Bug #6704
CAcert.org root certificate is not included anymore
Description
All Iceweasel backports (including ours) now use the in-tree NSS library, which does not include the patches Debian applies to its NSS package. On the one hand, this falls under the Feature #5870 umbrella. On the other hand, it is a regression: it blocks access to our own Redmine, for example, hence a priority higher than normal.
It is probably not too hard to patch the in-tree NSS library with the relevant Debian patch(es).
Subtasks
Related issues
- Related to Tails - | Rejected
- Related to Tails - Feature #5976: Persistence preset: Tor Browser client certificates | Confirmed
History
#1 Updated by intrigeri 2014-02-27 18:55:09
labs.riseup.net now has a certificate bought from the CA cartel again, which mitigates this problem somehow.
#2 Updated by intrigeri 2014-02-28 10:42:55
Brain dump wrt. doing this without patching the in-tree NSS library, but instead by pointing the browser to an NSS database into which we have already imported the needed CA at build or boot time:
- ideally, we would use the NSS Shared DB so that all NSS-using applications benefit from the imported certificate: https://wiki.mozilla.org/NSS_Shared_DB_Howto
- some basics about using certutil to do that are documented on the ArchWiki, the Chromium wiki, and a good blog post
- the certutil version we ship in Tails 0.22.1 only supports the old key3.db and cert8.db; these are still used in our current browser, but at some point we'll have to handle the migration to the new format
- the certutil version we ship in Tails 0.22.1 does not support the --empty-password option yet, and does not take the password from stdin, so we would have to write an expect or similar script to automate creating the NSS shared DB
- the pkcs11.txt file in the shared NSS database contains the absolute path to the configuration directory, which may complicate things a bit (e.g. if we put the shared DB into /etc/skel, then we need to mangle this file after creating the amnesia and clearnet users)
- care must be taken not to interfere with future work (Feature #5976)
Temporary conclusion: patching Iceweasel’s in-tree NSS library seems easier. We should look into it.
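Worked example of the non-patching approach sketched in the comment above (added here; this is neither Tails code nor part of the comment): create the NSS shared DB with certutil, import a CA with SSL-trust flags, and re-point pkcs11.txt when the DB is copied out of /etc/skel into a user's home. It assumes certutil's -f password-file option (a zero-length file gives an empty password, which sidesteps the stdin/expect problem) and the sql: DB prefix; the DB paths, CA file and nickname are placeholders.

```shell
#!/bin/sh
# Added example, not Tails code: build an NSS shared DB (sql: format) that
# already trusts a CA, and re-point per-user copies at their own directory.
# Assumes a certutil that accepts -f PASSWORD_FILE and the sql: prefix;
# DB paths, the CA file and the nickname are placeholders.
set -eu

# create_shared_db DBDIR CA_PEM NICK: initialise the DB with an empty
# password (zero-length -f file, so no prompt and no expect script) and
# import the PEM CA with trust flags "C,," (trusted CA for SSL).
create_shared_db() {
    db="$1"; ca_pem="$2"; nick="$3"
    mkdir -p "$db"
    : > "$db/.empty-pw"                      # zero-length file => empty password
    certutil -N -d "sql:$db" -f "$db/.empty-pw"
    certutil -A -d "sql:$db" -n "$nick" -t "C,," -a -i "$ca_pem"
    rm -f "$db/.empty-pw"
}

# ca_is_trusted DBDIR NICK: succeeds only if the CA is listed with C,, flags.
ca_is_trusted() {
    certutil -L -d "sql:$1" | grep -q "^$2 *C,,"
}

# rewrite_configdir PKCS11_TXT OLD_DIR NEW_DIR: pkcs11.txt records the DB
# directory as configdir='/abs/path'; after copying /etc/skel into a new
# home, point it at that home instead (portable sed: write a temp copy).
rewrite_configdir() {
    sed "s|configdir='$2'|configdir='$3'|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Example flow (placeholder paths): build the template DB under /etc/skel,
# then fix up each user's copy after the account has been created.
# create_shared_db /etc/skel/.pki/nssdb /path/to/ca.pem "Imported CA"
# for u in amnesia clearnet; do
#     rewrite_configdir "/home/$u/.pki/nssdb/pkcs11.txt" \
#         /etc/skel/.pki/nssdb "/home/$u/.pki/nssdb"
#     ca_is_trusted "/home/$u/.pki/nssdb" "Imported CA"
# done
```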
#3 Updated by intrigeri 2014-03-04 12:52:36
- Target version set to Tails_0.23
This will actually be fixed once we import the updated Debian patches from 24.3.0esr-1.
#4 Updated by intrigeri 2014-03-04 18:38:04
- Status changed from Confirmed to In Progress
- Assignee set to intrigeri
- % Done changed from 0 to 10
#5 Updated by intrigeri 2014-03-06 00:09:38
- Feature Branch set to feature/6474-tor-browser-mozconfig
#6 Updated by intrigeri 2014-03-06 00:10:32
Actually, iceweasel 24.3.0esr-1 patches the in-tree NSS library the same way as the nss source package, so that’s trivial.
#7 Updated by intrigeri 2014-03-06 15:45:10
- Status changed from In Progress to Fix committed
- Assignee deleted (intrigeri)
- % Done changed from 10 to 100
#8 Updated by anonym 2014-03-19 07:23:43
- Status changed from Fix committed to Resolved