[Bug 1648616] [NEW] Firefox uses its own version of NSS, incompatible with system version

dwmw2 dwmw2 at infradead.org
Thu Dec 8 20:43:48 UTC 2016


Public bug reported:

Because of bug 1647285 I need to install corporate SSL CAs into the
database of each NSS-using application individually. Unfortunately it
doesn't seem to work for Firefox. Not only does Firefox ship with its
*own* version of NSS instead of using the system's version, but it even
seems to be configured very differently.

Firefox appears to use the legacy Berkeley DB database for its softokn,
in key3.db/cert8.db. However, the system's certutil won't work with that
legacy format:

$ certutil -d ~/.mozilla/firefox/default.default/ -L
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.

I can force it to use the SQL database in key4.db/cert9.db by running
with NSS_DEFAULT_DB_TYPE=sql, and then I *can* install trusted CAs with
certutil. But actually, it's much simpler to just make a symlink from
Firefox's own special copy of the SSL trust roots in libnssckbi.so, to
the system's p11-kit-trust.so — thus making Firefox honour the system
trust configuration.

** Affects: firefox (Ubuntu)
     Importance: Undecided
         Status: New

https://bugs.launchpad.net/bugs/1648616
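
A read-only check for the two conditions described in the report, as an added example that is not part of the original bug report: which NSS database format a profile directory holds, and whether a given libnssckbi.so is the application's bundled root list or a symlink to p11-kit-trust.so. The function names are hypothetical, and both paths are supplied by the caller rather than taken from the report.

```shell
#!/bin/sh
# Added example: audit how a Firefox profile and its NSS trust module are wired up.
# Nothing is modified; both paths are assumptions supplied by the caller.

# Print the NSS database format found in a profile directory:
# "sql" (cert9.db/key4.db), "legacy" (cert8.db/key3.db), "both" or "none".
nss_db_format() {
    dir=$1
    has_sql=0
    has_legacy=0
    [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ] && has_sql=1
    [ -f "$dir/cert8.db" ] && [ -f "$dir/key3.db" ] && has_legacy=1
    case "$has_sql$has_legacy" in
        11) echo both ;;
        10) echo sql ;;
        01) echo legacy ;;
        *)  echo none ;;
    esac
}

# Print where a libnssckbi.so path gets its trust roots from:
# "p11-kit"    symlink resolving to a file named p11-kit-trust.so
# "bundled"    regular file (the application's own copy of the roots)
# "dangling"   symlink whose target does not exist
# "other-link" symlink to anything else
# "missing"    no such path
trust_module_source() {
    lib=$1
    if [ -L "$lib" ]; then
        [ -e "$lib" ] || { echo dangling; return; }
        target=$(readlink -f "$lib")
        case "${target##*/}" in
            p11-kit-trust.so) echo p11-kit ;;
            *) echo other-link ;;
        esac
    elif [ -f "$lib" ]; then
        echo bundled
    else
        echo missing
    fi
}

# Usage: sh audit.sh <profile-dir> <path-to-libnssckbi.so>
if [ "$#" -eq 2 ]; then
    echo "database format: $(nss_db_format "$1")"
    echo "trust module:    $(trust_module_source "$2")"
fi
```

A result of "legacy" corresponds to the SEC_ERROR_LEGACY_DATABASE failure shown above, and "bundled" means CAs added to the system trust configuration are not seen through that module.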