On 26 August 2014 21:15, Jan Alexander Steffens <jan.steffens@gmail.com> wrote:
On Sun, Aug 24, 2014 at 11:47 AM, Jan Alexander Steffens <jan.steffens@gmail.com> wrote:
Hi guys,
I'm currently at FrOSCon with Pierre and an expert from CAcert.org and we're thinking of changes to our certificate setup.
The current issues are: - Mozilla NSS uses its own root store and not /etc/ssl/certs - ca-certificates ships outdated Mozilla roots - Shipping additional roots outside ca-certificates is difficult, requiring patching /etc/ca-certificates.conf
To solve these issues, we thought of making the following changes:
- Attach NSS to p11-kit so it uses our root store (easily done by replacing /usr/lib/libnssckbi.so with a symlink to p11-kit-proxy.so) - Patch the update-ca-certificates script to read /etc/ca-certificates/conf.d instead of /etc/ca-certificates.conf - Split the current Mozilla roots from the NSS package in the ca-certificates format, shipping /etc/ca-certificates/conf.d/mozilla.conf - Create a package shipping the CAcert.org roots in a similar way - Ship the update-ca-certificates script in a ca-certificates-utils package, which the certificate packages depend on - ca-certificates becomes a metapackage depending on the -mozilla and -cacert packages
Comments are welcome. Unless we get objections, we're going to start making these changes. Hopefully we can be done today and push the result to [testing].
Greetings, Jan
Firefox isn't quite happy yet with the change, see https://bugs.archlinux.org/task/41689: Addons fail to install or update.
It seems this is due to Firefox depending on NSS internals - specifically, addons must be signed by certificates validated by the built-in trusted root store, which is matched by name.
Fedora was affected as well: https://bugzilla.redhat.com/show_bug.cgi?id=966424 Upstream report, arguing for the check to be removed: https://bugzilla.mozilla.org/show_bug.cgi?id=880269
Now we can: a. Patch p11-kit to rename the store; the easy way. b. Patch Firefox and Thunderbird and SeaMonkey to not require the name to match; the hard way, and the one Fedora chose. c. Revert the change that links NSS to p11-kit; rather not, as it makes it really hard to control the root store.
Opinions?
Hi Pierre, hi Jan, So the "ca-certificates-utils" from testing (20140923-5) declares a "provides" and "conflict" on "ca-certificates-java". Unfortunately jre and jdk packages use a "init-jks-keystore" script provided by "ca-certificates-java" but not "ca-certificates-utils". This scripts only computes file /etc/ssl/certs/java/cacerts which is actually also computed by "update-ca-trust". So I could just make jre and jdk packages depend on ca-certificates-utils and then "ca-certificates-java" could be dropped: is that the whole plan?