Bug #6704

CAcert.org root certificate is not included anymore

Added by intrigeri 2014-02-17 15:55:59 . Updated 2014-03-19 07:23:43 .

Target version:
Start date:
Due date:
% Done:


Feature Branch:
Type of work:

Affected tool:
Deliverable for:


All Iceweasel backports (including ours) now use the in-tree NSS library, that does not include the patches Debian applies to the NSS library. On the one hand, this falls under the Feature #5870 umbrella. On the other, that’s a regression, and e.g. blocks access to our own Redmine, hence a priority higher than normal.

It’s probably not-too-hard to patch the in-tree NSS library with the relevant Debian patch(es).


Related issues

Related to Tails - Feature #5870: Better support of non-commercial ISPs Rejected
Related to Tails - Feature #5976: Persistence preset: Tor Browser client certificates Confirmed


#1 Updated by intrigeri 2014-02-27 18:55:09

labs.riseup.net now has a certificate bought to the CA cartel again, which mitigates this problem somehow.

#2 Updated by intrigeri 2014-02-28 10:42:55

Brain dump wrt. doing this without patching the in-tree NSS library, but instead by pointing the browser to a NSS database into which we have already imported the needed CA at build or boot time:

  • ideally, we would use the NSS Shared DB so that all NSS-using applications benefit from the imported certificate: https://wiki.mozilla.org/NSS_Shared_DB_Howto
  • some basics about using certutil to do that are documented on the ArchWiki, the Chromium wiki, and a good blog post
  • the certutil version we ship in Tails 0.22.1 only supports the old key3.db and cert8.db; these are still used in our current browser, but at some point we’ll have to handle the migration to the new format
  • the certutil version we ship in Tails 0.22.1 does not support the --empty-password option yet, and does not take the password from stdin, so we would have to write an expect or similar script to automate creating the NSS shared DB
  • the pkcs11.txt file in the shared NSS database contains the absolute path to the configuration directory, which may complicate things a bit (e.g. if we put the shared DB into /etc/skel, then we need to mangle this file after creating the amnesia and clearnet users)
  • care must be taken not to interfere with future work (Feature #5976)

Temporary conclusion: patching Iceweasel’s in-tree NSS library seems easier. We should look into it.

#3 Updated by intrigeri 2014-03-04 12:52:36

  • Target version set to Tails_0.23

This will actually be fixed once we import the updated Debian patches from 24.3.0esr-1.

#4 Updated by intrigeri 2014-03-04 18:38:04

  • Status changed from Confirmed to In Progress
  • Assignee set to intrigeri
  • % Done changed from 0 to 10

#5 Updated by intrigeri 2014-03-06 00:09:38

  • Feature Branch set to feature/6474-tor-browser-mozconfig

#6 Updated by intrigeri 2014-03-06 00:10:32

Actually, iceweasel 24.3.0esr-1 patches the in-tree NSS library the same way as the nss source package, so that’s trivial.

#7 Updated by intrigeri 2014-03-06 15:45:10

  • Status changed from In Progress to Fix committed
  • Assignee deleted (intrigeri)
  • % Done changed from 10 to 100

#8 Updated by anonym 2014-03-19 07:23:43

  • Status changed from Fix committed to Resolved