Merge pull request #126358 from NixOS/backport-126271-to-release-21.05

nixos/tests/custom-ca.nix

@@ -107,8 +107,15 @@ in
           '';
         };
 
-      environment.systemPackages = with pkgs;
+      environment.systemPackages = with pkgs; [
-        [ xdotool firefox chromium falkon midori ];
+        xdotool
+        # Firefox was disabled here, because we needed to disable p11-kit support in nss,
+        # which is why it will not use the system certificate store for the time being.
+        # firefox
+        chromium
+        falkon
+        midori
+      ];
     };
 
   testScript = ''
@@ -145,7 +152,14 @@ in
     with subtest("Unknown CA is untrusted in curl"):
         machine.fail("curl -fv https://bad.example.com")
 
-    browsers = ["firefox", "chromium", "falkon", "midori"]
+    browsers = [
+      # Firefox was disabled here, because we needed to disable p11-kit support in nss,
+      # which is why it will not use the system certificate store for the time being.
+      # "firefox",
+      "chromium",
+      "falkon",
+      "midori"
+    ]
     errors = ["Security Risk", "not private", "Certificate Error", "Security"]
 
     machine.wait_for_x()

pkgs/applications/networking/browsers/firefox/common.nix

@@ -122,7 +122,9 @@ let
                 then overrideCC stdenv llvmPackages.clangUseLLVM
                 else stdenv;
 
-  nss_pkg = if lib.versionOlder ffversion "83" then nss_3_53 else nss;
+  # Disable p11-kit support in nss until our cacert packages has caught up exposing CKA_NSS_MOZILLA_CA_POLICY
+  # https://github.com/NixOS/nixpkgs/issues/126065
+  nss_pkg = if lib.versionOlder ffversion "83" then nss_3_53 else nss.override { useP11kit = false; };
 
   # --enable-release adds -ffunction-sections & LTO that require a big amount of
   # RAM and the 32-bit memory space cannot handle that linking