fix(cert): install MITM CA into LibreWolf NSS stores#1159
Merged
therealaleph merged 2 commits intoMay 13, 2026
Merged
Conversation
|
Would you also please add support for GNU IceCat? |
Contributor
Author
Done, please test and report back. |
therealaleph
added a commit
that referenced
this pull request
May 13, 2026
…all (#251, #1145) v1.9.25 ships two bug fixes from @dazzling-no-more: - #1143 (#251): Android Full-mode `udpgw magic IP` moved from 198.18.0.1 → 192.0.2.1 to avoid clash with tun2proxy's virtual-DNS allocator range. Resolves "Google + most websites silently broken while Telegram works" on Android Full mode. Back-compat: legacy IP still recognised by tunnel-node for one deprecation cycle. - #1159 (#1145): MITM CA now installs into LibreWolf NSS stores alongside Firefox. Closes `MOZILLA_PKIX_ERROR_MITM_DETECTED` HSTS lockout on LibreWolf. Same class as already-closed #955/#959. Cargo.toml bump (1.9.24 → 1.9.25) came in via #1143. This commit amends the pre-baked v1.9.25 changelog to include #1159 and refreshes Cargo.lock. 239 lib tests + 38 tunnel-node tests pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
3 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem
Issue #1145: LibreWolf users get
MOZILLA_PKIX_ERROR_MITM_DETECTEDwhen visiting HSTS-protected sites (bing.com, youtube.com, ...) through MasterHttpRelayVPN's MITM mode. HSTS gives no "Add Exception" affordance, so the user is fully locked out of those sites despite the OS-level CA install having succeeded.Root cause:
cert_installer.rsonly scanned Firefox profile roots (~/.mozilla/firefox, the snap variant,%APPDATA%\Mozilla\Firefox\Profiles,~/Library/Application Support/Firefox/Profiles). LibreWolf is a Firefox fork with strict privacy defaults; it shares Firefox's NSS DB layout and respects the samesecurity.enterprise_roots.enabledpref, but stores its profile tree under its own app dir. Neither the per-profilecertutil -Ainstall nor theuser.jsenterprise-roots auto-trust fallback ever touched LibreWolf, so the browser never trusted our CA.Same failure mode behind already-closed #955 and #959 (Firefox-fork users reporting the identical "secure connection could not be established" symptom).
Fix
Extend Mozilla-family profile discovery to cover LibreWolf on every supported platform. No behavioural change for Firefox installs.
Changes in
src/cert_installer.rsfirefox_profile_dirs()→mozilla_family_profile_dirs(). Same flat-vec return type so all five call sites read identically; the rename is signposting only.mozilla_family_profile_roots(os, home, appdata, xdg_config_home): pure helper returning the per-OS root list. Takes env values as args so unit tests pin the layout without env mutation or filesystem touches.discover_profile_dirs(roots): pure FS-walker that filters each root's children to those containingcert9.db(NSS sql:) orcert8.db(legacy dbm:). Splitting it out lets a tempdir test cover the filter directly instead of indirectly through env-coupled callers.~/Library/Application Support/LibreWolf/Profiles%APPDATA%\LibreWolf\Profiles~/.librewolf— legacy Firefox-style layout, still present on older installs.${XDG_CONFIG_HOME:-~/.config}/librewolf/librewolf— current XDG layout (emptyXDG_CONFIG_HOMEis treated as unset per the XDG Base Directory spec).~/.var/app/io.gitlab.librewolf-community/for the Flatpak sandbox, which redirects HOME inside the container.enable_firefox_enterprise_roots→enable_mozilla_enterprise_roots(anddisable_*likewise), since the pref now gets written for LibreWolf profiles too. Three internal log strings (firefox profile {} ...) updated tomozilla profile {}so debug output reflects the broader scope.Firefox/LibreWolf/Chromeinstead ofFirefox/Chrome, so LibreWolf users see actionable guidance when something needs manual cleanup.Non-changes (deliberate)
~/.librewolfand Windows%USERPROFILE%\.librewolf— both appear in the LibreWolf docs but only aslibrewolf.overrides.cfg(the autoconfig file) locations, not as profile-data locations containingcert9.db. Including them would mean scanning paths we have no evidence are profile roots. If users report MITM_DETECTED on those layouts, a one-line addition + test covers it.Test plan
cargo test --lib— 239 passing (was 236 pre-patch + 8 new incert_installer).cargo build— clean.rustfmt --check src/cert_installer.rs— clean.XDG_CONFIG_HOMEfalls back to default; missing%APPDATA%no-ops; unknown OS yields empty).discover_profile_dirsconstructsabc.default/cert9.db,legacy.profile/cert8.db, a sibling dir without a DB, and a strayprofiles.inifile plus a non-existent root — asserts only the two real profiles come back.mhrv-rs-ui, restart LibreWolf, visit https://bing.com — expect the page to load instead ofMOZILLA_PKIX_ERROR_MITM_DETECTED. (Recommend issue reporter @persiansunny re-run the original repro from bing any popular site #1145 to confirm.)Closes #1145. Likely also addresses #955 and #959 (same root cause class), though those users would need to confirm.