Context Navigation

source: postlfs/security/nss.xml@ 6075712

Visit:

trunk

Last change on this file since 6075712 was b48b457d, checked in by Rahul Chandra <rahul@…>, 2 weeks ago
Update to nss-3.104
Property mode set to `100644`
File size: 16.1 KB

Rev	Line
[ab4fdfc]	1	<?xml version="1.0" encoding="UTF-8"?>
[6732c094]	2	<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
	3	"http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
[30f88917]	4	<!ENTITY % general-entities SYSTEM "../../general.ent">
	5	%general-entities;
	6
[09b524b]	7	<!-- for when .0 is not part of the new tarball name, but always referenced -->
[23ed085]	8	<!ENTITY nss-url "archive.mozilla.org/pub/security/nss/releases">
[299d5c54]	9
[6968e3cb]	10	<!-- micro versions-->
[fe83f5c]	11	<!--<!ENTITY nss-download-http "https://&nss-url;/NSS_3_&nss-minor-version;_&nss-micro-version;_RTM/src/nss-&nss-version;.tar.gz">-->
[02b153a]	12
[d445316]	13	<!-- no micro versions -->
[3638081]	14	<!ENTITY nss-download-http "https://&nss-url;/NSS_&nss-dir;_RTM/src/nss-&nss-version;.tar.gz">
[365c6fb]	15	<!ENTITY nss-download-ftp " ">
[b48b457d]	16	<!ENTITY nss-md5sum "031cfed208aad1030cbe8cb163f0e298">
[bc49eed]	17	<!ENTITY nss-size "73 MB">
[4071cee]	18	<!ENTITY nss-buildsize "304 MB (add 149 MB for tests)">
[191e629]	19	<!ENTITY nss-time "0.8 SBU (with parallelism=4, add 16 SBU for tests on AMD Ryzens or at least 30 SBU on Intel machines)">
[0771e2f]	20	<!-- On my system, I got 64.2 SBU, but Bruce gets 18 SBU. -renodr -->
[b0b536c]	21	<!-- On my system, I got 63 SBU, but Xi gets ~18 SBU. -pierre (for 3.78) -->
[71e36c7]	22	<!-- On my 3400G for 3.79 I got 16 SBU -ken -->
[43fb57c]	23	<!-- Still 17 SBU for 3.81 - bdubbs -->
[65aeaa02]	24	<!-- 73 SBU but I'm on Intel. -renodr -->
[0d7f7190]	25	<!-- 3.86 amended the figures -ken
	26	3400G 14 SBU with 6.0.12, but the remeasured SBU has become very slow
	27	and maybe other people would see a ster SBU on a fresh build;
	28	i7-4790 35 SBU with 6.0.12, no failures
[e440af5]	29	Bruce's 3900X 19.3 SBU, his i7-12700K about 30 SBU, 12 failures
[7939b3d8]	30
[6848b244]	31	3.93:
	32	Passed: 69982
[7939b3d8]	33	Failed: 0
	34	Failed with core: 0
	35	ASan failures: 0
	36	Unknown status: 2
	37	TinderboxPrint:Unknown: 2
[7a6a43b]	38
	39	Test Results 3.95: (Intel i9-10900k) I got close to 70 SBU [rahul]
[8e93424]	40
[a8d72e7d]	41	Passed: 69982
	42	Failed: 0
	43	Failed with core: 0
	44	ASan failures: 0
	45	Unknown status: 2
	46	TinderboxPrint:Unknown: 2
[8e93424]	47
[7a6a43b]	48	Test Results 3.96: (AMD Ryzen 9 3900X) about 14 SBU [bdubbs]
[8e93424]	49	Passed: 70289
	50	Failed: 0
	51	Failed with core: 0
	52	ASan failures: 0
	53	Unknown status: 2
	54	TinderboxPrint:Unknown: 2
	55
[7a6a43b]	56	Test Results 3.97: (AMD Ryzen 7 1700) about 16 SBU [rahul]
[ec78b82]	57	Passed: 69809
	58	Failed: 0
	59	Failed with core: 0
	60	ASan failures: 0
	61	Unknown status: 2
	62	TinderboxPrint:Unknown: 2
	63
[7a6a43b]	64	Test results 3.98: (Intel Xeon E5-1650v3) 25 SBU [renodr]
[95cff34]	65	Tests summary:
	66	Passed: 69919
	67	Failed: 0
	68	Failed with core: 0
	69	ASan failures: 0
	70	Unknown status: 2
	71	TinderboxPrint:Unknown: 2
	72
[7a6a43b]	73	Test results 3.99: (AMD Ryzen 9 3900X) 14 SBU [bdubbs]
	74	Tests summary:
	75	Passed: 69953
	76	Failed: 0
	77	Failed with core: 0
	78	ASan failures: 0
	79	Unknown status: 2
	80	TinderboxPrint:Unknown: 2
[910936c]	81
[4071cee]	82	Test results 3.100 (Intel(R) Xeon(R) CPU E3-1245 v6, VBoxVM)
[910936c]	83	Tests summary:
	84	Passed: 71813
	85	Failed: 1
	86	Failed with core: 0
	87	ASan failures: 0
	88	Unknown status: 2
	89	TinderboxPrint:Unknown: 2
[4071cee]	90
	91	Test Results 3.103: (AMD Ryzen 7 1700 QEMU host-model) about 30 SBU [rahul]
	92	Tests summary:
	93	Passed: 73415
	94	Failed: 0
	95	Failed with core: 0
	96	ASan failures: 0
	97	Unknown status: 2
	98	TinderboxPrint:Unknown: 2
[b48b457d]	99
	100	Test Results 3.104: (Intel i9-10900k) 30 SBU [rahul]
	101	Tests summary:
	102	Passed: 73415
	103	Failed: 0
	104	Failed with core: 0
	105	ASan failures: 0
	106	Unknown status: 2
	107	TinderboxPrint:Unknown: 2
	108
[7a6a43b]	109	-->
[30f88917]	110	]>
	111
[b4ca8bb]	112	<sect1 id="nss" xreflabel="nss-&nss-version;">
[30f88917]	113	<?dbhtml filename="nss.html"?>
	114
	115	<title>NSS-&nss-version;</title>
	116
	117	<indexterm zone="nss">
	118	<primary sortas="a-NSS">NSS</primary>
	119	</indexterm>
	120
	121	<sect2 role="package">
	122	<title>Introduction to NSS</title>
	123
[9333a525]	124	<para>
	125	The Network Security Services (<application>NSS</application>) package is
	126	a set of libraries designed to support cross-platform development of
	127	security-enabled client and server applications. Applications built with
	128	NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12,
	129	S/MIME, X.509 v3 certificates, and other security standards. This is
	130	useful for implementing SSL and S/MIME or other Internet security
	131	standards into an application.
	132	</para>
[30f88917]	133
[e320358]	134	&lfs122_checked;
[e3060aa]	135
[30f88917]	136	<bridgehead renderas="sect3">Package Information</bridgehead>
	137	<itemizedlist spacing="compact">
	138	<listitem>
[9333a525]	139	<para>
	140	Download (HTTP): <ulink url="&nss-download-http;"/>
	141	</para>
[30f88917]	142	</listitem>
	143	<listitem>
[9333a525]	144	<para>
	145	Download (FTP): <ulink url="&nss-download-ftp;"/>
	146	</para>
[30f88917]	147	</listitem>
	148	<listitem>
[9333a525]	149	<para>
[0f62b2b]	150	Download MD5 sum: &nss-md5sum;
	151	</para>
[30f88917]	152	</listitem>
	153	<listitem>
[9333a525]	154	<para>
	155	Download size: &nss-size;
	156	</para>
[30f88917]	157	</listitem>
	158	<listitem>
[9333a525]	159	<para>
	160	Estimated disk space required: &nss-buildsize;
	161	</para>
[30f88917]	162	</listitem>
	163	<listitem>
[9333a525]	164	<para>
	165	Estimated build time: &nss-time;
	166	</para>
[30f88917]	167	</listitem>
	168	</itemizedlist>
	169
[299d5c54]	170	<bridgehead renderas="sect3">Additional Downloads</bridgehead>
	171	<itemizedlist spacing="compact">
	172	<listitem>
	173	<para>
	174	Required patch:
[a41a3ea9]	175	<ulink url="&patch-root;/nss-&nss-version;-standalone-1.patch"/>
[299d5c54]	176	</para>
	177	</listitem>
[907a269]	178	<!--
[2980344]	179	<listitem>
	180	<para>
	181	Required patch for processors lacking the <quote>adx</quote>
	182	instruction set:
	183	<ulink url="&patch-root;/nss-&nss-version;-illegal_instruction-1.patch"/>
	184	</para>
	185	</listitem>
[907a269]	186	-->
[299d5c54]	187	</itemizedlist>
	188
[dd44df7e]	189	<bridgehead renderas="sect3">NSS Dependencies</bridgehead>
	190
	191	<bridgehead renderas="sect4">Required</bridgehead>
[9333a525]	192	<para role="required">
	193	<xref linkend="nspr"/>
	194	</para>
[dd44df7e]	195
	196	<bridgehead renderas="sect4">Recommended</bridgehead>
[9333a525]	197	<para role="recommended">
[96e9478]	198	<xref linkend="sqlite"/> and
	199	<xref role="runtime" linkend="p11-kit"/> (runtime)
[9333a525]	200	</para>
[dd44df7e]	201
[9333a525]	202	<para condition="html" role="usernotes">
[42ddc30]	203	Editor Notes: <ulink url="&blfs-wiki;/nss"/>
[9333a525]	204	</para>
[30f88917]	205	</sect2>
	206
	207	<sect2 role="installation">
	208	<title>Installation of NSS</title>
	209
[907a269]	210	<!--
[2c3969a]	211	<note>
	212	<para>
[2980344]	213	Some old generations processors lack an assembler instruction that
	214	is generated unconditionally by NSS-3.90. It leads to an
	215	"illegal instruction" fault when running firefox. The availability
	216	of this instruction is asserted by the <quote>adx</quote> flag
	217	in <filename>/proc/cpuinfo</filename>. If this flag is not set,
	218	apply the following patch:
[2c3969a]	219	</para>
[cd29bc9]	220	</note>
[2980344]	221
	222	<screen><userinput>grep -q adx /proc/cpuinfo \|\| \
	223	patch -Np1 -i ../nss-&nss-version;-illegal_instruction-1.patch</userinput></screen>
[2c3969a]	224
[907a269]	225	-->
[9333a525]	226	<para>
	227	Install <application>NSS</application> by running the following commands:
	228	</para>
	229
[a41a3ea9]	230	<screen><userinput>patch -Np1 -i ../nss-&nss-version;-standalone-1.patch &&
[b6d3d395]	231
[299d5c54]	232	cd nss &&
[2beaab8]	233
[1b9bf3e]	234	make BUILD_OPT=1 \
[731d374]	235	NSPR_INCLUDE_DIR=/usr/include/nspr \
	236	USE_SYSTEM_ZLIB=1 \
	237	ZLIB_LIBS=-lz \
[af9fba4]	238	NSS_ENABLE_WERROR=0 \
[a45062d]	239	$([ $(uname -m) = x86_64 ] && echo USE_64=1) \
[2beaab8]	240	$([ -f /usr/include/sqlite3.h ] && echo NSS_USE_SYSTEM_SQLITE=1)</userinput></screen>
[9333a525]	241
	242	<para>
[4158a9b]	243	<!-- the unittest files get compiled automatically since nss-3.31.0 -->
[9e1670e1]	244	To run the tests, execute the following commands<!--(1 test is known to fail)-->:
[9333a525]	245	</para>
[30f88917]	246
[b68a004]	247	<screen remap="test"><userinput>cd tests &&
[c7768882]	248	HOST=localhost DOMSUF=localdomain ./all.sh
[b68a004]	249	cd ../</userinput></screen>
[8558044]	250
	251	<note>
[73c6f44e]	252	<para>Some information about the tests:</para>
	253	<itemizedlist spacing="compact">
	254	<listitem>
	255	<para>
[6968e3cb]	256	HOST=localhost and DOMSUF=localdomain are required.
[73c6f44e]	257	Without these variables, a FQDN is
[fef4473]	258	required to be specified and this generic way should work for
[b0b536c]	259	everyone, provided <systemitem>localhost.localdomain</systemitem>
[334db6e5]	260	is defined
	261	<phrase revision='sysv'>
	262	in <filename>/etc/hosts</filename>, as done in
	263	<ulink url="&lfs-root;/chapter09/network.html#ch-config-hosts">
	264	the LFS book</ulink>.
	265	</phrase>
	266	<phrase revision='systemd'>
	267	by the <systemitem class='library'>myhostname</systemitem>
[8f45785]	268	Name Service Switch module, as specified in
[334db6e5]	269	<ulink url="&lfs-root;/chapter08/glibc.html#conf-glibc">
	270	the LFS book</ulink>.
	271	</phrase>
[73c6f44e]	272	</para>
	273	</listitem>
	274	<listitem>
	275	<para>
[7939b3d8]	276	The tests take a long time to run. If desired there is
[8558044]	277	information in the all.sh script about running subsets of the
[73c6f44e]	278	total test suite.
	279	</para>
	280	</listitem>
	281	<listitem>
	282	<para>
	283	When interrupting the tests, the test suite
[b68a004]	284	fails to spin down test servers that are run. This leads to an
	285	infinite loop in the tests where the test suite tries to kill a server
	286	that doesn't exist anymore because it pulls the wrong PID.
[73c6f44e]	287	</para>
	288	</listitem>
	289	<listitem>
	290	<para>
[8558044]	291	Test suite results (in HTML format!) can be found at
[73c6f44e]	292	../../test_results/security/localhost.1/results.html
	293	</para>
	294	</listitem>
[0d7f7190]	295	<listitem>
	296	<para>
	297	A few tests might fail on some Intel machines for unknown reasons.
	298	</para>
	299	</listitem>
[73c6f44e]	300	</itemizedlist>
	301	</note>
[b68a004]	302
[9333a525]	303	<para>
	304	Now, as the <systemitem class="username">root</systemitem> user:
	305	</para>
	306
[2beaab8]	307	<screen role="root"><userinput>cd ../dist &&
	308
	309	install -v -m755 Linux/lib/.so /usr/lib &&
	310	install -v -m644 Linux/lib/{.chk,libcrmf.a} /usr/lib &&
	311
	312	install -v -m755 -d /usr/include/nss &&
	313	cp -v -RL {public,private}/nss/* /usr/include/nss &&
	314
[299d5c54]	315	install -v -m755 Linux*/bin/{certutil,nss-config,pk12util} /usr/bin &&
[2beaab8]	316
[2b64864b]	317	install -v -m644 Linux*/lib/pkgconfig/nss.pc /usr/lib/pkgconfig</userinput></screen>
[299d5c54]	318
[30f88917]	319	</sect2>
	320
	321	<sect2 role="commands">
	322	<title>Command Explanations</title>
	323
[9333a525]	324	<para>
	325	<parameter>BUILD_OPT=1</parameter>: This option is passed to
	326	<command>make</command> so that the build is performed with no debugging
	327	symbols built into the binaries and the default compiler optimizations are
	328	used.
	329	</para>
	330
	331	<para>
[0d7900a]	332	<parameter>NSPR_INCLUDE_DIR=/usr/include/nspr</parameter>: This option
[9333a525]	333	sets the location of the nspr headers.
	334	</para>
	335
	336	<para>
	337	<parameter>USE_SYSTEM_ZLIB=1</parameter>: This option is passed to
	338	<command>make</command> to ensure that the
	339	<filename class="libraryfile">libssl3.so</filename> library is linked to
	340	the system installed <application>zlib</application> instead of the
	341	in-tree version.
	342	</para>
	343
	344	<para>
	345	<parameter>ZLIB_LIBS=-lz</parameter>: This option provides the
	346	linker flags needed to link to the system <application>zlib</application>.
	347	</para>
[a45062d]	348
	349	<para>
	350	<command>$([ $(uname -m) = x86_64 ] && echo USE_64=1)</command>:
	351	The <parameter>USE_64=1</parameter> option is <emphasis>required on
	352	x86_64</emphasis>, otherwise <command>make</command> will try (and fail)
	353	to create 32-bit objects. The [ $(uname -m) = x86_64 ] test ensures it
	354	has no effect on a 32 bit system.
	355	</para>
	356
	357	<para>
	358	<command>([ -f /usr/include/sqlite3.h ] && echo
	359	NSS_USE_SYSTEM_SQLITE=1)</command>: This tests if
	360	<application>sqlite</application> is installed and if so it
	361	<command>echo</command>s the option NSS_USE_SYSTEM_SQLITE=1 to
	362	<command>make</command> so that
	363	<filename class="libraryfile">libsoftokn3.so</filename> will link against
	364	the system version of sqlite.
	365	</para>
[299d5c54]	366
[d65b11c]	367	<para>
[26b48ac]	368	<option>NSS_DISABLE_GTESTS=1</option>: If you don't need to run
[d65b11c]	369	NSS test suite, append this option to <command>make</command> command,
	370	to prevent the compilation of tests and save some build time.
	371	</para>
	372
[30f88917]	373	</sect2>
	374
[4a16903]	375	<sect2 role="configuration">
	376	<title>Configuring NSS</title>
	377
[47274444]	378	<para>
	379	If <xref linkend="p11-kit"/> is installed, the
	380	<application>p11-kit</application> trust module
	381	(<filename>/usr/lib/pkcs11/p11-kit-trust.so</filename>) can be used as a
	382	drop-in replacement for <filename>/usr/lib/libnssckbi.so</filename> to
	383	transparently make the system CAs available to
	384	<application>NSS</application> aware applications, rather than the static
[d1c7bee]	385	library provided by <filename>/usr/lib/libnssckbi.so</filename>. As the
[47274444]	386	<systemitem class="username">root</systemitem> user, execute the following
[01e2c90]	387	command:
[47274444]	388	</para>
[4a16903]	389
[5c69a2d]	390	<screen role="root"><userinput>ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so</userinput></screen>
[4a16903]	391
[47274444]	392	<para>
	393	Additionally, for dependent applications that do not use the internal
	394	database (<filename>/usr/lib/libnssckbi.so</filename>), the
[fef4473]	395	<filename>/usr/sbin/make-ca</filename> script included on the
[47274444]	396	<xref linkend="make-ca"/> page can generate a system wide NSS DB with the
	397	<parameter>-n</parameter> switch, or by modifying the
[0771e2f]	398	<filename>/etc/make-ca/make-ca.conf</filename> file.
[47274444]	399	</para>
[4a16903]	400
	401	</sect2>
	402
[30f88917]	403	<sect2 role="content">
	404	<title>Contents</title>
	405
	406	<segmentedlist>
	407	<segtitle>Installed Programs</segtitle>
	408	<segtitle>Installed Libraries</segtitle>
	409	<segtitle>Installed Directories</segtitle>
	410
	411	<seglistitem>
[9333a525]	412	<seg>
[299d5c54]	413	certutil, nss-config, and pk12util
[61562907]	414	</seg>
	415	<seg>
[b68a004]	416	libcrmf.a, libfreebl3.so, libfreeblpriv3.so,
	417	libnss3.so, libnssckbi.so, libnssckbi-testlib.so,
[8558044]	418	libnssdbm3.so, libnsssysinit.so, libnssutil3.so,
	419	libpkcs11testmodule.so, libsmime3.so, libsoftokn3.so,
[23ed085]	420	and libssl3.so
[61562907]	421	</seg>
	422	<seg>
	423	/usr/include/nss
[9333a525]	424	</seg>
[30f88917]	425	</seglistitem>
	426	</segmentedlist>
	427
	428	<variablelist>
	429	<bridgehead renderas="sect3">Short Descriptions</bridgehead>
	430	<?dbfo list-presentation="list"?>
	431	<?dbhtml list-presentation="table"?>
	432
[9333a525]	433	<varlistentry id="certutil">
	434	<term><command>certutil</command></term>
	435	<listitem>
	436	<para>
	437	is the Mozilla Certificate Database Tool. It is a command-line
	438	utility that can create and modify the Netscape Communicator
	439	cert8.db and key3.db database files. It can also list, generate,
	440	modify, or delete certificates within the cert8.db file and create
	441	or change the password, generate new public and private key pairs,
	442	display the contents of the key database, or delete key pairs within
[4c24eb0a]	443	the key3.db file
[9333a525]	444	</para>
	445	<indexterm zone="nss certutil">
	446	<primary sortas="b-certutil">certutil</primary>
	447	</indexterm>
	448	</listitem>
	449	</varlistentry>
	450
[299d5c54]	451	<varlistentry id="nss-config">
	452	<term><command>nss-config</command></term>
	453	<listitem>
	454	<para>
	455	is used to determine the NSS library settings of the installed NSS
[4c24eb0a]	456	libraries
[299d5c54]	457	</para>
	458	<indexterm zone="nss nss-config">
	459	<primary sortas="b-nss-config">nss-config</primary>
	460	</indexterm>
	461	</listitem>
	462	</varlistentry>
	463
[9333a525]	464	<varlistentry id="pk12util">
	465	<term><command>pk12util</command></term>
	466	<listitem>
	467	<para>
	468	is a tool for importing certificates and keys from pkcs #12 files
	469	into NSS or exporting them. It can also list certificates and keys
[4c24eb0a]	470	in such files
[9333a525]	471	</para>
	472	<indexterm zone="nss pk12util">
	473	<primary sortas="b-pk12util">pk12util</primary>
	474	</indexterm>
	475	</listitem>
	476	</varlistentry>
[61562907]	477
[9333a525]	478	</variablelist>
[61562907]	479
[30f88917]	480	</sect2>
[61562907]	481
[30f88917]	482	</sect1>

Note: See TracBrowser for help on using the repository browser.

Download in other formats: