On Fri, Mar 03, 2023 at 02:43:48PM +0000, Sam Morris wrote:
> FYI, the file paths in the original bug report are no longer accurate
> for Debian 12 ("bookworm").
>
> Old path: /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
> New path: /usr/lib/x86_64-linux-gnu/libnssckbi.so
>
> Commands to divert the original file and replace it with a symlink:
>
> # dpkg-divert --add --rename /usr/lib/x86_64-linux-gnu/libnssckbi.so
> # ln -sr /usr/lib/x86_64-linux-gnu/pkcs11/p11-kit-trust.so /usr/lib/x86_64-linux-gnu/libnssckbi.so
>
> Commands to clean up the old diversion:
>
> # dpkg-divert --rename --remove /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
> # dpkg -S /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so
> ... output should show that this is no longer owned by any package
> # rm /usr/lib/x86_64-linux-gnu/nss/libnssckbi.so

A convenient way to test that the above works (instead of having to
restart your browser) is to use the following tool from the
libnss3-tools package:

$ vfyserv server.example.com
Connecting to host server.example.com (addr 198.51.100.99) on port 443
Handshake Complete: SERVER CONFIGURED CORRECTLY
bulk cipher AES-256-GCM, 256 secret key bits, 256 key bits, status: 1
subject DN: CN=server.example.com,O=Example private certificate authority
issuer DN: CN=Certificate Authority,O=Example private certificate authority
0 cache hits; 0 cache misses, 0 cache not reusable
***** Connection 1 read 488 bytes total.

-- 
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
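
The end state of the commands quoted above can also be checked on disk, which catches a package upgrade silently putting the NSS built-in CA module back. This is an added example, not part of the original mail; the function name `check_nss_trust` and its return codes are assumptions of the example, and with no argument it checks the bookworm amd64 path given in the mail.

```shell
#!/bin/sh
# Added example: verify the libnssckbi.so -> p11-kit-trust.so replacement.
# Usage: check_nss_trust [LIBDIR]
# Return codes (chosen for this example):
#   0 ok, 1 not a symlink, 2 wrong or missing target,
#   3 stale pre-bookworm file still present, 4 no dpkg diversion registered.
check_nss_trust() {
    libdir=${1:-/usr/lib/x86_64-linux-gnu}
    link=$libdir/libnssckbi.so
    want=$libdir/pkcs11/p11-kit-trust.so
    old=$libdir/nss/libnssckbi.so

    # A regular file here means NSS loads its built-in CA list again,
    # so locally trusted (private) CAs are not honoured.
    [ -L "$link" ] || { echo "FAIL: $link is not a symlink"; return 1; }

    # The link must resolve to an existing p11-kit trust module.
    [ -e "$want" ] && [ "$(readlink -f "$link")" = "$(readlink -f "$want")" ] ||
        { echo "FAIL: $link does not resolve to $want"; return 2; }

    # Leftover from the pre-bookworm layout; the mail removes it.
    if [ -e "$old" ] || [ -L "$old" ]; then
        echo "FAIL: stale $old still present"; return 3
    fi

    # Only consult dpkg when checking the real system path.
    # Without a diversion, the next libnss3 upgrade overwrites the symlink.
    if [ "$libdir" = /usr/lib/x86_64-linux-gnu ] &&
       command -v dpkg-divert >/dev/null 2>&1; then
        [ -n "$(dpkg-divert --list "$link")" ] ||
            { echo "FAIL: no diversion registered for $link"; return 4; }
    fi

    echo "OK: $link -> $want"
}
```

Run `check_nss_trust` after each libnss3 or p11-kit upgrade; a non-zero return means the trust module replacement needs to be redone before relying on `vfyserv` results.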