Context Navigation

source: postlfs/security/nss.xml@ 3b199d0d

Visit:

trunk

Last change on this file since 3b199d0d was c82a9ca, checked in by Bruce Dubbs <bdubbs@…>, 9 days ago
Update to nss-3.105.
Property mode set to `100644`
File size: 16.3 KB

Rev	Line
[ab4fdfc]	1	<?xml version="1.0" encoding="UTF-8"?>
[6732c094]	2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
	3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
[30f88917]	4	<!ENTITY % general-entities SYSTEM "../../general.ent">
	5	%general-entities;
	6
[09b524b]	7	<!-- for when .0 is not part of the new tarball name, but always referenced -->
[23ed085]	8	<!ENTITY nss-url "archive.mozilla.org/pub/security/nss/releases">
[299d5c54]	9
[6968e3cb]	10	<!-- micro versions-->
[fe83f5c]	11	<!--<!ENTITY nss-download-http "https://&nss-url;/NSS_3_&nss-minor-version;_&nss-micro-version;_RTM/src/nss-&nss-version;.tar.gz">-->
[02b153a]	12
[d445316]	13	<!-- no micro versions -->
[3638081]	14	<!ENTITY nss-download-http "https://&nss-url;/NSS_&nss-dir;_RTM/src/nss-&nss-version;.tar.gz">
[365c6fb]	15	<!ENTITY nss-download-ftp " ">
[c82a9ca]	16	<!ENTITY nss-md5sum "1657133aebd0f844ffe6556398ff1907">
[bc49eed]	17	<!ENTITY nss-size "73 MB">
[c82a9ca]	18	<!ENTITY nss-buildsize "305 MB (add 154 MB for tests)">
	19	<!ENTITY nss-time "0.7 SBU (with parallelism=4, add 16 SBU for tests on AMD Ryzens or at least 30 SBU on Intel machines)">
[0771e2f]	20	<!-- On my system, I got 64.2 SBU, but Bruce gets 18 SBU. -renodr -->
[b0b536c]	21	<!-- On my system, I got 63 SBU, but Xi gets ~18 SBU. -pierre (for 3.78) -->
[71e36c7]	22	<!-- On my 3400G for 3.79 I got 16 SBU -ken -->
[43fb57c]	23	<!-- Still 17 SBU for 3.81 - bdubbs -->
[65aeaa02]	24	<!-- 73 SBU but I'm on Intel. -renodr -->
[0d7f7190]	25	<!-- 3.86 amended the figures -ken
	26	3400G 14 SBU with 6.0.12, but the remeasured SBU has become very slow
	27	and maybe other people would see a ster SBU on a fresh build;
	28	i7-4790 35 SBU with 6.0.12, no failures
[e440af5]	29	Bruce's 3900X 19.3 SBU, his i7-12700K about 30 SBU, 12 failures
[7939b3d8]	30
[6848b244]	31	3.93:
	32	Passed: 69982
[7939b3d8]	33	Failed: 0
	34	Failed with core: 0
	35	ASan failures: 0
	36	Unknown status: 2
	37	TinderboxPrint:Unknown: 2
[7a6a43b]	38
	39	Test Results 3.95: (Intel i9-10900k) I got close to 70 SBU [rahul]
[8e93424]	40
[a8d72e7d]	41	Passed: 69982
	42	Failed: 0
	43	Failed with core: 0
	44	ASan failures: 0
	45	Unknown status: 2
	46	TinderboxPrint:Unknown: 2
[8e93424]	47
[7a6a43b]	48	Test Results 3.96: (AMD Ryzen 9 3900X) about 14 SBU [bdubbs]
[8e93424]	49	Passed: 70289
	50	Failed: 0
	51	Failed with core: 0
	52	ASan failures: 0
	53	Unknown status: 2
	54	TinderboxPrint:Unknown: 2
	55
[7a6a43b]	56	Test Results 3.97: (AMD Ryzen 7 1700) about 16 SBU [rahul]
[ec78b82]	57	Passed: 69809
	58	Failed: 0
	59	Failed with core: 0
	60	ASan failures: 0
	61	Unknown status: 2
	62	TinderboxPrint:Unknown: 2
	63
[7a6a43b]	64	Test results 3.98: (Intel Xeon E5-1650v3) 25 SBU [renodr]
[95cff34]	65	Tests summary:
	66	Passed: 69919
	67	Failed: 0
	68	Failed with core: 0
	69	ASan failures: 0
	70	Unknown status: 2
	71	TinderboxPrint:Unknown: 2
	72
[7a6a43b]	73	Test results 3.99: (AMD Ryzen 9 3900X) 14 SBU [bdubbs]
	74	Tests summary:
	75	Passed: 69953
	76	Failed: 0
	77	Failed with core: 0
	78	ASan failures: 0
	79	Unknown status: 2
