Consolation Prize
I spent some time banging my head against SSL certificate stuff this weekend in the hopes of implementing a Really Awesome Solution to this awful Firefox security theater thing everyone was complaining about, but I didn't get anywhere. However, I noticed something interesting: Mozilla does not trust the CAcert root certificate. A number of useful sites, like Freedesktop.org's bug tracker, use a CAcert-signed certificate rather than a self-signed one.
I really know nothing about this organization, but they seem to have their stuff together, and if you run a largish free software project, you could potentially save a lot of people the trouble of checking yet another self-signing CA. Around the lab, or in one of my tiny projects, I don't think I'd bother, but it is free.
Anyway, we ship their root CA thing in Debian, and OpenSSL stuff picks it up fine. Mozilla's process is somewhat more mysterious. There's an apparently hardcoded list of the usual thugs from the Verisign/Thawte/etc protection racket, and then there's a database in each user profile for whack-a-mole stuff. There is not, shockingly enough, somewhere for an operating system to set system certificate policy. (I guess there is not much room for an operating system in the Mozilla world-view at all). So you have to shove it in there once for every user times every single profile.
Here is the command to do it.
- apt-get install libnss3-tools
- certutil -d $HOME/.mozilla/firefox/$HLAGHLLAGHGAAHLGALHHGHLAGH.default -A -n 'CA Cert Signing Authority - Root CA' -t CT,C,C -i /etc/ssl/certs/root.pem
It's only slight pain relief, but it's something. You can also not install certutil, and click through ten million dialog boxes to import it, but screw that.
UPDATE: A commenter points me to StartSSL, another service that may deserve a look here, and is on Mozilla's good side. It appears to be an unholy mix of things that sound awesome (client-side certs for OpenID, web-of-trust identification) and things that seriously skeeve me out (trademark symbols everywhere, Aladdin dongles). They, uh, also have a Linux distribution. No, really.
UPDATE 2: James Andrewartha points out that we should eventually see Mozilla move this stuff out of libnssckbi.so and into SQLite, which sounds like a big win for us. Hopefully before that time I will figure out how to get sqlite(1) to work on my cookies.