Launchpad has imported 2 comments from the remote bug at https://bugzilla.mozilla.org/show_bug.cgi?id=1820348.
If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking. ------------------------------------------------------------------------ On 2023-03-04T16:42:51+00:00 Bartłomiej Żogała wrote: Steps to reproduce: I've faced an issue with all browsers relying in libnss refusing ever X.509 certificate. I've hard time to debug it through months due to not enough information returned from libnss. It was in detail described here: https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1960736 Actual results: Root issue is that libnss returned [23391:23426:0213/133531.202486:ERROR:nss_util.cc(286)] After loading Root Certs, loaded==false: NSS error code: -8018 In my case the root cause was poor quality code written by local government agency known for infringing LGPG licence. The configuration change was deployed when installing their PKCS#11 related software and lack of proper debug from Libnss cause I was not able to connect cause and the effect. Expected results: Instead of displaying code which couldn't be googled NSS should return full human readable error name ' SEC_ERROR_UNKNOWN_PKCS11_ERROR' - in way it does for other errors of same kind. Reply at: https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1960736/comments/8 ------------------------------------------------------------------------ On 2023-03-07T20:01:34+00:00 Dkeeler wrote: This is a bug in Chromium, not NSS. You can file a bug here: https://bugs.chromium.org/p/chromium/issues/list Reply at: https://bugs.launchpad.net/ubuntu/+source/nss/+bug/1960736/comments/10 ** Changed in: nss Status: Unknown => Invalid -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to nss in Ubuntu. https://bugs.launchpad.net/bugs/1960736 Title: Libnss3 doesn't log SEC_ERROR_UNKNOWN_PKCS11_ERROR properly ( NSS error code: -8018 ) Status in NSS: Invalid Status in nss package in Ubuntu: New Bug description: I've got the issue with Google Chrome not recognizing any of SSL/TSL certificates as trusted. When I look into certificate checksums it's renders all bytes of it as NULL bytes. I'm aware Google Chrome is proprietary but it depends on ubuntu provided libnss3-package. And libnss provides very nigmatic error code -8018: `/opt/google/chrome$ google-chrome [23391:23426:0213/133531.202486:ERROR:nss_util.cc(286)] After loading Root Certs, loaded==false: NSS error code: -8018 [23434:23434:0213/133531.266711:ERROR:sandbox_linux.cc(377)] InitializeSandbox() called with multiple threads in process gpu-process. [23391:23427:0213/133531.313065:ERROR:cert_verify_proc_builtin.cc(681)] CertVerifyProcBuiltin for accounts.google.com failed: ----- Certificate i=3 (CN=GlobalSign Root CA,OU=Root CA,O=GlobalSign nv-sa,C=BE) ----- ERROR: No matching issuer found ' When trying to enter this particular error code into search engine nothing is found. So my suggestion with this bug is to make it more transparent by providing information to what happened - it seems other bug codes has better error messages. To get SEC_ERROR_UNKNOWN_PKCS11_ERROR string I was force to download source code and manually calculate offsets. Another issue is if failing to initialize PKCS11 token should make whole SSL/TLS crypto invalid ? I'm not sure if this is libnss or Google Chrome issue but it behaves differently in Chromium browser with same libnss so I assume either of two is doing better - it's worth to review this from security perspective. ProblemType: Bug DistroRelease: Ubuntu 18.04 Package: libnss3 2:3.35-2ubuntu2.13 Uname: Linux 5.10.0-051000rc6-generic x86_64 ApportVersion: 2.20.9-0ubuntu7.27 Architecture: amd64 CurrentDesktop: ubuntu:GNOME Date: Sun Feb 13 13:33:51 2022 Dependencies: gcc-8-base 8.4.0-1ubuntu1~18.04 libc6 2.27-3ubuntu1.5 [origin: LP-PPA-ubuntu-security-proposed] libgcc1 1:8.4.0-1ubuntu1~18.04 libnspr4 2:4.18-1ubuntu1 libsqlite3-0 3.22.0-1ubuntu0.4 InstallationDate: Installed on 2015-05-08 (2473 days ago) InstallationMedia: Ubuntu 15.04 "Vivid Vervet" - Release amd64 (20150422) ProcEnviron: TERM=xterm-256color PATH=(custom, no user) XDG_RUNTIME_DIR=<set> LANG=pl_PL.UTF-8 SHELL=/bin/bash SourcePackage: nss UpgradeStatus: Upgraded to bionic on 2018-08-26 (1266 days ago) To manage notifications about this bug go to: https://bugs.launchpad.net/nss/+bug/1960736/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp
