Keystore, , ca-certificates, browser.xul.error_pages.expert_bad_cert and more basic questions

intrigeri intrigeri at debian.org
Mon Feb 24 09:52:57 UTC 2014


Hi,

Daniel Kahn Gillmor wrote (23 Feb 2014 16:25:04 GMT) :
> On 02/23/2014 11:12 AM, kwadronaut wrote:

>> * It seems like it's not relying on ca-certificates but instead using
>> its own root keystore. Is that assumption correct? If not, how can I
>> find out?

> This has always been the case for iceweasel and icedove and anything
> else that relies on libnss.

Moreover, backport builds of Iceweasel use the in-tree NSS library,
instead of the system one.

Therefore, it's not patched to add the CACert.org root certificate,
causing additional brain damage when one maintains an HTTPS service
with HSTS enabled and a certificate issued by CACert.org, and had
previously relied on Debian's default web browser to ship the needed
root CA.

Cheers,
-- 
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc



More information about the pkg-mozilla-maintainers mailing list