CAcert.org root certificate is not included anymore
All Iceweasel backports (including ours) now use the in-tree NSS library, that does not include the patches Debian applies to the NSS library. On the one hand, this falls under the #5870 umbrella. On the other, that's a regression, and e.g. blocks access to our own Redmine, hence a priority higher than normal.
It's probably not-too-hard to patch the in-tree NSS library with the relevant Debian patch(es).
#2 Updated by intrigeri over 4 years ago
Brain dump wrt. doing this without patching the in-tree NSS library, but instead by pointing the browser to a NSS database into which we have already imported the needed CA at build or boot time:
- ideally, we would use the NSS Shared DB so that all NSS-using applications benefit from the imported certificate: https://wiki.mozilla.org/NSS_Shared_DB_Howto
- some basics about using certutil to do that are documented on the ArchWiki, the Chromium wiki, and a good blog post
- the certutil version we ship in Tails 0.22.1 only supports the old
cert8.db; these are still used in our current browser, but at some point we'll have to handle the migration to the new format
- the certutil version we ship in Tails 0.22.1 does not support the
--empty-passwordoption yet, and does not take the password from stdin, so we would have to write an expect or similar script to automate creating the NSS shared DB
pkcs11.txtfile in the shared NSS database contains the absolute path to the configuration directory, which may complicate things a bit (e.g. if we put the shared DB into
/etc/skel, then we need to mangle this file after creating the
- care must be taken not to interfere with future work (#5976)
Temporary conclusion: patching Iceweasel's in-tree NSS library seems easier. We should look into it.