source: postlfs/security/nss.xml@ 4071cee

Last change on this file since 4071cee was 4071cee, checked in by Rahul Chandra <rahul@…>, 6 weeks ago

Update to nss-3.103

1<?xml version="1.0" encoding="UTF-8"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7<!-- for when .0 is not part of the new tarball name, but always referenced -->
8<!ENTITY nss-url "archive.mozilla.org/pub/security/nss/releases">
9
10<!-- micro versions-->
11<!--<!ENTITY nss-download-http "https://&nss-url;/NSS_3_&nss-minor-version;_&nss-micro-version;_RTM/src/nss-&nss-version;.tar.gz">-->
12
13<!-- no micro versions -->
14 <!ENTITY nss-download-http "https://&nss-url;/NSS_&nss-dir;_RTM/src/nss-&nss-version;.tar.gz">
15 <!ENTITY nss-download-ftp " ">
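16 <!ENTITY nss-md5sum "2823082a44b9dd71d6281108e0bab03f">
 <!-- MD5 detects accidental corruption only; it is not collision-resistant,
 so it gives no protection against a deliberately altered tarball. Rely on
 the HTTPS download and, where upstream publishes one, a SHA-256 checksum. -->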
17 <!ENTITY nss-size "73 MB">
18 <!ENTITY nss-buildsize "304 MB (add 149 MB for tests)">
19 <!ENTITY nss-time "0.8 SBU (with parallelism=4, add 16 SBU for tests on AMD Ryzens or at least 30 SBU on Intel machines)">
20 <!-- On my system, I got 64.2 SBU, but Bruce gets 18 SBU. -renodr -->
21 <!-- On my system, I got 63 SBU, but Xi gets ~18 SBU. -pierre (for 3.78) -->
22 <!-- On my 3400G for 3.79 I got 16 SBU -ken -->
23 <!-- Still 17 SBU for 3.81 - bdubbs -->
24 <!-- 73 SBU but I'm on Intel. -renodr -->
25 <!-- 3.86 amended the figures -ken
26 3400G 14 SBU with 6.0.12, but the remeasured SBU has become very slow
27 and maybe other people would see a faster SBU on a fresh build;
28 i7-4790 35 SBU with 6.0.12, no failures
29 Bruce's 3900X 19.3 SBU, his i7-12700K about 30 SBU, 12 failures
30
31 3.93:
32 Passed: 69982
33 Failed: 0
34 Failed with core: 0
35 ASan failures: 0
36 Unknown status: 2
37 TinderboxPrint:Unknown: 2
38
39 Test Results 3.95: (Intel i9-10900k) I got close to 70 SBU [rahul]
40
41 Passed: 69982
42 Failed: 0
43 Failed with core: 0
44 ASan failures: 0
45 Unknown status: 2
46 TinderboxPrint:Unknown: 2
47
48 Test Results 3.96: (AMD Ryzen 9 3900X) about 14 SBU [bdubbs]
49 Passed: 70289
50 Failed: 0
51 Failed with core: 0
52 ASan failures: 0
53 Unknown status: 2
54 TinderboxPrint:Unknown: 2
55
56 Test Results 3.97: (AMD Ryzen 7 1700) about 16 SBU [rahul]
57 Passed: 69809
58 Failed: 0
59 Failed with core: 0
60 ASan failures: 0
61 Unknown status: 2
62 TinderboxPrint:Unknown: 2
63
64 Test results 3.98: (Intel Xeon E5-1650v3) 25 SBU [renodr]
65 Tests summary:
66 Passed: 69919
67 Failed: 0
68 Failed with core: 0
69 ASan failures: 0
70 Unknown status: 2
71 TinderboxPrint:Unknown: 2
72
73 Test results 3.99: (AMD Ryzen 9 3900X) 14 SBU [bdubbs]
74 Tests summary:
75 Passed: 69953
76 Failed: 0
77 Failed with core: 0
78 ASan failures: 0
79 Unknown status: 2
80 TinderboxPrint:Unknown: 2
81
82 Test results 3.100 (Intel(R) Xeon(R) CPU E3-1245 v6, VBoxVM)
83 Tests summary:
84 Passed: 71813
85 Failed: 1
86 Failed with core: 0
87 ASan failures: 0
88 Unknown status: 2
89 TinderboxPrint:Unknown: 2
90
91 Test Results 3.103: (AMD Ryzen 7 1700 QEMU host-model) about 30 SBU [rahul]
92 Tests summary:
93 Passed: 73415
94 Failed: 0
95 Failed with core: 0
96 ASan failures: 0
97 Unknown status: 2
98 TinderboxPrint:Unknown: 2
99 -->
100]>
101
102<sect1 id="nss" xreflabel="nss-&nss-version;">
103 <?dbhtml filename="nss.html"?>
104
105 <title>NSS-&nss-version;</title>
106
107 <indexterm zone="nss">
108 <primary sortas="a-NSS">NSS</primary>
109 </indexterm>
110
111 <sect2 role="package">
112 <title>Introduction to NSS</title>
113
114 <para>
115 The Network Security Services (<application>NSS</application>) package is
116 a set of libraries designed to support cross-platform development of
117 security-enabled client and server applications. Applications built with
118 NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12,
119 S/MIME, X.509 v3 certificates, and other security standards. This is
120 useful for implementing SSL and S/MIME or other Internet security
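121 standards into an application. Note that SSL v2 and SSL v3 are obsolete
 and insecure (see RFC 6176 and RFC 7568); applications should use TLS.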
122 </para>
123
124 &lfs121_checked;
125
126 <bridgehead renderas="sect3">Package Information</bridgehead>
127 <itemizedlist spacing="compact">
128 <listitem>
129 <para>
130 Download (HTTP): <ulink url="&nss-download-http;"/>
131 </para>
132 </listitem>
133 <listitem>
134 <para>
135 Download (FTP): <ulink url="&nss-download-ftp;"/>
136 </para>
137 </listitem>
138 <listitem>
139 <para>
140 Download MD5 sum: &nss-md5sum;
141 </para>
142 </listitem>
143 <listitem>
144 <para>
145 Download size: &nss-size;
146 </para>
147 </listitem>
148 <listitem>
149 <para>
150 Estimated disk space required: &nss-buildsize;
151 </para>
152 </listitem>
153 <listitem>
154 <para>
155 Estimated build time: &nss-time;
156 </para>
157 </listitem>
158 </itemizedlist>
159
160 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
161 <itemizedlist spacing="compact">
162 <listitem>
163 <para>
164 Required patch:
165 <ulink url="&patch-root;/nss-&nss-version;-standalone-1.patch"/>
166 </para>
167 </listitem>
168<!--
169 <listitem>
170 <para>
171 Required patch for processors lacking the <quote>adx</quote>
172 instruction set:
173 <ulink url="&patch-root;/nss-&nss-version;-illegal_instruction-1.patch"/>
174 </para>
175 </listitem>
176-->
177 </itemizedlist>
178
179 <bridgehead renderas="sect3">NSS Dependencies</bridgehead>
180
181 <bridgehead renderas="sect4">Required</bridgehead>
182 <para role="required">
183 <xref linkend="nspr"/>
184 </para>
185
186 <bridgehead renderas="sect4">Recommended</bridgehead>
187 <para role="recommended">
188 <xref linkend="sqlite"/> and
189 <xref role="runtime" linkend="p11-kit"/> (runtime)
190 </para>
191
192 <para condition="html" role="usernotes">
193 Editor Notes: <ulink url="&blfs-wiki;/nss"/>
194 </para>
195 </sect2>
196
197 <sect2 role="installation">
198 <title>Installation of NSS</title>
199
200<!--
201 <note>
202 <para>
203 Some old generations processors lack an assembler instruction that
204 is generated unconditionally by NSS-3.90. It leads to an
205 "illegal instruction" fault when running firefox. The availability
206 of this instruction is asserted by the <quote>adx</quote> flag
207 in <filename>/proc/cpuinfo</filename>. If this flag is not set,
208 apply the following patch:
209 </para>
210 </note>
211
212<screen><userinput>grep -q adx /proc/cpuinfo || \
213patch -Np1 -i ../nss-&nss-version;-illegal_instruction-1.patch</userinput></screen>
214
215-->
216 <para>
217 Install <application>NSS</application> by running the following commands:
218 </para>
219
220<screen><userinput>patch -Np1 -i ../nss-&nss-version;-standalone-1.patch &amp;&amp;
221
222cd nss &amp;&amp;
223
224make BUILD_OPT=1 \
225 NSPR_INCLUDE_DIR=/usr/include/nspr \
226 USE_SYSTEM_ZLIB=1 \
227 ZLIB_LIBS=-lz \
228 NSS_ENABLE_WERROR=0 \
229 $([ $(uname -m) = x86_64 ] &amp;&amp; echo USE_64=1) \
230 $([ -f /usr/include/sqlite3.h ] &amp;&amp; echo NSS_USE_SYSTEM_SQLITE=1)</userinput></screen>
231
232 <para>
233 <!-- the unittest files get compiled automatically since nss-3.31.0 -->
234 To run the tests, execute the following commands<!--(1 test is known to fail)-->:
235 </para>
236
237<screen remap="test"><userinput>cd tests &amp;&amp;
238HOST=localhost DOMSUF=localdomain ./all.sh
239cd ../</userinput></screen>
240
241 <note>
242 <para>Some information about the tests:</para>
243 <itemizedlist spacing="compact">
244 <listitem>
245 <para>
246 HOST=localhost and DOMSUF=localdomain are required.
247 Without these variables, an FQDN must be
248 specified; this generic approach should work for
249 everyone, provided <systemitem>localhost.localdomain</systemitem>
250 is defined
251 <phrase revision='sysv'>
252 in <filename>/etc/hosts</filename>, as done in
253 <ulink url="&lfs-root;/chapter09/network.html#ch-config-hosts">
254 the LFS book</ulink>.
255 </phrase>
256 <phrase revision='systemd'>
257 by the <systemitem class='library'>myhostname</systemitem>
258 Name Service Switch module, as specified in
259 <ulink url="&lfs-root;/chapter08/glibc.html#conf-glibc">
260 the LFS book</ulink>.
261 </phrase>
262 </para>
263 </listitem>
264 <listitem>
265 <para>
266 The tests take a long time to run. If desired there is
267 information in the all.sh script about running subsets of the
268 total test suite.
269 </para>
270 </listitem>
271 <listitem>
272 <para>
273 If the tests are interrupted, the test suite fails to shut down the
274 test servers it started. This leads to an
275 infinite loop in the tests where the test suite tries to kill a server
276 that doesn't exist anymore because it pulls the wrong PID.
277 </para>
278 </listitem>
279 <listitem>
280 <para>
281 Test suite results (in HTML format!) can be found at
282 ../../test_results/security/localhost.1/results.html
283 </para>
284 </listitem>
285 <listitem>
286 <para>
287 A few tests might fail on some Intel machines for unknown reasons.
288 </para>
289 </listitem>
290 </itemizedlist>
291 </note>
292
293 <para>
294 Now, as the <systemitem class="username">root</systemitem> user:
295 </para>
296
297<screen role="root"><userinput>cd ../dist &amp;&amp;
298
299install -v -m755 Linux*/lib/*.so /usr/lib &amp;&amp;
300install -v -m644 Linux*/lib/{*.chk,libcrmf.a} /usr/lib &amp;&amp;
301
302install -v -m755 -d /usr/include/nss &amp;&amp;
303cp -v -RL {public,private}/nss/* /usr/include/nss &amp;&amp;
304
305install -v -m755 Linux*/bin/{certutil,nss-config,pk12util} /usr/bin &amp;&amp;
306
307install -v -m644 Linux*/lib/pkgconfig/nss.pc /usr/lib/pkgconfig</userinput></screen>
308
309 </sect2>
310
311 <sect2 role="commands">
312 <title>Command Explanations</title>
313
314 <para>
315 <parameter>BUILD_OPT=1</parameter>: This option is passed to
316 <command>make</command> so that the build is performed with no debugging
317 symbols built into the binaries and the default compiler optimizations are
318 used.
319 </para>
320
321 <para>
322 <parameter>NSPR_INCLUDE_DIR=/usr/include/nspr</parameter>: This option
323 sets the location of the nspr headers.
324 </para>
325
326 <para>
327 <parameter>USE_SYSTEM_ZLIB=1</parameter>: This option is passed to
328 <command>make</command> to ensure that the
329 <filename class="libraryfile">libssl3.so</filename> library is linked to
330 the system installed <application>zlib</application> instead of the
331 in-tree version.
332 </para>
333
334 <para>
335 <parameter>ZLIB_LIBS=-lz</parameter>: This option provides the
336 linker flags needed to link to the system <application>zlib</application>.
337 </para>
338
339 <para>
340 <command>$([ $(uname -m) = x86_64 ] &amp;&amp; echo USE_64=1)</command>:
341 The <parameter>USE_64=1</parameter> option is <emphasis>required on
342 x86_64</emphasis>, otherwise <command>make</command> will try (and fail)
343 to create 32-bit objects. The [ $(uname -m) = x86_64 ] test ensures it
344 has no effect on a 32-bit system.
345 </para>
346
347 <para>
348 <command>$([ -f /usr/include/sqlite3.h ] &amp;&amp; echo
349 NSS_USE_SYSTEM_SQLITE=1)</command>: This tests if
350 <application>sqlite</application> is installed and if so it
351 <command>echo</command>s the option NSS_USE_SYSTEM_SQLITE=1 to
352 <command>make</command> so that
353 <filename class="libraryfile">libsoftokn3.so</filename> will link against
354 the system version of sqlite.
355 </para>
356
357 <para>
358 <option>NSS_DISABLE_GTESTS=1</option>: If you don't need to run the
359 NSS test suite, append this option to the <command>make</command> command
360 to prevent the compilation of tests and save some build time.
361 </para>
362
363 </sect2>
364
365 <sect2 role="configuration">
366 <title>Configuring NSS</title>
367
368 <para>
369 If <xref linkend="p11-kit"/> is installed, the
370 <application>p11-kit</application> trust module
371 (<filename>/usr/lib/pkcs11/p11-kit-trust.so</filename>) can be used as a
372 drop-in replacement for <filename>/usr/lib/libnssckbi.so</filename> to
373 transparently make the system CAs available to
374 <application>NSS</application>-aware applications, rather than the static
375 list of root certificates built into <filename>/usr/lib/libnssckbi.so</filename>. As the
376 <systemitem class="username">root</systemitem> user, execute the following
377 command:
378 </para>
379
380<screen role="root"><userinput>ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so</userinput></screen>
381
382 <para>
383 Additionally, for dependent applications that do not use the internal
384 database (<filename>/usr/lib/libnssckbi.so</filename>), the
385 <filename>/usr/sbin/make-ca</filename> script included on the
386 <xref linkend="make-ca"/> page can generate a system wide NSS DB with the
387 <parameter>-n</parameter> switch, or by modifying the
388 <filename>/etc/make-ca/make-ca.conf</filename> file.
389 </para>
390
391 </sect2>
392
393 <sect2 role="content">
394 <title>Contents</title>
395
396 <segmentedlist>
397 <segtitle>Installed Programs</segtitle>
398 <segtitle>Installed Libraries</segtitle>
399 <segtitle>Installed Directories</segtitle>
400
401 <seglistitem>
402 <seg>
403 certutil, nss-config, and pk12util
404 </seg>
405 <seg>
406 libcrmf.a, libfreebl3.so, libfreeblpriv3.so,
407 libnss3.so, libnssckbi.so, libnssckbi-testlib.so,
408 libnssdbm3.so, libnsssysinit.so, libnssutil3.so,
409 libpkcs11testmodule.so, libsmime3.so, libsoftokn3.so,
410 and libssl3.so
411 </seg>
412 <seg>
413 /usr/include/nss
414 </seg>
415 </seglistitem>
416 </segmentedlist>
417
418 <variablelist>
419 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
420 <?dbfo list-presentation="list"?>
421 <?dbhtml list-presentation="table"?>
422
423 <varlistentry id="certutil">
424 <term><command>certutil</command></term>
425 <listitem>
426 <para>
427 is the Mozilla Certificate Database Tool. It is a command-line
428 utility that can create and modify the Netscape Communicator
429 cert8.db and key3.db database files. It can also list, generate,
430 modify, or delete certificates within the cert8.db file and create
431 or change the password, generate new public and private key pairs,
432 display the contents of the key database, or delete key pairs within
433 the key3.db file
434 </para>
435 <indexterm zone="nss certutil">
436 <primary sortas="b-certutil">certutil</primary>
437 </indexterm>
438 </listitem>
439 </varlistentry>
440
441 <varlistentry id="nss-config">
442 <term><command>nss-config</command></term>
443 <listitem>
444 <para>
445 is used to determine the NSS library settings of the installed NSS
446 libraries
447 </para>
448 <indexterm zone="nss nss-config">
449 <primary sortas="b-nss-config">nss-config</primary>
450 </indexterm>
451 </listitem>
452 </varlistentry>
453
454 <varlistentry id="pk12util">
455 <term><command>pk12util</command></term>
456 <listitem>
457 <para>
458 is a tool for importing certificates and keys from PKCS #12 files
459 into NSS or exporting them. It can also list certificates and keys
460 in such files
461 </para>
462 <indexterm zone="nss pk12util">
463 <primary sortas="b-pk12util">pk12util</primary>
464 </indexterm>
465 </listitem>
466 </varlistentry>
467
468 </variablelist>
469
470 </sect2>
471
472</sect1>