[Touch-packages] [Bug 1647285] Re: SSL trust not system-wide

Mon, 12 Dec 2016 00:36:51 -0800 

@Security Team - do you happen to know about this overall topic and
could you share either whatever was the outcome of such discussions in
the past or OTOH what you assert on this as a feature request would be?

** Changed in: ca-certificates (Ubuntu)
       Status: New => Incomplete

** Changed in: ca-certificates (Ubuntu)
   Importance: Undecided => Wishlist

** Changed in: nss (Ubuntu)
       Status: New => Incomplete

** Changed in: nss (Ubuntu)
   Importance: Undecided => Wishlist

-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to nss in Ubuntu.
https://bugs.launchpad.net/bugs/1647285

Title:
  SSL trust not system-wide

Status in ca-certificates package in Ubuntu:
  Incomplete
Status in nss package in Ubuntu:
  Incomplete

Bug description:
  When I install a corporate CA trust root with update-ca-certificates,
  it doesn't seem to work everywhere. Various things like Firefox,
  Evolution, Chrome, etc. all fail to trust the newly-installed trusted
  CA.

  This ought to work, and does on other distributions. In p11-kit there
  is a module p11-kit-trust.so which can be used as a drop-in
  replacement for NSS's own libnssckbi.so trust root module, but which
  reads from the system's configured trust setup instead of the hard-
  coded version.

  This allows us to install the corporate CAs just once, and then file a
  bug against any package that *doesn't* then trust them.

  See https://fedoraproject.org/wiki/Features/SharedSystemCertificates
  for some of the historical details from when this feature was first
  implemented, but this is all now supported upstream and not at all
  distribution-specific. There shouldn't be any significant work
  required; it's mostly just a case of configuring and building it to
  make use of this functionality. (With 'alternatives' to let you
  substitute p11-kit-trust.so for the original NSS libnssckbi.so, etc.)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ca-certificates/+bug/1647285/+subscriptions

-- 
Mailing list: https://launchpad.net/~touch-packages
Post to     : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help   : https://help.launchpad.net/ListHelp

Reply via email to