Comment 27 for bug 1647285

dwmw2 (dwmw2) wrote : Re: [Bug 1647285] Re: SSL trust not system-wide

On Thu, 2020-03-19 at 09:44 +0000, Olivier Tilloy wrote:
> It looks like symlinking firefox and thunderbird's own copies of
> libnssckbi.so to the system-wide p11-kit-trust.so is the proper way to
> fix this bug, as far as Mozilla's products are concerned.
>
> Before I proceed to doing this, I'd welcome comments from the security
> team on this approach though, as I suspect I don't understand all the
> implications.
>
> (an alternative would be building firefox/thunderbird against the
> system-wide nss, but firefox currently requires 3.50, which isn't yet in
> focal, and I suspect that requirement is being bumped often, so that
> wouldn't really work with our distribution model)

Right, don't bother trying to replace NSS just for this (although
really, having a single version of NSS on the system *would* be nice).

The interface to libnssckbi.so is a standard PKCS#11 library, and it's
perfectly reasonable to replace that in each of
firefox/thunderbird/chromium individually.
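
An audit check for the symlink approach discussed in this thread, added here as an example and not taken from the bug report or from any package: it reports whether an application's `libnssckbi.so` resolves to the system-wide `p11-kit-trust.so` or is still a private bundled copy. The function names and the application directories passed as arguments are assumptions; only the two library file names come from the thread.

```shell
#!/bin/sh
# Classify one libnssckbi.so path (hypothetical helper, not from the thread).
# Prints one of: system | bundled | dangling | other | missing
nssckbi_status() {
    lib=$1
    want=${2:-p11-kit-trust.so}     # module name as given in the thread
    if [ ! -e "$lib" ] && [ ! -L "$lib" ]; then
        echo missing; return 0
    fi
    if [ ! -L "$lib" ]; then
        echo bundled; return 0      # regular file: the app's own trust store
    fi
    target=$(readlink -f "$lib" 2>/dev/null) || target=
    if [ -z "$target" ] || [ ! -e "$target" ]; then
        echo dangling; return 0     # symlink whose target no longer exists
    fi
    case $(basename "$target") in
        "$want") echo system ;;     # follows the system-wide trust policy
        *)       echo other ;;      # symlink, but to some other module
    esac
}

# Audit each application directory given as an argument.
# Returns non-zero if any of them does not use the system-wide module.
audit_dirs() {
    rc=0
    for d in "$@"; do
        s=$(nssckbi_status "$d/libnssckbi.so")
        printf '%s\t%s\n' "$s" "$d/libnssckbi.so"
        [ "$s" = system ] || rc=1
    done
    return $rc
}

# Stand-alone use: pass the application directories to check.
if [ $# -gt 0 ]; then
    audit_dirs "$@"
fi
```

A `bundled` or `dangling` result after a package upgrade means the application has gone back to its own trust store, or has no trust module at all, so locally added CAs and distrust entries no longer apply to it.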