Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: sssd (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1647285
Title:
SSL
Also adding SSSD here, would be easy enough to make its default PAM CA
ring to point to /etc/ssl/certs/ca-certificates.crt by default (and
change-able in settings) but not sure if we want to go this route as it
may make SSSD documentation confusing (as it everywhere mentions
Unfortunately, the ! character at the beginning the the line in ca-
certificates.conf is just for blacklisting ca certificates from being
imported into the system store, it's not really a backlist that can be
used by a crypto library.
--
You received this bug notification because you are a
So for the avoidance of doubt, every independent distro has its own
custom ca-certificates package with no shared history. I know Debian,
Fedora, and openSUSE all have their own completely separate upstreams.
Looking at what Fedora does is probably a good idea indeed, just keep in
mind it has no
Looks like Fedora substantially modified the scripts used by ca-
certificates to extract untrusted and blacklisted certs. We should
probably start by investigating how their package is handling this, what
files they are generating, and if they are being properly handled by p11
-kit-trust.
--
You
so what does it require to fix ca-certificates?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1647285
Title:
SSL trust not system-wide
To manage notifications about this bug go to:
On Thu, 2020-03-19 at 09:44 +, Olivier Tilloy wrote:
> It looks like symlinking firefox and thunderbird's own copies of
> libnssckbi.so to the system-wide p11-kit-trust.so is the proper way to
> fix this bug, as far as Mozilla's products are concerned.
>
> Before I proceed to doing this, I'd
Before we switch any software to using p11-kit-trust.so, we need to fix
our ca-certificates package to properly handle untrusted or blacklisted
certificates. At the moment, I believe they are simply skipped when
generating the contents of /usr/share/ca-certificates.
--
You received this bug
It looks like symlinking firefox and thunderbird's own copies of
libnssckbi.so to the system-wide p11-kit-trust.so is the proper way to
fix this bug, as far as Mozilla's products are concerned.
Before I proceed to doing this, I'd welcome comments from the security
team on this approach though, as
according to #4 nss should still symlink libnssckbi.so to p11-kit-
trust.so
** Changed in: nss (Ubuntu)
Status: Fix Released => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1647285
p11-kit too
** Changed in: p11-kit (Ubuntu)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1647285
Title:
SSL trust not system-wide
To manage notifications
nss should have everything on focal
** Also affects: firefox (Ubuntu)
Importance: Undecided
Status: New
** Changed in: nss (Ubuntu)
Status: Confirmed => Fix Released
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
Like others, I'm manually symlinking .so files on all of my interactive
hosts and hoping updates don't break it. IMO this is not a valid
workaround.
@ahasenack - I understand this is a roadmap item that would ideally
resolve for multiple packages, but it seems that the Mozilla products
are the
@dwmw2,
I figured out the issue. Long story short, freeipa (which is our CA),
when we enroll a PC into the realm, it adds the freeIPA cert to
/etc/ssl/certs/ca-certificates.crt like it should, however it also adds
other information that it shouldn't.
This results in p11-kit-trust.so blowing
@kvasko yes, it works here. Are you sure that's the version of
libnssckbi.so that is being used? There are lots; I've replaced them
all...
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1647285
Title:
should this be marked as something to fix in focal for the next LTS?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1647285
Title:
SSL trust not system-wide
To manage notifications about this bug
@dwmw2
Were you able to make this work by doing this for firefox?
sudo mv /usr/lib/firefox/libnssckbi.so /usr/lib/firefox/libnssckbi.so.bak
sudo ln -s /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so
/usr/lib/firefox/libnssckbi.so
This isn't "just" a bug, it's a roadmap item in my view, as many
products are affected. It needs a spec, like in the fedora case. I agree
that it would be awesome to have this.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
This isn't "just" a bug, it's a roadmap item in my view, as many
products are affected. It needs a spec, like in the fedora case. I agree
that it would be awesome to have this.
--
You received this bug notification because you are a member of Ubuntu
Server, which is subscribed to the bug report.
I'm trying to make use of this in Ubuntu 14.04 with p11-kit
0.23.2-5~ubuntu16.04.1, but get the following error:
# trust list
p11-kit: ca-certificates.crt: BEGIN ...: pem block before p11-kit section header
p11-kit: ca-certificates.crt: BEGIN ...: pem block before p11-kit section header
Is
No progress on this yet, afaik it is just not high up on anyone's
personal task list :-/
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1647285
Title:
SSL trust not system-wide
To manage
Wow, unified CA management would be awesome. No more fiddling around
with (and forgetting to correctly install/remove certificates in)
various applications (most notably in Firefox, Chromium, wget).
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is
Any progress on fixing this?
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1647285
Title:
SSL trust not system-wide
To manage notifications about this bug go to:
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: thunderbird (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1647285
Title:
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: ca-certificates (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1647285
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: p11-kit (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1647285
Title:
Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: nss (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1647285
Title:
SSL
cf. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741005
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=704180
https://lists.freedesktop.org/archives/p11-glue/2013-June/000331.html
** Bug watch added: Debian Bug tracker #741005
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=741005
I believe NSS wants these patches backported from 3.30:
https://bugzilla.mozilla.org/show_bug.cgi?id=1334976
Firefox has its own copy of NSS which I think as of Firefox 54 should be fine.
Thunderbird also needs fixing, I think.
** Bug watch added: Mozilla Bugzilla #1334976
I believe we need to update p11-kit to v0.23.4 to make the key pinning
work correctly in the recommended configuration, by adding the
CKA_NSS_MOZILLA_CA_POLICY attribute.
https://bugs.freedesktop.org/show_bug.cgi?id=99453
https://bugzilla.mozilla.org/show_bug.cgi?id=1324096
** Bug watch added:
** Changed in: ca-certificates (Ubuntu)
Status: Incomplete => New
** Changed in: nss (Ubuntu)
Status: Incomplete => New
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1647285
Title:
The Mozilla bugs you link are a bit of a red herring. They refer to an
abortive attempt by Mozilla/NSS to have a 'shared system database' in
sql:/etc/pki/nssdb. The idea is that applications specify that as their
NSS database and although it's obviously read-only, it automatically
adds the user's
Hi dwmw2,
thank you for your bug report and your help to make Ubuntu better.
I beg a pardon as I'm clearly not an expert on this particular area, but
I try to sort out the details of this bug report to understand what has
to be done.
Currently I understand this as feature request to make
@Security Team - do you happen to know about this overall topic and
could you share either whatever was the outcome of such discussions in
the past or OTOH what you assert on this as a feature request would be?
** Changed in: ca-certificates (Ubuntu)
Status: New => Incomplete
** Changed
It does seem that p11-kit-trust.so is working correctly. If I just make
a symlink from libnssckbi.so to it, corporate trust installed by update-
ca-certificates *does* work in Firefox.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
35 matches
Mail list logo
