
Fix certificate validation on Fedora/RHEL #146545

Merged
merged 3 commits into from
Nov 20, 2021

Conversation

rnhmjoj
Contributor

@rnhmjoj rnhmjoj commented Nov 18, 2021

Motivation for this change

Fix certificate validation on Fedora and RHEL.
Also see this thread and the commit messages.

Things done
  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandbox = true set in nix.conf? (See Nix manual)
  • Tested via nixosTests.custom-ca after unlinking /etc/ssl.
  • Tested compilation of all packages that depend on this change
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 21.11 Release Notes (or backporting 21.05 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Fedora and RHEL use a different location for the trust store, compared
to other distros. Without this, validation of the CA root certificates
fails in all nss applications.

GnuTLS has a single hard-coded location for the system trust store,
currently set to the path used by NixOS, Debian, Arch, Gentoo, etc.
Since not all distributions use the same path, notably Fedora and RHEL,
the certificate validation will break on some non-NixOS systems.

This can be solved by enabling the p11-kit integration, so that by
default p11-kit (properly configured for all major distros) will provide
GnuTLS with the CA roots through the PKCS #11 API.

- allocate more memory (yay!)
- fix processes not being really killed
- fix firefox process hanging
- remove the p11-kit log: it's not really useful
@rnhmjoj
Contributor Author

rnhmjoj commented Nov 18, 2021

I tested practically every browser and the validation is working everywhere.
There's only openssl/libressl left: they don't support PKCS #11 and have a single hardcoded location, so I don't think it's possible to make them work on all distributions.
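The mismatch described in the commit messages above (one compiled-in trust-store path that is right for NixOS, Debian or Arch but wrong for Fedora and RHEL) can be checked on a given host with a small probe. The script below is an added example and is not part of this PR or of nixpkgs: it walks the usual distribution default locations of the CA bundle, picks the first non-empty one, counts the PEM certificates in it as a sanity check, and prints the `SSL_CERT_FILE` export that OpenSSL and LibreSSL honour, which is the per-process workaround for the two libraries the comment above says cannot use p11-kit. The candidate path list and the root-directory argument (used so the probe can be run against a chroot or a test tree) are this example's own choices.

```shell
# Added example (not nixpkgs code): locate the system CA bundle on the
# current distribution instead of relying on a single hard-coded path.

# Candidate bundle files relative to the root directory, in probe order.
# These are the usual distribution defaults; extend as needed.
CA_BUNDLE_CANDIDATES="
etc/ssl/certs/ca-certificates.crt
etc/pki/tls/certs/ca-bundle.crt
etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
etc/ssl/ca-bundle.pem
etc/ssl/cert.pem
"
# 1: NixOS, Debian/Ubuntu, Arch, Gentoo   2-3: Fedora/RHEL
# 4: openSUSE                              5: Alpine, *BSD

find_ca_bundle() {
    # $1: root directory to probe (default "/"). Prints the first
    # non-empty bundle found and returns 0; returns 1 if none exists.
    root="${1:-/}"
    for rel in $CA_BUNDLE_CANDIDATES; do
        path="${root%/}/$rel"
        if [ -s "$path" ]; then
            printf '%s\n' "$path"
            return 0
        fi
    done
    return 1
}

bundle_cert_count() {
    # Number of PEM certificates in the bundle at $1, so that an empty
    # placeholder file is not mistaken for a working trust store.
    # grep -c exits 1 when the count is 0; the count is still printed.
    grep -c -- '-----BEGIN CERTIFICATE-----' "$1" || true
}

report_trust_store() {
    # Print what was found and the environment override that OpenSSL
    # and LibreSSL honour for hosts whose bundle is not at the
    # compiled-in location. Returns 1 when no bundle was found.
    root="${1:-/}"
    if bundle=$(find_ca_bundle "$root"); then
        n=$(bundle_cert_count "$bundle")
        echo "trust store: $bundle ($n certificates)"
        echo "export SSL_CERT_FILE=$bundle"
        return 0
    fi
    echo "no system trust store found under $root" >&2
    return 1
}

# Stand-alone use: probe the running system (or a root given as $1).
report_trust_store "${1:-/}" || :
```

Running it on a Fedora host prints the `/etc/pki/tls/certs/ca-bundle.crt` path, on Debian or NixOS the `/etc/ssl/certs/ca-certificates.crt` path; a zero certificate count or a "no system trust store found" message is the condition under which a library with a single hard-coded path will fail validation.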

Contributor

@jonringer jonringer left a comment


LGTM

will need to be backported post-branch-off

@nixos-discourse

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/certificate-validation-broken-in-all-electron-chromium-apps-and-browsers/15962/13

@SuperSandro2000 SuperSandro2000 merged commit 79f22e5 into NixOS:staging Nov 20, 2021
@rnhmjoj rnhmjoj deleted the pr-p11kit-fedora-staging branch July 10, 2023 13:59