From 42e25d855fa959b7832fbdbc0a384294460d9258 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Tue, 8 Jun 2021 20:29:28 +0200 Subject: [PATCH 1/2] firefox: use nss without p11-kit Quickfix to allow firefox to recognize certificates as trusted by Mozilla. Related: #126065 --- pkgs/applications/networking/browsers/firefox/common.nix | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/pkgs/applications/networking/browsers/firefox/common.nix b/pkgs/applications/networking/browsers/firefox/common.nix index e35fd6ca701b..a44fb2032f48 100644 --- a/pkgs/applications/networking/browsers/firefox/common.nix +++ b/pkgs/applications/networking/browsers/firefox/common.nix @@ -116,7 +116,9 @@ let then overrideCC stdenv llvmPackages.clangUseLLVM else stdenv; - nss_pkg = if lib.versionOlder ffversion "83" then nss_3_53 else nss; + # Disable p11-kit support in nss until our cacert packages has caught up exposing CKA_NSS_MOZILLA_CA_POLICY + # https://github.com/NixOS/nixpkgs/issues/126065 + nss_pkg = if lib.versionOlder ffversion "83" then nss_3_53 else nss.override { useP11kit = false; }; # --enable-release adds -ffunction-sections & LTO that require a big amount of # RAM and the 32-bit memory space cannot handle that linking From 2d4ed9bae6f9c80d75cf5ef18ccdac85cf889ff3 Mon Sep 17 00:00:00 2001 From: Martin Weinelt Date: Wed, 9 Jun 2021 00:32:53 +0200 Subject: [PATCH 2/2] nixos/tests/custom-ca: disable firefox test integration Firefox has been decoupled from the system certificate store since the nss p11-kit integration in combination with our cacert package does not expose CKA_NSS_MOZILLA_CA_POLICY, which among other things is required for addon updates. --- nixos/tests/custom-ca.nix | 20 +++++++++++++++++--- 1 file changed, 17 insertions(+), 3 deletions(-) diff --git a/nixos/tests/custom-ca.nix b/nixos/tests/custom-ca.nix index 7ce1101911db..26f29a3e68fe 100644 --- a/nixos/tests/custom-ca.nix +++ b/nixos/tests/custom-ca.nix @@ -107,8 +107,15 @@ in ''; }; - environment.systemPackages = with pkgs; - [ xdotool firefox chromium falkon midori ]; + environment.systemPackages = with pkgs; [ + xdotool + # Firefox was disabled here, because we needed to disable p11-kit support in nss, + # which is why it will not use the system certificate store for the time being. + # firefox + chromium + falkon + midori + ]; }; testScript = '' @@ -145,7 +152,14 @@ in with subtest("Unknown CA is untrusted in curl"): machine.fail("curl -fv https://bad.example.com") - browsers = ["firefox", "chromium", "falkon", "midori"] + browsers = [ + # Firefox was disabled here, because we needed to disable p11-kit support in nss, + # which is why it will not use the system certificate store for the time being. + # "firefox", + "chromium", + "falkon", + "midori" + ] errors = ["Security Risk", "not private", "Certificate Error", "Security"] machine.wait_for_x()