On Mon, 2014-09-08 at 10:06 +0200, Nikos Mavrogiannopoulos wrote:
> Unfortunately only NSS works. Both openssl and gnutls fail to connect to
> popular sites because of that change. It should not be assumed that the
> users of ca-certificates are only programs using nss.

[1] is an interesting read. I get the impression that certificates are being
removed as long as there is a compatible replacement that NSS can validate,
based on NSS's custom strategies for certificate validation. Is this claim
accurate?

This is a very big problem for the GNOME stack, which uses gnutls. We're
getting complaints about sites that Epiphany can't display because the CSS
fails certificate validation, or sites that don't display at all, which all
work fine in Firefox.

> I guess this is verification based on the rfc5280 path validation.
> Unlike that NSS ignores the provided trust chain and tries to construct
> a new one internally. That's interesting and happens to work around the
> issue here but it is not and must not be required for all software to
> reconstruct trust chains. The TLS is very specific on that issue, the
> chain is provided by the server.

From my perspective as an application developer who wants the Internet to
"just work," and where proper functionality is defined as "whatever Firefox
and Chrome do"... any deviation from NSS's behavior is problematic. :/ I know
this is unfortunate but that's the reality of the Internet. We have a
partially-finished port of glib-networking from gnutls to NSS, I guess for
this reason.

Intermediate cert caching is another big pain point. My university ran an
important site for years without a chain of trust, and kept closing my issue
reports until I realized that they were using Firefox to validate their chain
of trust, and the cert that had signed the only one they were sending was
cached for them. This behavior is harmful not just to other browsers, but also
to Firefox users who happen to not have that certificate cached yet.
> I do not agree. Such changes are dangerous to be performed on a stable
> release, and may introduce more issues than solve. Ca-certificates
> should not assume that NSS is its only user. That is either (1) it
> should include the trusted certificates that are still in wild use, or
> (2) it should include the intermediates of the trusted certificates that
> are in use.

I think (2) is what they're trying to do in [1], but it looks like this
relies on NSS-specific behavior. (And I'm aware that [1] is just one case
out of many.)

[1] https://bugzilla.mozilla.org/show_bug.cgi?id=986014
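As an added illustration (not part of this message, nor code from NSS, GnuTLS or ca-certificates), here is a toy Python model of the two strategies discussed in the thread: strict use of the chain exactly as the server sent it, versus NSS-style reconstruction of a path from every certificate the client knows, including locally cached intermediates. The certificate names, the retired root and the cross-signed intermediate are constructed for the example; no keys or signatures are involved.

```python
from collections import namedtuple

# Constructed toy certs: subject/issuer names only; signature checks are out of scope.
Cert = namedtuple("Cert", "subject issuer")

def validate_served_chain(served, anchors):
    """Strict RFC 5280-style use of the chain as the server sent it: each cert
    must be issued by the next one in the list, and the last one must be issued
    by a trust anchor. No searching, no substitution of other certs."""
    if not served:
        return None
    chain = [served[0]]
    for cert in served[1:]:
        if cert.subject != chain[-1].issuer:
            return None  # the served chain does not link up
        chain.append(cert)
    return chain if chain[-1].issuer in anchors else None

def reconstruct_chain(leaf, pool, anchors, depth=6):
    """NSS-like behaviour: ignore the served order and search every known cert
    (served ones plus locally cached intermediates) for any path to an anchor."""
    if leaf.issuer in anchors:
        return [leaf]
    if depth == 0:
        return None
    for cand in pool:
        if cand is not leaf and cand.subject == leaf.issuer:
            rest = reconstruct_chain(cand, pool, anchors, depth - 1)
            if rest:
                return [leaf] + rest
    return None

# Constructed scenario: an intermediate signed by a retired root, and the same
# intermediate cross-signed by a newer root that stays in the trust store.
LEAF = Cert("www.example.test", "Example Intermediate CA")
INTERMEDIATE_OLD = Cert("Example Intermediate CA", "Old 1024-bit Root")
INTERMEDIATE_CROSS = Cert("Example Intermediate CA", "Example Root G2")
ANCHORS_BEFORE = {"Old 1024-bit Root", "Example Root G2"}
ANCHORS_AFTER = {"Example Root G2"}  # old root dropped from ca-certificates

def outcomes(served, cached_intermediates, anchors):
    """Return (strict_ok, reconstructed_ok) for one server configuration."""
    strict = validate_served_chain(served, anchors)
    rebuilt = reconstruct_chain(served[0], list(served) + list(cached_intermediates), anchors)
    return strict is not None, rebuilt is not None

if __name__ == "__main__":
    print(outcomes([LEAF, INTERMEDIATE_OLD], [INTERMEDIATE_CROSS], ANCHORS_AFTER))  # (False, True)
    print(outcomes([LEAF], [INTERMEDIATE_OLD], ANCHORS_BEFORE))  # (False, True)
```

The first call models the root-removal case from [1] (the served chain ends at a root that is no longer trusted, but a cross-signed intermediate lets a reconstructing client succeed); the second models the missing-intermediate case, where only a client with that intermediate already cached gets through.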
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct