firefox: use nss without p11-kit

Quickfix to allow firefox to recognize certificates as trusted by Mozilla. Related: #126065 (cherry picked from commit 42e25d855fa959b7832fbdbc0a384294460d9258)
2021-06-08 20:29:28 +02:00 · 2021-06-08 20:29:28 +02:00 · 0647103d18
parent 60cce7e5e1
commit 0647103d18
1 changed files with 3 additions and 1 deletions
--- a/pkgs/applications/networking/browsers/firefox/common.nix
+++ b/pkgs/applications/networking/browsers/firefox/common.nix
@ -122,7 +122,9 @@ let
                then overrideCC stdenv llvmPackages.clangUseLLVM
                else stdenv;

-  nss_pkg = if lib.versionOlder ffversion "83" then nss_3_53 else nss;
+  # Disable p11-kit support in nss until our cacert packages has caught up exposing CKA_NSS_MOZILLA_CA_POLICY
+  # https://github.com/NixOS/nixpkgs/issues/126065
+  nss_pkg = if lib.versionOlder ffversion "83" then nss_3_53 else nss.override { useP11kit = false; };

  # --enable-release adds -ffunction-sections & LTO that require a big amount of
  # RAM and the 32-bit memory space cannot handle that linking