugzilla #546221, Martin (martin-redhat-bugs) wrote : | #60 |
We need to move this patch upstream.
In Red Hat Bugzilla #546221, David (david-redhat-bugs) wrote : | #61 |
Gr, yet another Fedora xulrunner update breaks this for me; yet another local rebuild with the required patch to fix it again...
In Red Hat Bugzilla #546221, Elio (elio-redhat-bugs) wrote : | #62 |
I was hoping the patch could receive review downstream in Fedora before moving upstream. For upstream submission it would be for the Personal Security Manager, see https:/
In Red Hat Bugzilla #546221, Martin (martin-redhat-bugs) wrote : | #63 |
In Mozilla Bugzilla #449498, Kai Engert (kaie) wrote : | #15 |
This patch uses
NSS_InitWithMerge
Unless I missed something new, in my understanding, this may require multiple master password prompts. This is necessary if the old profile db uses a different password than the user's shared db in ~/.pki/nssdb
If this is true, in my understanding, we must use application assisted merging.
This document lists a proposal of how this could be done:
https:/
If you agree with me that application assisted merging is necessary, I believe this patch is r-
In Mozilla Bugzilla #449498, Kai Engert (kaie) wrote : | #16 |
*** Bug 620373 has been marked as a duplicate of this bug. ***
In Red Hat Bugzilla #546221, David (david-redhat-bugs) wrote : | #64 |
Still broken in Fedora 15.
Drew Scott Daniels (drewdaniels) wrote : | #1 |
To remove fraudulent certificates like this recent one:
https:/
a rebuild is required.
See the discussion at lwn.net at:
http://
Note the comment about how Internet Explorer doesn't have to be rebuilt and the Microsoft Advisory at:
https:/
Maybe better Certificate Revocation List (CRL) support is needed.
I haven't yet submitted a bug upstream as Ubuntu may just want to fork for better enterprise support.
Drew Daniels
http://
Drew Scott Daniels (drewdaniels) wrote : | #2 |
tags: | added: patch |
Drew Scott Daniels (drewdaniels) wrote : | #3 |
The attached patch is not a full solution. Removing the compiled in certificates would be needed, but this might be good enough for basic enterprise needs to add root certificates to FireFox.
Drew Daniels
http://
Micah Gersten (micahg) wrote : | #4 |
Thank you for reporting this to Ubuntu. While I do recognize the value in this for enterprises, we currently aren't even using the system NSS in our Firefox builds. I notice the upstream bug is about opening a second read only system NSS DB. This is why I marked this triaged instead of won't fix. We'll follow upstream if they choose to allow this. Please report any other issues you may find.
Changed in firefox (Ubuntu): | |
importance: | Undecided → Wishlist |
status: | New → Triaged |
Changed in firefox: | |
importance: | Unknown → Medium |
status: | Unknown → Confirmed |
Ubuntu Foundations Team Bug Bot (crichton) wrote : | #17 |
The attachment "F14 1.9.2 patch to allow use of system certificate store" of this bug report has been identified as being a patch. The ubuntu-reviewers team has been subscribed to the bug report so that they can review the patch. In the event that this is in fact not a patch you can resolve this situation by removing the tag 'patch' from the bug report and editing the attachment so that it is not flagged as a patch. Additionally, if you are member of the ubuntu-sponsors please also unsubscribe the team from this bug report.
[This is an automated message performed by a Launchpad user owned by Brian Murray. Please contact him regarding any issues with the action taken in this bug report.]
In Mozilla Bugzilla #449498, 5-mozilla-e (5-mozilla-e) wrote : | #18 |
Using Mozilla products in a corporate context is really inconvenient due to this issue. All our users have to individually import our CA certificate because FF and TB don't read it from the available /etc/pki/nssdb files.
In Red Hat Bugzilla #546221, Martin (martin-redhat-bugs) wrote : | #65 |
So what's up with this one? Do we want to use this patch or not? Kai, I think it's your area, right? So It may not be assigned to me. If you'd like to have this patch in Firefox/Fedora, just put it there or ping me...
In Red Hat Bugzilla #546221, Fedora (fedora-redhat-bugs) wrote : | #66 |
This message is a notice that Fedora 15 is now at end of life. Fedora
has stopped maintaining and issuing updates for Fedora 15. It is
Fedora's policy to close all bug reports from releases that are no
longer maintained. At this time, all open bugs with a Fedora 'version'
of '15' have been closed as WONTFIX.
(Please note: Our normal process is to give advanced warning of this
occurring, but we forgot to do that. A thousand apologies.)
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen
this bug and simply change the 'version' to a later Fedora version.
Bug Reporter: Thank you for reporting this issue and we are sorry that
we were unable to fix it before Fedora 15 reached end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora, you are encouraged to click on
"Clone This Bug" (top right of this page) and open it against that
version of Fedora.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
The process we are following is described here:
http://
In Mozilla Bugzilla #449498, Moz-bugzilla-9 (moz-bugzilla-9) wrote : | #19 |
The derailment of this bug is caused by a requirement that has nothing to do with this bug.
This bug is supposed to be about using a read-only, system-wide NSS database, however the blocking issue has to do with the fact that somewhere along the line, the decision was to ALSO remove the separate per-user NSS databases used by, e.g. firefox and thunderbird (which are currently stored in profile directory) and instead making a single per-user read-write database stored at, e.g. ~/.pki/nssdb
And while I understand that this is also a desirable outcome, does it have anything to do with allowing site-wide use of TB without having users be forced to hand-configure their TB before accessing corporate mail servers protected with internal CA, which is the essence of THIS bug report? It doesn't seem the two are actually related...
Any chance that progress could be made on this?
In Mozilla Bugzilla #449498, Rrelyea (rrelyea) wrote : | #20 |
kai, can you switch this bug to PSM? Both the patch and the ultimate solution are PSM issues.
bob
In Mozilla Bugzilla #449498, V-cameron (v-cameron) wrote : | #21 |
Any progress on this yet? As was mentioned earlier, this can be a major inconvenience in an enterprise environment.
In Mozilla Bugzilla #449498, dwmw2 (dwmw2) wrote : | #22 |
FWIW the trust issue has mostly been solved. Fedora for example ships p11-kit-trust.so as a replacement for NSS's libnssckbi.so. It provides all the trust roots in the place that NSS *expects* them to come from.
dkasak (dkasak-9) wrote : | #23 |
So what is the status on this? With Fedora's p11-kit-trust.so, the pieces to solve this seem to be in place.
In Mozilla Bugzilla #449498, vamega (vamega) wrote : | #67 |
I'm not sure this bug has been completely fixed. I'm running Ubuntu 15.04 and it's not picking up certificates that the rest of the system is picking up (I checked that curl and wget were fetching the URL's correctly while verifying certificates).
In Mozilla Bugzilla #449498, dwmw2 (dwmw2) wrote : | #68 |
Are you referring to my comment 16? You do need your distribution to ship p11-kit-trust.so in place of Mozilla's libnssckbi.so, so it has a consistent set of trusted CAs with the rest of the system.
In Mozilla Bugzilla #449498, Stefan Fleiter (stefan-fleiter) wrote : | #69 |
Probably relates to bug 454036 and should be platform all
Changed in firefox (Fedora): | |
importance: | Unknown → Medium |
status: | Unknown → Won't Fix |
Changed in firefox: | |
status: | Confirmed → Unknown |
Changed in firefox: | |
status: | Unknown → Confirmed |
Changed in firefox: | |
status: | Confirmed → Won't Fix |
In Mozilla Bugzilla #449498, David Ward (dpward) wrote : | #70 |
@J.C. Jones Can you kindly undo your recent change to the status of this bug?
@David Woodhouse: p11-kit-trust.so only handles CA certificates; it does not pull in the PKCS#11 security module configuration, which is stored in the system-wide NSS database. This is required where smart cards are used (using security modules such as OpenSC, either directly or via the p11-kit-proxy security module). This was part of the issue reported with this bug.
As it stands now, the PKCS#11 module configuration still has to be manually added to every Firefox/Thunderbird profile after the application is first launched by the user and the NSS databases are created at that time. Changes to the system-wide NSS database won't propagate (for example, if the system administrator replaces the CoolKey module with OpenSC).
In Mozilla Bugzilla #449498, Rrelyea (rrelyea) wrote : | #71 |
David, I presume you are running on Linux? If your firefox/thunderbird is build with policy enabled, you can add the line to our policy file:
name=p11-kit-proxy
library=
On Fedora or RHEL 8 the policy file is in /etc/crypto-
On RHEL7 it's in /etc/pki/
For other distributions look at the build scripts for POLICY_FILE and POLICY_PATH.
In Mozilla Bugzilla #449498, Jjones-g (jjones-g) wrote : | #72 |
David,
Let me know if Bob's advice here isn't a good resolution. Otherwise, I don't see us changing NSS' behavior to load multiple SQLite databases.
Maxim (mekatum) wrote : | #73 |
What is the status of the error at the moment? In Fedora 31/32 add sefl-signed cert to system store allow Firefox to trust self-signed cert on sites.
I use Ubuntu 18.04 in my enterprise and it's big problem, that I can not add self-signed root cert in computers. Our users use different browsers, different workplace. And when user first login on computer, he must add self-signed cert to a browser.
Fedora has started to ship an NSS database in the OS global location /etc/pki/nssdb, which contains system-wide certificates or security modules that all applications should have access to.
I think the proposal is to open that additional database automatically on NSS init time.
We'd like to do this at least on Linux, and maybe we should start with #ifdef'ed code.
We could add other platforms, too, if there is interest and a standardized location for this kind of database (with the initial version or at a later time).