maemo.org - Talk > OS / Platform > Maemo 5 / Fremantle
  #1  
Old 2016-02-09, 05:10
jonwil
Looking for help from anyone who knows anything about nss/ssl/certs/etc

I updated the root certificate set in maemo-security-certman (and hence microb) to the latest Mozilla root certificate set and now some sites have stopped working (e.g. https://www.microsoft.com and anything using Entrust certificates, including https://www.entrust.com itself). These sites work just fine with the previous maemosec-certman-common-ca version but not the new set.

Is there anyone out there who knows anything about SSL, certificate authorities, NSS etc. who can help me figure out why sites that work fine with the old set of root certificates somehow don't work with the new set?
  #2  
Old 2016-02-09, 06:26
jonwil
Re: Looking for help from anyone who knows anything about nss/ssl/certs/etc

I tested with openssl s_client and the new set of root CAs, and sites that fail in microb work in openssl, so that suggests it's microb-engine or NSS failing somewhere.
  #3  
Old 2016-02-09, 06:38
Feathers McGraw
Re: Looking for help from anyone who knows anything about nss/ssl/certs/etc

Did you run the c_rehash command to generate symlinks that match the certificate hashes? Some apps can't find the right root cert without them.
  #4  
Old 2016-02-09, 06:59
jonwil
Re: Looking for help from anyone who knows anything about nss/ssl/certs/etc

c_rehash is run automatically by the postinst script for maemosec-certman-common-ca, so it's covered.
Microb/nss isn't using the files c_rehash creates in any case.
  #5  
Old 2016-02-09, 07:56
Feathers McGraw
Re: Looking for help from anyone who knows anything about nss/ssl/certs/etc

Haven't some types of cert validation been retired recently (was it MD5?). Maybe microb is missing the mechanism that replaces it - presumably that's what changed with the new certificates?

Edit: see here http://blog.cacert.org/2015/12/re-si...t-certificate/

Last edited by Feathers McGraw; 2016-02-09 at 09:58. Reason: add link
  #6  
Old 2016-02-09, 10:33
jonwil
Re: Looking for help from anyone who knows anything about nss/ssl/certs/etc

Have further verified that the CA certificates are not broken (and that NSS or Gecko is at fault) by running cmcli -T common-ca -v www.microsoft.com:443 and similar on various domains that are broken.

So now I am going to read the microb-engine source code and find where the error I get comes from, and then get into microb-engine/nss via GDB and trace to see why it's giving the error in question.
  #7  
Old 2016-02-10, 07:23
Ilew
Re: Looking for help from anyone who knows anything about nss/ssl/certs/etc

Have you tried running nsscfg and copying the db files generated to /home/user/.mozilla/microb/*.db?

The db files are:
key3.db
cert8.db
secmod.db
  #8  
Old 2016-02-10, 08:15
jonwil
Re: Looking for help from anyone who knows anything about nss/ssl/certs/etc

That doesn't help since the root certificates aren't connected to those 3 .db files.

At this point I am now convinced that something in some of the new root certificates (new PKCS#11 extension, new algorithm, new flags, something removed or whatever) is not supported by the NSS/security code we have in the current microb-engine codebase. How we can update NSS (and make any necessary changes elsewhere in the microb-engine code to support new things like newer TLS versions and stuff) is something I am playing with, although I haven't figured it out yet.
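Added example (editor's note, not code from maemo-security-certman, microb-engine, NSS or any poster in this thread): jonwil's hypothesis in the post above is that something in the new roots (a new algorithm, extension or flag) is not understood by the old NSS, and Feathers McGraw's earlier post raises retired MD5/SHA-1 signatures. One way to triage that offline is to run both bundles through a script that lists, per certificate, the signature algorithm, key type and size, and extension OIDs, then diff the two reports. The script below does that with only the Python standard library, parsing the DER by hand. Its OID table is deliberately small so anything outside it shows up as a bare dotted OID; the sample roots it builds are constructed, unsigned fixtures, not real CA certificates, and the bundle path you feed it (e.g. the common-ca store jonwil mentions) is whatever your installation uses.

```python
"""Triage a PEM root-CA bundle with only the Python standard library (added example, not code from
maemo-security-certman, microb-engine or NSS): report signature algorithm, key and extension OIDs."""
import base64
import re

OID_NAMES = {  # names for the report; anything not listed is shown as a dotted OID
    "1.2.840.113549.1.1.1": "rsaEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.10045.2.1": "id-ecPublicKey",
    "1.2.840.10045.4.3.3": "ecdsa-with-SHA384",
    "1.3.132.0.34": "secp384r1",
    "2.5.29.19": "basicConstraints",
}
WEAK_SIG_OIDS = {"1.2.840.113549.1.1.4", "1.2.840.113549.1.1.5"}  # MD5- and SHA-1-based signatures

def _children(buf):
    # Decode consecutive DER tag-length-value items in buf into [(tag, value), ...]
    out, pos = [], 0
    while pos < len(buf):
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits give the number of length octets
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        out.append((tag, buf[pos:pos + length]))
        pos += length
    return out

def _decode_oid(value):
    arcs, n = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, n = arcs + [n], 0
    return ".".join(map(str, arcs))

def inspect_cert(der):
    tbs, sig_alg, _sig = _children(_children(der)[0][1])  # Certificate ::= SEQ { tbs, alg, sig }
    fields = _children(tbs[1])
    if fields[0][0] == 0xA0:                    # skip the optional [0] EXPLICIT version
        fields = fields[1:]
    # fields: serial, signature, issuer, validity, subject, spki, [uids], [3] extensions
    sig_oid = _decode_oid(_children(sig_alg[1])[0][1])
    spki_alg, spki_key = _children(fields[5][1])
    alg_parts = _children(spki_alg[1])
    key_oid = _decode_oid(alg_parts[0][1])
    key = OID_NAMES.get(key_oid, key_oid)       # fallback for key types not handled below
    if key_oid == "1.2.840.113549.1.1.1":     # RSAPublicKey SEQ inside the BIT STRING
        rsa_key = _children(spki_key[1][1:])[0][1]   # [1:] skips the unused-bits octet
        key = "RSA-%d" % int.from_bytes(_children(rsa_key)[0][1], "big").bit_length()
    elif key_oid == "1.2.840.10045.2.1":      # EC: the parameters OID names the curve
        curve = _decode_oid(alg_parts[1][1])
        key = "EC/" + OID_NAMES.get(curve, curve)
    exts = [_decode_oid(_children(e)[0][1]) for tag, value in fields[6:] if tag == 0xA3
            for _, e in _children(_children(value)[0][1])]  # [3] EXPLICIT SEQUENCE OF Extension
    return {"signature": OID_NAMES.get(sig_oid, sig_oid), "weak_signature": sig_oid in WEAK_SIG_OIDS,
            "key": key, "extensions": [OID_NAMES.get(o, o) for o in exts],
            "unknown_extensions": [o for o in exts if o not in OID_NAMES]}

def summarize_bundle(pem_text):
    blocks = re.findall(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    return [inspect_cert(base64.b64decode("".join(b.split()))) for b in blocks]

# --- constructed fixture: a minimal DER encoder and three unsigned fake roots (not real CAs) ---
def _tlv(tag, body):
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body
def _enc_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a > 0x7F:
            a >>= 7
            chunk.append(0x80 | (a & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))
def _alg_id(oid, params=b"\x05\x00"):
    return _tlv(0x30, _enc_oid(oid) + params)
def _fake_root(sig_oid, spki, ext_oids):   # syntactically valid X.509 v3 shell with a dummy signature
    name = _tlv(0x30, _tlv(0x31, _tlv(0x30, _enc_oid("2.5.4.3") + _tlv(0x0C, b"Constructed Test Root"))))
    validity = _tlv(0x30, _tlv(0x17, b"160101000000Z") + _tlv(0x17, b"360101000000Z"))
    exts = _tlv(0xA3, _tlv(0x30, b"".join(_tlv(0x30, _enc_oid(o) + _tlv(0x04, b"\x30\x00")) for o in ext_oids)))
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + _alg_id(sig_oid) + name + validity + name + spki + exts)
    return _tlv(0x30, tbs + _alg_id(sig_oid) + _tlv(0x03, b"\x00" * 33))
def _rsa_spki(bits):                           # modulus 00 80 00 .. 00 has exactly `bits` bits
    rsa_key = _tlv(0x30, _tlv(0x02, b"\x00\x80" + b"\x00" * (bits // 8 - 1)) + _tlv(0x02, b"\x01\x00\x01"))
    return _tlv(0x30, _alg_id("1.2.840.113549.1.1.1") + _tlv(0x03, b"\x00" + rsa_key))
def _ec_spki(curve_oid, coord_len):            # uncompressed point with dummy coordinates
    return _tlv(0x30, _alg_id("1.2.840.10045.2.1", _enc_oid(curve_oid)) + _tlv(0x03, b"\x00\x04" + b"\x11" * (2 * coord_len)))
def build_test_bundle():
    """Constructed PEM bundle: MD5/RSA-1024, SHA-256/RSA-2048 and ECDSA/P-384 roots."""
    roots = [_fake_root("1.2.840.113549.1.1.4", _rsa_spki(1024), ["2.5.29.19"]),
             _fake_root("1.2.840.113549.1.1.11", _rsa_spki(2048), ["2.5.29.19"]),
             _fake_root("1.2.840.10045.4.3.3", _ec_spki("1.3.132.0.34", 48), ["2.5.29.19", "1.3.6.1.5.5.7.1.1"])]
    return "".join("-----BEGIN CERTIFICATE-----\n%s\n-----END CERTIFICATE-----\n" % base64.b64encode(r).decode() for r in roots)
```

For a real bundle call summarize_bundle(open(path).read()) on the old and the new file and diff the two outputs; summarize_bundle(build_test_bundle()) runs the constructed fixture. One caveat when reading the report: the self-signature on a trust anchor is not what makes it trusted, so a root flagged weak_signature is a compatibility clue about re-signed roots rather than a security finding on its own; the lines worth chasing in a case like this thread are key types and extension OIDs that appear only in the new set.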
  #9  
Old 2016-02-10, 10:17
Ilew
Re: Looking for help from anyone who knows anything about nss/ssl/certs/etc

I installed your deb packages to see the error but it seems to be working for me.

Any ideas?

Code:
Nokia-N900:~# apt-cache policy libmaemosec0
libmaemosec0:
  Installed: 0.2.4
  Candidate: 0.2.4
  Version table:
 *** 0.2.4 0
        100 /var/lib/dpkg/status
     0.2.3 0
        500 http://repository.maemo.org fremantle/free Packages
     0.2.2 0
        500 http://repository.maemo.org fremantle/free Packages
        500 http://maemo.merlin1991.at fremantle/free Packages
     0.2.1 0
        500 http://repository.maemo.org fremantle/free Packages
     0.2.0 0
        500 http://repository.maemo.org fremantle/free Packages
Nokia-N900:~# apt-cache policy maemosec-certman-common-ca
maemosec-certman-common-ca:
  Installed: 0.2.4
  Candidate: 0.2.4
  Version table:
 *** 0.2.4 0
        100 /var/lib/dpkg/status
     0.2.3 0
        500 http://repository.maemo.org fremantle/free Packages
     0.2.2 0
        500 http://repository.maemo.org fremantle/free Packages
        500 http://maemo.merlin1991.at fremantle/free Packages
     0.2.1 0
        500 http://repository.maemo.org fremantle/free Packages
     0.2.0 0
        500 http://repository.maemo.org fremantle/free Packages
Nokia-N900:~# apt-cache policy maemosec-certman-tools    
maemosec-certman-tools:
  Installed: 0.2.4
  Candidate: 0.2.4
  Version table:
 *** 0.2.4 0
        100 /var/lib/dpkg/status
     0.2.3 0
        500 http://repository.maemo.org fremantle/free Packages
     0.2.2 0
        500 http://repository.maemo.org fremantle/free Packages
        500 http://maemo.merlin1991.at fremantle/free Packages
     0.2.1 0
        500 http://repository.maemo.org fremantle/free Packages
     0.2.0 0
        500 http://repository.maemo.org fremantle/free Packages
Nokia-N900:~# apt-cache policy libmaemosec-certman0  
libmaemosec-certman0:
  Installed: 0.2.4
  Candidate: 0.2.4
  Version table:
 *** 0.2.4 0
        100 /var/lib/dpkg/status
     0.2.3 0
        500 http://repository.maemo.org fremantle/free Packages
     0.2.2 0
        500 http://repository.maemo.org fremantle/free Packages
        500 http://maemo.merlin1991.at fremantle/free Packages
     0.2.1 0
        500 http://repository.maemo.org fremantle/free Packages
     0.2.0 0
        500 http://repository.maemo.org fremantle/free Packages
  #10  
Old 2016-02-10, 11:54
jonwil
Re: Looking for help from anyone who knows anything about nss/ssl/certs/etc

Ok, that is very weird that it works for you when it doesn't for me.
Can you post the contents of /etc/certs and /etc/secure on your N900 so I can compare them to what I have and make sure they are the same? (shouldn't contain anything personal or private)

Also can you share the apt-cache output for libnspr4, libnss3-certs, libnss3, microb-engine-common and microb-engine?

And are you using CSSU?