SSL trust not system-wide

Bug #1647285 reported by dwmw2 on 2016-12-05
This bug affects 13 people
Affects                     Status    Importance   Assigned to   Milestone
ca-certificates (Ubuntu)              Wishlist     Unassigned
nss (Ubuntu)                          Wishlist     Unassigned
p11-kit (Ubuntu)                      Undecided    Unassigned
thunderbird (Ubuntu)                  Undecided    Unassigned

Bug Description

When I install a corporate CA trust root with update-ca-certificates, it doesn't seem to work everywhere. Various things like Firefox, Evolution, Chrome, etc. all fail to trust the newly-installed trusted CA.

This ought to work, and does on other distributions. In p11-kit there is a module p11-kit-trust.so which can be used as a drop-in replacement for NSS's own libnssckbi.so trust root module, but which reads from the system's configured trust setup instead of the hard-coded version.

This allows us to install the corporate CAs just once, and then file a bug against any package that *doesn't* then trust them.

See https://fedoraproject.org/wiki/Features/SharedSystemCertificates for some of the historical details from when this feature was first implemented, but this is all now supported upstream and not at all distribution-specific. There shouldn't be any significant work required; it's mostly just a case of configuring and building it to make use of this functionality. (With 'alternatives' to let you substitute p11-kit-trust.so for the original NSS libnssckbi.so, etc.)

dwmw2 (dwmw2) on 2016-12-05
no longer affects: network-manager-openconnect (Ubuntu)
dwmw2 (dwmw2) wrote :

It does seem that p11-kit-trust.so is working correctly. If I just make a symlink from libnssckbi.so to it, corporate trust installed by update-ca-certificates *does* work in Firefox.

Hi dwmw2,
thank you for your bug report and your help to make Ubuntu better.

I beg your pardon, as I'm clearly not an expert in this particular area, but I'll try to sort out the details of this bug report to understand what has to be done.

Currently I understand this as a feature request to make update-ca-certificates update (almost?) all certificate users in one shot.

The current default config doesn't do that.

Thanks for pointing out the links and background to this.

The answer in this thread is what I think the current state is: http://superuser.com/questions/437330/how-do-you-add-a-certificate-authority-ca-to-ubuntu
and I understand and agree that getting this as a "one shot, accept this CA" is a valid feature-request bug.

I happened to find various similar/related bugs on other projects, like Firefox for example:
https://bugzilla.mozilla.org/show_bug.cgi?id=620373
https://bugzilla.mozilla.org/show_bug.cgi?id=449498
https://bugzilla.mozilla.org/show_bug.cgi?id=454036
There might be more for others, but it seems that to fix the whole thing a distribution would need to modify all consuming packages to agree on some sort of shared path and mechanism.

Ok, so far I was just trying to wrap my head around this a bit. I guess the next step is clearly the Security Team's position on this in general, so I'm subscribing them for a statement.
Maybe they also know of past or existing approaches to this.

@Security Team - do you happen to know about this overall topic, and could you share either whatever was the outcome of such discussions in the past or OTOH what your assessment of this as a feature request would be?

Changed in ca-certificates (Ubuntu):
status: New → Incomplete
importance: Undecided → Wishlist
Changed in nss (Ubuntu):
status: New → Incomplete
importance: Undecided → Wishlist
dwmw2 (dwmw2) wrote :

The Mozilla bugs you link are a bit of a red herring. They refer to an abortive attempt by Mozilla/NSS to have a 'shared system database' in sql:/etc/pki/nssdb. The idea is that applications specify that as their NSS database and although it's obviously read-only, it automatically adds the user's database from ~/.pki/nssdb as a writeable token. This gets a step towards consistency for all NSS-using applications — but as those bugs note, not even Mozilla's own products are actually using it. You should support that anyway, but it isn't the focus of this bug.

The fix here (which has been working in Fedora for years, since you ask for existing approaches) is to replace NSS's built-in trust root module libnssckbi.so with a symlink to p11-kit-trust.so. Then you get the system's configured trust roots, instead of whatever's hard-coded into that particular instance of libnssckbi.so (and you're shipping multiple potentially different ones of those!)
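
The replacement dwmw2 describes (a symlink from libnssckbi.so to p11-kit-trust.so) is easy to verify and easy to get wrong on a system that ships several copies of libnssckbi.so. The following shell script is an added example, not code from the bug report or from the p11-kit/NSS projects: it audits every libnssckbi.so under a given root, reports which copies still carry the built-in Mozilla roots, and relinks one of them to the shared trust module while keeping a backup. The directory layout in the comments and the .nss-builtin backup suffix are assumptions for illustration; on a packaged Ubuntu system the swap should go through the packaging (the bug report suggests 'alternatives') rather than overwriting files by hand.

```shell
#!/bin/sh
# Added example (not from the bug report): audit and relink libnssckbi.so
# copies so that all NSS users read the shared system trust store.
# Assumed layout for illustration, e.g.
#   /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so        (system NSS)
#   /usr/lib/firefox/libnssckbi.so                      (bundled NSS)
#   /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so   (shared trust module)

# nssckbi_status ROOT
# Prints one line per libnssckbi.so found below ROOT:
#   "<path> shared"  - symlink resolving to p11-kit-trust.so
#   "<path> builtin" - regular file or symlink elsewhere (hard-coded roots)
nssckbi_status() {
    root="$1"
    find "$root" -name 'libnssckbi.so' 2>/dev/null | while read -r f; do
        if [ -L "$f" ]; then
            target=$(readlink -f "$f")
            case "$target" in
                *p11-kit-trust.so) echo "$f shared" ;;
                *)                 echo "$f builtin" ;;
            esac
        else
            echo "$f builtin"
        fi
    done
}

# count_builtin ROOT
# Prints the number of libnssckbi.so copies that still use built-in roots.
# A corporate CA installed with update-ca-certificates is only trusted by
# applications whose copy is counted as "shared", so the goal is 0.
count_builtin() {
    n=$(nssckbi_status "$1" | grep -c ' builtin$') || true
    echo "${n:-0}"
}

# link_to_shared NSSCKBI P11KIT_TRUST
# Replaces NSSCKBI with a symlink to P11KIT_TRUST. A regular file is kept as
# NSSCKBI.nss-builtin (assumed suffix) so the change can be reverted.
link_to_shared() {
    ckbi="$1"
    trust="$2"
    if [ ! -f "$trust" ]; then
        echo "link_to_shared: $trust does not exist, refusing to relink" >&2
        return 1
    fi
    if [ -L "$ckbi" ]; then
        rm -f "$ckbi"
    elif [ -f "$ckbi" ]; then
        mv "$ckbi" "$ckbi.nss-builtin"
    fi
    ln -s "$trust" "$ckbi"
}
```

Usage on a live system would be `nssckbi_status /usr` to list every copy, then `link_to_shared <copy> <p11-kit-trust.so>` for each one reported as builtin, and `count_builtin /usr` to confirm the result is 0. The audit is the part worth keeping: as dwmw2 notes, a distribution ships several, potentially different, libnssckbi.so instances, and any one left unlinked is an application that silently ignores the system CA store.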

Robie Basak (racb) on 2016-12-15
Changed in ca-certificates (Ubuntu):
status: Incomplete → New
Changed in nss (Ubuntu):
status: Incomplete → New
dwmw2 (dwmw2) wrote :

I believe we need to update p11-kit to v0.23.4 to make the key pinning work correctly in the recommended configuration, by adding the CKA_NSS_MOZILLA_CA_POLICY attribute.

https://bugs.freedesktop.org/show_bug.cgi?id=99453
https://bugzilla.mozilla.org/show_bug.cgi?id=1324096

dwmw2 (dwmw2) wrote :

I believe NSS wants these patches backported from 3.30:
https://bugzilla.mozilla.org/show_bug.cgi?id=1334976

Firefox has its own copy of NSS which I think as of Firefox 54 should be fine.
Thunderbird also needs fixing, I think.

Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in ca-certificates (Ubuntu):
status: New → Confirmed
Changed in nss (Ubuntu):
status: New → Confirmed
Changed in p11-kit (Ubuntu):
status: New → Confirmed
Changed in thunderbird (Ubuntu):
status: New → Confirmed
dwmw2 (dwmw2) wrote :

Any progress on fixing this?

Tomas Pospisek (tpo-deb) wrote :

Wow, unified CA management would be awesome. No more fiddling around with (and forgetting to correctly install/remove certificates in) various applications (most notably in Firefox, Chromium, wget).
