[Desktop-packages] [Bug 1648616] Re: Firefox uses its own version of NSS, incompatible with system version
Status changed to 'Confirmed' because the bug affects multiple users. ** Changed in: thunderbird (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to thunderbird in Ubuntu. https://bugs.launchpad.net/bugs/1648616 Title: Firefox uses its own version of NSS, incompatible with system version Status in firefox package in Ubuntu: Invalid Status in thunderbird package in Ubuntu: Confirmed Bug description: Because of bug 1647285 I need to install corporate SSL CAs into the database of each NSS-using application individually. Unfortunately it doesn't seem to work for Firefox. Not only does Firefox ship with its *own* version of NSS instead using the system's version, but it even seems to be configured very differently. Firefox appears to use the legacy Berkeley DB database for its softokn, in key3.db/cert8.db. However, the system's certutil won't work with that legacy format: $ certutil -d ~/.mozilla/firefox/default.default/ -L certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format. I can force it to use the SQL database in key4.db/cert9.db by running with NSS_DEFAULT_DB_TYPE=sql, and then I *can* install trusted CAs with certutil. But actually, it's much simpler to just make a symlink from firefox's own special copy of the SSL trust roots in libnssckbi.so, to the system's p11-kit-trust.so — thus making Firefox honour the system trust configuration. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1648616/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1648616] Re: Firefox uses its own version of NSS, incompatible with system version
Setting aside the wisdom of that response, and my surprise at discovering that the distribution even *permits* you to ship your own copy of certain libraries — *especially* security-critical libraries — in your own package instead of using the system's version doesn't that mean you should be shipping your own version of things like certutil and modutil, given that you now not only have your own copy of the libraries, but you even have a speshul different database format to the one that the system NSS uses, so you aren't even compatible with /usr/bin/certtool. -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to thunderbird in Ubuntu. https://bugs.launchpad.net/bugs/1648616 Title: Firefox uses its own version of NSS, incompatible with system version Status in firefox package in Ubuntu: Invalid Status in thunderbird package in Ubuntu: New Bug description: Because of bug 1647285 I need to install corporate SSL CAs into the database of each NSS-using application individually. Unfortunately it doesn't seem to work for Firefox. Not only does Firefox ship with its *own* version of NSS instead using the system's version, but it even seems to be configured very differently. Firefox appears to use the legacy Berkeley DB database for its softokn, in key3.db/cert8.db. However, the system's certutil won't work with that legacy format: $ certutil -d ~/.mozilla/firefox/default.default/ -L certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format. I can force it to use the SQL database in key4.db/cert9.db by running with NSS_DEFAULT_DB_TYPE=sql, and then I *can* install trusted CAs with certutil. But actually, it's much simpler to just make a symlink from firefox's own special copy of the SSL trust roots in libnssckbi.so, to the system's p11-kit-trust.so — thus making Firefox honour the system trust configuration. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1648616/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1648616] Re: Firefox uses its own version of NSS, incompatible with system version
The Firefox we ship is deliberately as close as possible to what Mozilla provides, so this isn't going to change ** Changed in: firefox (Ubuntu) Status: Confirmed => Invalid -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/1648616 Title: Firefox uses its own version of NSS, incompatible with system version Status in firefox package in Ubuntu: Invalid Status in thunderbird package in Ubuntu: New Bug description: Because of bug 1647285 I need to install corporate SSL CAs into the database of each NSS-using application individually. Unfortunately it doesn't seem to work for Firefox. Not only does Firefox ship with its *own* version of NSS instead using the system's version, but it even seems to be configured very differently. Firefox appears to use the legacy Berkeley DB database for its softokn, in key3.db/cert8.db. However, the system's certutil won't work with that legacy format: $ certutil -d ~/.mozilla/firefox/default.default/ -L certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format. I can force it to use the SQL database in key4.db/cert9.db by running with NSS_DEFAULT_DB_TYPE=sql, and then I *can* install trusted CAs with certutil. But actually, it's much simpler to just make a symlink from firefox's own special copy of the SSL trust roots in libnssckbi.so, to the system's p11-kit-trust.so — thus making Firefox honour the system trust configuration. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1648616/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1648616] Re: Firefox uses its own version of NSS, incompatible with system version
** Also affects: thunderbird (Ubuntu) Importance: Undecided Status: New -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to thunderbird in Ubuntu. https://bugs.launchpad.net/bugs/1648616 Title: Firefox uses its own version of NSS, incompatible with system version Status in firefox package in Ubuntu: Invalid Status in thunderbird package in Ubuntu: New Bug description: Because of bug 1647285 I need to install corporate SSL CAs into the database of each NSS-using application individually. Unfortunately it doesn't seem to work for Firefox. Not only does Firefox ship with its *own* version of NSS instead using the system's version, but it even seems to be configured very differently. Firefox appears to use the legacy Berkeley DB database for its softokn, in key3.db/cert8.db. However, the system's certutil won't work with that legacy format: $ certutil -d ~/.mozilla/firefox/default.default/ -L certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format. I can force it to use the SQL database in key4.db/cert9.db by running with NSS_DEFAULT_DB_TYPE=sql, and then I *can* install trusted CAs with certutil. But actually, it's much simpler to just make a symlink from firefox's own special copy of the SSL trust roots in libnssckbi.so, to the system's p11-kit-trust.so — thus making Firefox honour the system trust configuration. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1648616/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
[Desktop-packages] [Bug 1648616] Re: Firefox uses its own version of NSS, incompatible with system version
** Changed in: firefox (Ubuntu) Status: New => Confirmed -- You received this bug notification because you are a member of Desktop Packages, which is subscribed to firefox in Ubuntu. https://bugs.launchpad.net/bugs/1648616 Title: Firefox uses its own version of NSS, incompatible with system version Status in firefox package in Ubuntu: Confirmed Bug description: Because of bug 1647285 I need to install corporate SSL CAs into the database of each NSS-using application individually. Unfortunately it doesn't seem to work for Firefox. Not only does Firefox ship with its *own* version of NSS instead using the system's version, but it even seems to be configured very differently. Firefox appears to use the legacy Berkeley DB database for its softokn, in key3.db/cert8.db. However, the system's certutil won't work with that legacy format: $ certutil -d ~/.mozilla/firefox/default.default/ -L certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format. I can force it to use the SQL database in key4.db/cert9.db by running with NSS_DEFAULT_DB_TYPE=sql, and then I *can* install trusted CAs with certutil. But actually, it's much simpler to just make a symlink from firefox's own special copy of the SSL trust roots in libnssckbi.so, to the system's p11-kit-trust.so — thus making Firefox honour the system trust configuration. To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/1648616/+subscriptions -- Mailing list: https://launchpad.net/~desktop-packages Post to : desktop-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~desktop-packages More help : https://help.launchpad.net/ListHelp
