[Bug 1647285] Re: SSL trust not system-wide

[Michael Catanzaro]

So for the avoidance of doubt, every independent distro has its own
custom ca-certificates package with no shared history. I know Debian,
Fedora, and openSUSE all have their own completely separate upstreams.
Looking at what Fedora does is probably a good idea indeed, just keep in
mind it has no shared history with Debian's package. I took a quick look
at openSUSE's package and it looks like it has good p11-kit integration
as well. Arch uses Fedora; not sure about other independent distros.
They all use Mozilla's certificates, but Mozilla doesn't release a
package in a way that's directly usable by distros.

Debian's ca-certificates implements certificate blacklisting by putting
a ! character at the start of a line in /etc/ca-certificates.conf (which
doesn't exist on other distros). Once a certificate is removed, it stays
removed, see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743339
which was never fixed.

** Bug watch added: Debian Bug tracker #743339
   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=743339

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to p11-kit in Ubuntu.
https://bugs.launchpad.net/bugs/1647285

Title:
  SSL trust not system-wide

Status in ca-certificates package in Ubuntu:
  Confirmed
Status in firefox package in Ubuntu:
  Confirmed
Status in nss package in Ubuntu:
  Confirmed
Status in p11-kit package in Ubuntu:
  Fix Released
Status in thunderbird package in Ubuntu:
  Confirmed

Bug description:
  When I install a corporate CA trust root with update-ca-certificates,
  it doesn't seem to work everywhere. Various things like Firefox,
  Evolution, Chrome, etc. all fail to trust the newly-installed trusted
  CA.

  This ought to work, and does on other distributions. In p11-kit there
  is a module p11-kit-trust.so which can be used as a drop-in
  replacement for NSS's own libnssckbi.so trust root module, but which
  reads from the system's configured trust setup instead of the hard-
  coded version.

  This allows us to install the corporate CAs just once, and then file a
  bug against any package that *doesn't* then trust them.

  See https://fedoraproject.org/wiki/Features/SharedSystemCertificates
  for some of the historical details from when this feature was first
  implemented, but this is all now supported upstream and not at all
  distribution-specific. There shouldn't be any significant work
  required; it's mostly just a case of configuring and building it to
  make use of this functionality. (With 'alternatives' to let you
  substitute p11-kit-trust.so for the original NSS libnssckbi.so, etc.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1647285/+subscriptions