Make Intermediate Cert Store Memory-Only for TorBrowser

User stored certs as well as the intermediate certificate store should be memory-only by default in TorBrowser. This should be easy for user certs. No so sure about intermediate ones. Need to review the relevant code first.

added MikePerryIteration20110515 actualpoints::5 component::applications/tor browser owner::mikeperry parent::2877 points::3 priority::medium resolution::fixed severity::normal status::closed type::defect labels

Trac:
Status: new to accepted
Owner: N/A to mikeperry
Component: - Select a component to Tor Browser

Trac:
Cc: N/A to lunar@debian.org

Looks like the intermediate cert store is in cert8.db, which appears to be opened by https://mxr.mozilla.org/mozilla2.0/source/security/nss/lib/softoken/legacydb/lginit.c#360

It looks like we may be able to control the use of the db file via a parameter in nss_init: https://mxr.mozilla.org/mozilla2.0/source/security/nss/lib/nss/nssinit.c#525

NSS_INIT_NOCERTDB seems to be the flag we want, and the NSS init appears to be called from nsNSSComponent::InitializeNSS(). It looks like we must hardcode this flag ourselves. But it also looks like a one-line patch for us (though adding an about:config option might make it a few lines).

It's not clear if this will explode everything or not. We'll need to test this and see what happens.

I imagine it is going to be a fun experience to try to build Firefox and learn to create a proper mercurial/git-formatted patch... otherwise this should be simple.

Trac:
Points: N/A to 3
Keywords: N/A deleted, MikePerryIteration20110515 added

Tested and this hack does in fact still allow NSS to cache intermediate certs in memory.

Can't seem to find a way to purge that cache yet, though.. Unlike #2950 (closed), it is not as simple as re-initializing NSS, sadly.

Ok, I banged on this for a while and can't seem to get it to work right. It is easy to make the intermediate cert store and other NSS dbs memory-only, but it does not appear easy to clear them at will.

It looks like Firefox's use of NSS is a crazy minefield of thread-safe and thread-unsafe accesses. I have some code that successfully re-initializes and clears NSS, but if any tabs are open with SSL pages in them, we get random segfaults and crashes.. I'm going to leave the code in the patch, but it is not run.

The pref needs to be set to the desired value at browser initialization, and cannot be toggled by Torbutton.

Trac:
Resolution: N/A to fixed
Status: accepted to closed
Actualpoints: N/A to 4

Trac:
nocertdb.diff

Patch against FF4.0

The pref name is 'security.nocertdb'. If set to true, no NSS data will get written to disk (including client certificates and PKCS tokens).

Note that the code that causes crashes is essentially the same codepath that Firefox itself uses during the profile switching event series. It may be the case that we actually need all SSL tabs to be closed for us to be able to shutdown and re-initialize NSS. In which case, we can remove the early return from this patch and still use it to clear cached certs in our implementation of "New Identity" (which would close all tabs as part of its mechanisms). But we'll want to test extensively that to make sure the race still isn't possible.

More notes to the future: It is possible that it is crashing in the cases where the profile change event would have been vetoed by the NSSComponent. I did not look into this as these cases are currently not logged. I actually altered the patch to avoid those codepaths entirely, because the prefchange is not vetoable like the profile change event is. If we could somehow create a blocking or cancel notification to our own new-identity observer event, this may be possible to do safely this way.

This kept bugging me so I banged on it some more to make the pref mimic an observer notification. I think I got it to stop crashing by checking to see if the component wanted to cancel shutdown, but the whole SSL system gets put into a broken state after a cancel, until such time as you try to shut it down again and then restart it. The cancel seems to be happening due to a long period of time between tab close and underlying SSL connection close.

So the user experience for a New-Identity based on this may not be good, unless we find a way to forcibly close any open SSL connections early.. But at least it seems to have stopped crashing.

Updating the patch.

Trac:
Actualpoints: 4 to 5

Trac:
nocertdb.2.diff

Updated patch against FF4.0. Implements observer for pref, but we still want a notify eventually.

See #2739 (moved) for the bug to work this into something that can be used for "New Identity"

Trac:
Cc: lunar@debian.org to lunar@debian.org, erinn

If this ticket is about certs then why patch disables all dbs intead only one cert.db ? Why need to init nss using NSS_NoDB_Init instead of NSS_Initialize with NSS_INIT_NOCERTDB flag?

If this ticket is about certs then why patch disables all dbs intead only one cert.db ? Why need to init nss using NSS_NoDB_Init instead of NSS_Initialize with NSS_INIT_NOCERTDB flag?

Trac:
Component: Firefox Patch Issues to Tor Browser
Status: closed to reopened
Severity: N/A to Normal
Sponsor: N/A to N/A
Resolution: fixed to N/A

Please, don't reopen tickets to ask a question.

Trac:
Status: reopened to closed
Resolution: N/A to fixed
Reviewer: N/A to N/A

closed

changed time estimate to 24h

added 40h of time spent

mentioned in issue #2951 (closed)

mentioned in issue #3177 (closed)

mentioned in issue #12998 (moved)

mentioned in issue #15197 (moved)

moved to tpo/applications/tor-browser#2949 (closed)

mentioned in issue tpo/applications/tor-browser#12998 (closed)

mentioned in issue tpo/applications/tor-browser#15197 (closed)