	80	TinderboxPrint:Unknown: 2
[910936c]	81
[4071cee]	82	Test results 3.100 (Intel(R) Xeon(R) CPU E3-1245 v6, VBoxVM)
[910936c]	83	Tests summary:
	84	Passed: 71813
	85	Failed: 1
	86	Failed with core: 0
	87	ASan failures: 0
	88	Unknown status: 2
	89	TinderboxPrint:Unknown: 2
[4071cee]	90
	91	Test Results 3.103: (AMD Ryzen 7 1700 QEMU host-model) about 30 SBU [rahul]
	92	Tests summary:
	93	Passed: 73415
	94	Failed: 0
	95	Failed with core: 0
	96	ASan failures: 0
	97	Unknown status: 2
	98	TinderboxPrint:Unknown: 2
[b48b457d]	99
	100	Test Results 3.104: (Intel i9-10900k) 30 SBU [rahul]
	101	Tests summary:
	102	Passed: 73415
	103	Failed: 0
	104	Failed with core: 0
	105	ASan failures: 0
	106	Unknown status: 2
	107	TinderboxPrint:Unknown: 2
	108
[c82a9ca]	109	Test Results 3.105: (Intel i7-14700K) 16 SBU [bdubbs]
	110	Tests summary:
	111	Passed: 75943
	112	Failed: 0
	113	Failed with core: 0
	114	ASan failures: 0
	115	Unknown status: 2
	116	TinderboxPrint:Unknown: 2
[7a6a43b]	117	-->
[30f88917]	118	]>
	119
[b4ca8bb]	120	<sect1 id="nss" xreflabel="nss-&nss-version;">
[30f88917]	121	<?dbhtml filename="nss.html"?>
	122
	123	<title>NSS-&nss-version;</title>
	124
	125	<indexterm zone="nss">
	126	<primary sortas="a-NSS">NSS</primary>
	127	</indexterm>
	128
	129	<sect2 role="package">
	130	<title>Introduction to NSS</title>
	131
[9333a525]	132	<para>
	133	The Network Security Services (<application>NSS</application>) package is
	134	a set of libraries designed to support cross-platform development of
	135	security-enabled client and server applications. Applications built with
	136	NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12,
	137	S/MIME, X.509 v3 certificates, and other security standards. This is
	138	useful for implementing SSL and S/MIME or other Internet security
	139	standards into an application.
	140	</para>
[30f88917]	141
[e320358]	142	&lfs122_checked;
[e3060aa]	143
[30f88917]	144	<bridgehead renderas="sect3">Package Information</bridgehead>
	145	<itemizedlist spacing="compact">
	146	<listitem>
[9333a525]	147	<para>
	148	Download (HTTP): <ulink url="&nss-download-http;"/>
	149	</para>
[30f88917]	150	</listitem>
	151	<listitem>
[9333a525]	152	<para>
	153	Download (FTP): <ulink url="&nss-download-ftp;"/>
	154	</para>
[30f88917]	155	</listitem>
	156	<listitem>
[9333a525]	157	<para>
[0f62b2b]	158	Download MD5 sum: &nss-md5sum;
	159	</para>
[30f88917]	160	</listitem>
	161	<listitem>
[9333a525]	162	<para>
	163	Download size: &nss-size;
	164	</para>
[30f88917]	165	</listitem>
	166	<listitem>
[9333a525]	167	<para>
	168	Estimated disk space required: &nss-buildsize;
	169	</para>
[30f88917]	170	</listitem>
	171	<listitem>
[9333a525]	172	<para>
	173	Estimated build time: &nss-time;
	174	</para>
[30f88917]	175	</listitem>
	176	</itemizedlist>
	177
[299d5c54]	178	<bridgehead renderas="sect3">Additional Downloads</bridgehead>
	179	<itemizedlist spacing="compact">
	180	<listitem>
	181	<para>
	182	Required patch:
[2a4a3e4]	183	<ulink url="&patch-root;/nss-standalone-1.patch"/>
[299d5c54]	184	</para>
	185	</listitem>
[907a269]	186	<!--
[2980344]	187	<listitem>
	188	<para>
	189	Required patch for processors lacking the <quote>adx</quote>
	190	instruction set:
	191	<ulink url="&patch-root;/nss-&nss-version;-illegal_instruction-1.patch"/>
	192	</para>
	193	</listitem>
[907a269]	194	-->
[299d5c54]	195	</itemizedlist>
	196
[dd44df7e]	197	<bridgehead renderas="sect3">NSS Dependencies</bridgehead>
	198
	199	<bridgehead renderas="sect4">Required</bridgehead>
[9333a525]	200	<para role="required">
	201	<xref linkend="nspr"/>
	202	</para>
[dd44df7e]	203
	204	<bridgehead renderas="sect4">Recommended</bridgehead>
[9333a525]	205	<para role="recommended">
[96e9478]	206	<xref linkend="sqlite"/> and
	207	<xref role="runtime" linkend="p11-kit"/> (runtime)
[9333a525]	208	</para>
[dd44df7e]	209
[9333a525]	210	<para condition="html" role="usernotes">
[42ddc30]	211	Editor Notes: <ulink url="&blfs-wiki;/nss"/>
[9333a525]	212	</para>
[30f88917]	213	</sect2>
	214
	215	<sect2 role="installation">
	216	<title>Installation of NSS</title>
	217
[907a269]	218	<!--
[2c3969a]	219	<note>
	220	<para>
[2980344]	221	Some old generations processors lack an assembler instruction that
	222	is generated unconditionally by NSS-3.90. It leads to an
	223	"illegal instruction" fault when running firefox. The availability
	224	of this instruction is asserted by the <quote>adx</quote> flag
	225	in <filename>/proc/cpuinfo</filename>. If this flag is not set,
	226	apply the following patch:
[2c3969a]	227	</para>
[cd29bc9]	228	</note>
[2980344]	229
	230	<screen><userinput>grep -q adx /proc/cpuinfo \|\| \
	231	patch -Np1 -i ../nss-&nss-version;-illegal_instruction-1.patch</userinput></screen>
[2c3969a]	232
[907a269]	233	-->
[9333a525]	234	<para>
	235	Install <application>NSS</application> by running the following commands:
	236	</para>
	237
[2a4a3e4]	238	<screen><userinput>patch -Np1 -i ../nss-standalone-1.patch &&
[b6d3d395]	239
[299d5c54]	240	cd nss &&
[2beaab8]	241
[1b9bf3e]	242	make BUILD_OPT=1 \
[731d374]	243	NSPR_INCLUDE_DIR=/usr/include/nspr \
	244	USE_SYSTEM_ZLIB=1 \
	245	ZLIB_LIBS=-lz \
[af9fba4]	246	NSS_ENABLE_WERROR=0 \
[a45062d]	247	$([ $(uname -m) = x86_64 ] && echo USE_64=1) \
[2beaab8]	248	$([ -f /usr/include/sqlite3.h ] && echo NSS_USE_SYSTEM_SQLITE=1)</userinput></screen>
[9333a525]	249
	250	<para>
[4158a9b]	251	<!-- the unittest files get compiled automatically since nss-3.31.0 -->
[9e1670e1]	252	To run the tests, execute the following commands<!--(1 test is known to fail)-->:
[9333a525]	253	</para>
[30f88917]	254
[b68a004]	255	<screen remap="test"><userinput>cd tests &&
[c7768882]	256	HOST=localhost DOMSUF=localdomain ./all.sh
[b68a004]	257	cd ../</userinput></screen>
[8558044]	258
	259	<note>
[73c6f44e]	260	<para>Some information about the tests:</para>
	261	<itemizedlist spacing="compact">
	262	<listitem>
	263	<para>
[6968e3cb]	264	HOST=localhost and DOMSUF=localdomain are required.
[73c6f44e]	265	Without these variables, a FQDN is
[fef4473]	266	required to be specified and this generic way should work for
[b0b536c]	267	everyone, provided <systemitem>localhost.localdomain</systemitem>
[334db6e5]	268	is defined
	269	<phrase revision='sysv'>
	270	in <filename>/etc/hosts</filename>, as done in
	271	<ulink url="&lfs-root;/chapter09/network.html#ch-config-hosts">
	272	the LFS book</ulink>.
	273	</phrase>
	274	<phrase revision='systemd'>
	275	by the <systemitem class='library'>myhostname</systemitem>
[8f45785]	276	Name Service Switch module, as specified in
[334db6e5]	277	<ulink url="&lfs-root;/chapter08/glibc.html#conf-glibc">
	278	the LFS book</ulink>.
