CAcert.org root certificate is not included anymore
All Iceweasel backports (including ours) now use the in-tree NSS library, that does not include the patches Debian applies to the NSS library. On the one hand, this falls under the #5870 (closed) umbrella. On the other, that’s a regression, and e.g. blocks access to our own Redmine, hence a priority higher than normal.
It’s probably not-too-hard to patch the in-tree NSS library with the relevant Debian patch(es).
Feature Branch: feature/6474-tor-browser-mozconfig