Firefox uses its own version of NSS, incompatible with system version

Bug #1648616 reported by dwmw2
This bug affects 3 people
Affects               Status     Importance  Assigned to  Milestone
firefox (Ubuntu)      Invalid    Undecided   Unassigned
thunderbird (Ubuntu)  Confirmed  Undecided   Unassigned

Bug Description

Because of bug 1647285 I need to install corporate SSL CAs into the database of each NSS-using application individually. Unfortunately it doesn't seem to work for Firefox. Not only does Firefox ship with its *own* version of NSS instead of using the system's version, but it even seems to be configured very differently.

Firefox appears to use the legacy Berkeley DB database for its softokn, in key3.db/cert8.db. However, the system's certutil won't work with that legacy format:

$ certutil -d ~/.mozilla/firefox/default.default/ -L
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

I can force it to use the SQL database in key4.db/cert9.db by running with NSS_DEFAULT_DB_TYPE=sql, and then I *can* install trusted CAs with certutil. But actually, it's much simpler to just make a symlink from firefox's own special copy of the SSL trust roots in libnssckbi.so, to the system's p11-kit-trust.so — thus making Firefox honour the system trust configuration.
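The two workarounds described in the report (running the system certutil against the SQL-format cert9.db/key4.db database, and replacing the bundled libnssckbi.so with a symlink to p11-kit-trust.so), worked through as a shell script. This is an added example, not code from the report or from the Ubuntu firefox package; the /usr/lib/firefox and /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so paths are assumptions for an x86_64 Ubuntu install, and the function names are mine.

```shell
#!/bin/sh
# Added example: install a corporate CA into a Firefox/Thunderbird profile that
# ships its own NSS, or point that NSS at the system trust store instead.
# Assumed Ubuntu x86_64 paths; override them via the environment if needed.
set -eu

P11_KIT_TRUST="${P11_KIT_TRUST:-/usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so}"  # assumption
FIREFOX_LIBDIR="${FIREFOX_LIBDIR:-/usr/lib/firefox}"                                   # assumption

# Report which NSS database format a profile directory holds:
# "sql" for cert9.db/key4.db, "dbm" for the legacy cert8.db/key3.db, "none" otherwise.
detect_nss_db_type() {
    profile="$1"
    if [ -f "$profile/cert9.db" ] || [ -f "$profile/key4.db" ]; then
        echo sql
    elif [ -f "$profile/cert8.db" ] || [ -f "$profile/key3.db" ]; then
        echo dbm
    else
        echo none
    fi
}

# Approach 1: add a trusted CA with the system certutil. The "sql:" prefix
# selects cert9.db/key4.db explicitly (same effect as NSS_DEFAULT_DB_TYPE=sql
# in the report), so certutil never opens the legacy format and cannot fail
# with SEC_ERROR_LEGACY_DATABASE. The "C,," trust flags mark a trusted SSL CA.
import_ca() {
    profile="$1"; nickname="$2"; pem="$3"
    if [ "$(detect_nss_db_type "$profile")" = dbm ]; then
        echo "note: $profile has only legacy cert8.db; certutil will create cert9.db/key4.db" >&2
    fi
    certutil -d "sql:$profile" -A -n "$nickname" -t "C,," -i "$pem"
    certutil -d "sql:$profile" -L -n "$nickname"   # non-zero exit if the import did not land
}

# Approach 2: replace the application's bundled libnssckbi.so (Mozilla's
# built-in root store) with a symlink to p11-kit-trust.so, so the browser
# honours the system trust configuration. Keeps the original as .orig and
# is a no-op if the symlink is already in place.
link_system_trust() {
    libdir="$1"; trust="$2"
    ckbi="$libdir/libnssckbi.so"
    if [ ! -e "$trust" ]; then
        echo "missing $trust" >&2
        return 1
    fi
    if [ -L "$ckbi" ] && [ "$(readlink "$ckbi")" = "$trust" ]; then
        return 0
    fi
    if [ -e "$ckbi" ] && [ ! -L "$ckbi" ]; then
        mv "$ckbi" "$ckbi.orig"
    fi
    ln -sf "$trust" "$ckbi"
}

# Usage (does nothing when run without arguments):
#   ./nss-trust.sh import ~/.mozilla/firefox/default.default corp-root corp-root.pem
#   sudo ./nss-trust.sh link      # needs root: /usr/lib/firefox is package-owned
case "${1:-}" in
    import) import_ca "$2" "$3" "$4" ;;
    link)   link_system_trust "$FIREFOX_LIBDIR" "$P11_KIT_TRUST" ;;
esac
```

Two caveats a deployment should plan for: the symlink lives in a directory owned by the firefox package, so a package upgrade will put the bundled libnssckbi.so back and the link step has to be re-run; and the per-profile certutil route has to be repeated for every profile and every NSS-using application (Thunderbird keeps its own copy under its own library directory), which is exactly the duplication the report is complaining about.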

Changed in firefox (Ubuntu):
status: New → Confirmed
Revision history for this message
Chris Coulson (chrisccoulson) wrote :

The Firefox we ship is deliberately as close as possible to what Mozilla provides, so this isn't going to change.

Changed in firefox (Ubuntu):
status: Confirmed → Invalid
Revision history for this message
dwmw2 (dwmw2) wrote :

Setting aside the wisdom of that response, and my surprise at discovering that the distribution even *permits* you to ship your own copy of certain libraries — *especially* security-critical libraries — in your own package instead of using the system's version.... doesn't that mean you should be shipping your own version of things like certutil and modutil, given that you now not only have your own copy of the libraries, but you even have a speshul different database format to the one that the system NSS uses, so you aren't even compatible with /usr/bin/certtool.

Revision history for this message
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in thunderbird (Ubuntu):
status: New → Confirmed