	279	</phrase>
[73c6f44e]	280	</para>
	281	</listitem>
	282	<listitem>
	283	<para>
[7939b3d8]	284	The tests take a long time to run. If desired there is
[8558044]	285	information in the all.sh script about running subsets of the
[73c6f44e]	286	total test suite.
	287	</para>
	288	</listitem>
	289	<listitem>
	290	<para>
	291	When interrupting the tests, the test suite
[b68a004]	292	fails to spin down test servers that are run. This leads to an
	293	infinite loop in the tests where the test suite tries to kill a server
	294	that doesn't exist anymore because it pulls the wrong PID.
[73c6f44e]	295	</para>
	296	</listitem>
	297	<listitem>
	298	<para>
[8558044]	299	Test suite results (in HTML format!) can be found at
[73c6f44e]	300	../../test_results/security/localhost.1/results.html
	301	</para>
	302	</listitem>
[0d7f7190]	303	<listitem>
	304	<para>
	305	A few tests might fail on some Intel machines for unknown reasons.
	306	</para>
	307	</listitem>
[73c6f44e]	308	</itemizedlist>
	309	</note>
[b68a004]	310
[9333a525]	311	<para>
	312	Now, as the <systemitem class="username">root</systemitem> user:
	313	</para>
	314
[2beaab8]	315	<screen role="root"><userinput>cd ../dist &&
	316
	317	install -v -m755 Linux/lib/.so /usr/lib &&
	318	install -v -m644 Linux/lib/{.chk,libcrmf.a} /usr/lib &&
	319
	320	install -v -m755 -d /usr/include/nss &&
	321	cp -v -RL {public,private}/nss/* /usr/include/nss &&
	322
[299d5c54]	323	install -v -m755 Linux*/bin/{certutil,nss-config,pk12util} /usr/bin &&
[2beaab8]	324
[2b64864b]	325	install -v -m644 Linux*/lib/pkgconfig/nss.pc /usr/lib/pkgconfig</userinput></screen>
[299d5c54]	326
[30f88917]	327	</sect2>
	328
	329	<sect2 role="commands">
	330	<title>Command Explanations</title>
	331
[9333a525]	332	<para>
	333	<parameter>BUILD_OPT=1</parameter>: This option is passed to
	334	<command>make</command> so that the build is performed with no debugging
	335	symbols built into the binaries and the default compiler optimizations are
	336	used.
	337	</para>
	338
	339	<para>
[0d7900a]	340	<parameter>NSPR_INCLUDE_DIR=/usr/include/nspr</parameter>: This option
[9333a525]	341	sets the location of the nspr headers.
	342	</para>
	343
	344	<para>
	345	<parameter>USE_SYSTEM_ZLIB=1</parameter>: This option is passed to
	346	<command>make</command> to ensure that the
	347	<filename class="libraryfile">libssl3.so</filename> library is linked to
	348	the system installed <application>zlib</application> instead of the
	349	in-tree version.
	350	</para>
	351
	352	<para>
	353	<parameter>ZLIB_LIBS=-lz</parameter>: This option provides the
	354	linker flags needed to link to the system <application>zlib</application>.
	355	</para>
[a45062d]	356
	357	<para>
	358	<command>$([ $(uname -m) = x86_64 ] && echo USE_64=1)</command>:
	359	The <parameter>USE_64=1</parameter> option is <emphasis>required on
	360	x86_64</emphasis>, otherwise <command>make</command> will try (and fail)
	361	to create 32-bit objects. The [ $(uname -m) = x86_64 ] test ensures it
	362	has no effect on a 32 bit system.
	363	</para>
	364
	365	<para>
	366	<command>([ -f /usr/include/sqlite3.h ] && echo
	367	NSS_USE_SYSTEM_SQLITE=1)</command>: This tests if
	368	<application>sqlite</application> is installed and if so it
	369	<command>echo</command>s the option NSS_USE_SYSTEM_SQLITE=1 to
	370	<command>make</command> so that
	371	<filename class="libraryfile">libsoftokn3.so</filename> will link against
	372	the system version of sqlite.
	373	</para>
[299d5c54]	374
[d65b11c]	375	<para>
[26b48ac]	376	<option>NSS_DISABLE_GTESTS=1</option>: If you don't need to run
[d65b11c]	377	NSS test suite, append this option to <command>make</command> command,
	378	to prevent the compilation of tests and save some build time.
	379	</para>
	380
[30f88917]	381	</sect2>
	382
[4a16903]	383	<sect2 role="configuration">
	384	<title>Configuring NSS</title>
	385
[47274444]	386	<para>
	387	If <xref linkend="p11-kit"/> is installed, the
	388	<application>p11-kit</application> trust module
	389	(<filename>/usr/lib/pkcs11/p11-kit-trust.so</filename>) can be used as a
	390	drop-in replacement for <filename>/usr/lib/libnssckbi.so</filename> to
	391	transparently make the system CAs available to
	392	<application>NSS</application> aware applications, rather than the static
[d1c7bee]	393	library provided by <filename>/usr/lib/libnssckbi.so</filename>. As the
[47274444]	394	<systemitem class="username">root</systemitem> user, execute the following
[01e2c90]	395	command:
[47274444]	396	</para>
[4a16903]	397
[5c69a2d]	398	<screen role="root"><userinput>ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so</userinput></screen>
[4a16903]	399
[47274444]	400	<para>
	401	Additionally, for dependent applications that do not use the internal
	402	database (<filename>/usr/lib/libnssckbi.so</filename>), the
[fef4473]	403	<filename>/usr/sbin/make-ca</filename> script included on the
[47274444]	404	<xref linkend="make-ca"/> page can generate a system wide NSS DB with the
	405	<parameter>-n</parameter> switch, or by modifying the
[0771e2f]	406	<filename>/etc/make-ca/make-ca.conf</filename> file.
[47274444]	407	</para>
[4a16903]	408
	409	</sect2>
	410
[30f88917]	411	<sect2 role="content">
	412	<title>Contents</title>
	413
	414	<segmentedlist>
	415	<segtitle>Installed Programs</segtitle>
	416	<segtitle>Installed Libraries</segtitle>
	417	<segtitle>Installed Directories</segtitle>
	418
	419	<seglistitem>
[9333a525]	420	<seg>
[299d5c54]	421	certutil, nss-config, and pk12util
[61562907]	422	</seg>
	423	<seg>
[b68a004]	424	libcrmf.a, libfreebl3.so, libfreeblpriv3.so,
	425	libnss3.so, libnssckbi.so, libnssckbi-testlib.so,
[8558044]	426	libnssdbm3.so, libnsssysinit.so, libnssutil3.so,
	427	libpkcs11testmodule.so, libsmime3.so, libsoftokn3.so,
[23ed085]	428	and libssl3.so
[61562907]	429	</seg>
	430	<seg>
	431	/usr/include/nss
[9333a525]	432	</seg>
[30f88917]	433	</seglistitem>
	434	</segmentedlist>
	435
	436	<variablelist>
	437	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
	438	<?dbfo list-presentation="list"?>
	439	<?dbhtml list-presentation="table"?>
	440
[9333a525]	441	<varlistentry id="certutil">
	442	<term><command>certutil</command></term>
	443	<listitem>
	444	<para>
	445	is the Mozilla Certificate Database Tool. It is a command-line
	446	utility that can create and modify the Netscape Communicator
	447	cert8.db and key3.db database files. It can also list, generate,
	448	modify, or delete certificates within the cert8.db file and create
	449	or change the password, generate new public and private key pairs,
	450	display the contents of the key database, or delete key pairs within
[4c24eb0a]	451	the key3.db file
[9333a525]	452	</para>
	453	<indexterm zone="nss certutil">
	454	<primary sortas="b-certutil">certutil</primary>
	455	</indexterm>
	456	</listitem>
	457	</varlistentry>
	458
[299d5c54]	459	<varlistentry id="nss-config">
	460	<term><command>nss-config</command></term>
	461	<listitem>
	462	<para>
	463	is used to determine the NSS library settings of the installed NSS
[4c24eb0a]	464	libraries
[299d5c54]	465	</para>
	466	<indexterm zone="nss nss-config">
	467	<primary sortas="b-nss-config">nss-config</primary>
	468	</indexterm>
	469	</listitem>
	470	</varlistentry>
	471
[9333a525]	472	<varlistentry id="pk12util">
	473	<term><command>pk12util</command></term>
	474	<listitem>
	475	<para>
	476	is a tool for importing certificates and keys from pkcs #12 files
	477	into NSS or exporting them. It can also list certificates and keys
[4c24eb0a]	478	in such files
[9333a525]	479	</para>
	480	<indexterm zone="nss pk12util">
	481	<primary sortas="b-pk12util">pk12util</primary>
	482	</indexterm>
	483	</listitem>
	484	</varlistentry>
[61562907]	485
[9333a525]	486	</variablelist>
[61562907]	487
[30f88917]	488	</sect2>
[61562907]	489
[30f88917]	490	</sect1>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: