source: postlfs/security/nss.xml@ 6075712

Last change on this file since 6075712 was b48b457d, checked in by Rahul Chandra <rahul@…>, 2 weeks ago

Update to nss-3.104

1<?xml version="1.0" encoding="UTF-8"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7<!-- for when .0 is not part of the new tarball name, but always referenced -->
8<!ENTITY nss-url "archive.mozilla.org/pub/security/nss/releases">
9
10<!-- micro versions-->
11<!--<!ENTITY nss-download-http "https://&nss-url;/NSS_3_&nss-minor-version;_&nss-micro-version;_RTM/src/nss-&nss-version;.tar.gz">-->
12
13<!-- no micro versions -->
14 <!ENTITY nss-download-http "https://&nss-url;/NSS_&nss-dir;_RTM/src/nss-&nss-version;.tar.gz">
15 <!ENTITY nss-download-ftp " ">
16 <!ENTITY nss-md5sum "031cfed208aad1030cbe8cb163f0e298">
17 <!ENTITY nss-size "73 MB">
18 <!ENTITY nss-buildsize "304 MB (add 149 MB for tests)">
19 <!ENTITY nss-time "0.8 SBU (with parallelism=4, add 16 SBU for tests on AMD Ryzens or at least 30 SBU on Intel machines)">
20 <!-- On my system, I got 64.2 SBU, but Bruce gets 18 SBU. -renodr -->
21 <!-- On my system, I got 63 SBU, but Xi gets ~18 SBU. -pierre (for 3.78) -->
22 <!-- On my 3400G for 3.79 I got 16 SBU -ken -->
23 <!-- Still 17 SBU for 3.81 - bdubbs -->
24 <!-- 73 SBU but I'm on Intel. -renodr -->
25 <!-- 3.86 amended the figures -ken
26 3400G 14 SBU with 6.0.12, but the remeasured SBU has become very slow
27 and maybe other people would see a faster SBU on a fresh build;
28 i7-4790 35 SBU with 6.0.12, no failures
29 Bruce's 3900X 19.3 SBU, his i7-12700K about 30 SBU, 12 failures
30
31 3.93:
32 Passed: 69982
33 Failed: 0
34 Failed with core: 0
35 ASan failures: 0
36 Unknown status: 2
37 TinderboxPrint:Unknown: 2
38
39 Test Results 3.95: (Intel i9-10900k) I got close to 70 SBU [rahul]
40
41 Passed: 69982
42 Failed: 0
43 Failed with core: 0
44 ASan failures: 0
45 Unknown status: 2
46 TinderboxPrint:Unknown: 2
47
48 Test Results 3.96: (AMD Ryzen 9 3900X) about 14 SBU [bdubbs]
49 Passed: 70289
50 Failed: 0
51 Failed with core: 0
52 ASan failures: 0
53 Unknown status: 2
54 TinderboxPrint:Unknown: 2
55
56 Test Results 3.97: (AMD Ryzen 7 1700) about 16 SBU [rahul]
57 Passed: 69809
58 Failed: 0
59 Failed with core: 0
60 ASan failures: 0
61 Unknown status: 2
62 TinderboxPrint:Unknown: 2
63
64 Test results 3.98: (Intel Xeon E5-1650v3) 25 SBU [renodr]
65 Tests summary:
66 Passed: 69919
67 Failed: 0
68 Failed with core: 0
69 ASan failures: 0
70 Unknown status: 2
71 TinderboxPrint:Unknown: 2
72
73 Test results 3.99: (AMD Ryzen 9 3900X) 14 SBU [bdubbs]
74 Tests summary:
75 Passed: 69953
76 Failed: 0
77 Failed with core: 0
78 ASan failures: 0
79 Unknown status: 2
80 TinderboxPrint:Unknown: 2
81
82 Test results 3.100 (Intel(R) Xeon(R) CPU E3-1245 v6, VBoxVM)
83 Tests summary:
84 Passed: 71813
85 Failed: 1
86 Failed with core: 0
87 ASan failures: 0
88 Unknown status: 2
89 TinderboxPrint:Unknown: 2
90
91 Test Results 3.103: (AMD Ryzen 7 1700 QEMU host-model) about 30 SBU [rahul]
92 Tests summary:
93 Passed: 73415
94 Failed: 0
95 Failed with core: 0
96 ASan failures: 0
97 Unknown status: 2
98 TinderboxPrint:Unknown: 2
99
100 Test Results 3.104: (Intel i9-10900k) 30 SBU [rahul]
101 Tests summary:
102 Passed: 73415
103 Failed: 0
104 Failed with core: 0
105 ASan failures: 0
106 Unknown status: 2
107 TinderboxPrint:Unknown: 2
108
109 -->
110]>
111
112<sect1 id="nss" xreflabel="nss-&nss-version;">
113 <?dbhtml filename="nss.html"?>
114
115 <title>NSS-&nss-version;</title>
116
117 <indexterm zone="nss">
118 <primary sortas="a-NSS">NSS</primary>
119 </indexterm>
120
121 <sect2 role="package">
122 <title>Introduction to NSS</title>
123
124 <para>
125 The Network Security Services (<application>NSS</application>) package is
126 a set of libraries designed to support cross-platform development of
127 security-enabled client and server applications. Applications built with
128 NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12,
129 S/MIME, X.509 v3 certificates, and other security standards. This is
130 useful for implementing SSL and S/MIME or other Internet security
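131 standards into an application. SSL v2 and v3 are obsolete and insecure (see RFC 6176 and RFC 7568); applications should be configured to negotiate TLS only.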
132 </para>
133
134 &lfs122_checked;
135
136 <bridgehead renderas="sect3">Package Information</bridgehead>
137 <itemizedlist spacing="compact">
138 <listitem>
139 <para>
140 Download (HTTP): <ulink url="&nss-download-http;"/>
141 </para>
142 </listitem>
143 <listitem>
144 <para>
145 Download (FTP): <ulink url="&nss-download-ftp;"/>
146 </para>
147 </listitem>
148 <listitem>
149 <para>
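150 Download MD5 sum: &nss-md5sum; (detects a corrupted download only; MD5 is not collision-resistant and does not authenticate the tarball)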
151 </para>
152 </listitem>
153 <listitem>
154 <para>
155 Download size: &nss-size;
156 </para>
157 </listitem>
158 <listitem>
159 <para>
160 Estimated disk space required: &nss-buildsize;
161 </para>
162 </listitem>
163 <listitem>
164 <para>
165 Estimated build time: &nss-time;
166 </para>
167 </listitem>
168 </itemizedlist>
169
170 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
171 <itemizedlist spacing="compact">
172 <listitem>
173 <para>
174 Required patch:
175 <ulink url="&patch-root;/nss-&nss-version;-standalone-1.patch"/>
176 </para>
177 </listitem>
178<!--
179 <listitem>
180 <para>
181 Required patch for processors lacking the <quote>adx</quote>
182 instruction set:
183 <ulink url="&patch-root;/nss-&nss-version;-illegal_instruction-1.patch"/>
184 </para>
185 </listitem>
186-->
187 </itemizedlist>
188
189 <bridgehead renderas="sect3">NSS Dependencies</bridgehead>
190
191 <bridgehead renderas="sect4">Required</bridgehead>
192 <para role="required">
193 <xref linkend="nspr"/>
194 </para>
195
196 <bridgehead renderas="sect4">Recommended</bridgehead>
197 <para role="recommended">
198 <xref linkend="sqlite"/> and
199 <xref role="runtime" linkend="p11-kit"/> (runtime)
200 </para>
201
202 <para condition="html" role="usernotes">
203 Editor Notes: <ulink url="&blfs-wiki;/nss"/>
204 </para>
205 </sect2>
206
207 <sect2 role="installation">
208 <title>Installation of NSS</title>
209
210<!--
211 <note>
212 <para>
213 Some old generations processors lack an assembler instruction that
214 is generated unconditionally by NSS-3.90. It leads to an
215 "illegal instruction" fault when running firefox. The availability
216 of this instruction is asserted by the <quote>adx</quote> flag
217 in <filename>/proc/cpuinfo</filename>. If this flag is not set,
218 apply the following patch:
219 </para>
220 </note>
221
222<screen><userinput>grep -q adx /proc/cpuinfo || \
223patch -Np1 -i ../nss-&nss-version;-illegal_instruction-1.patch</userinput></screen>
224
225-->
226 <para>
227 Install <application>NSS</application> by running the following commands:
228 </para>
229
230<screen><userinput>patch -Np1 -i ../nss-&nss-version;-standalone-1.patch &amp;&amp;
231
232cd nss &amp;&amp;
233
234make BUILD_OPT=1 \
235 NSPR_INCLUDE_DIR=/usr/include/nspr \
236 USE_SYSTEM_ZLIB=1 \
237 ZLIB_LIBS=-lz \
238 NSS_ENABLE_WERROR=0 \
239 $([ $(uname -m) = x86_64 ] &amp;&amp; echo USE_64=1) \
240 $([ -f /usr/include/sqlite3.h ] &amp;&amp; echo NSS_USE_SYSTEM_SQLITE=1)</userinput></screen>
241
242 <para>
243 <!-- the unittest files get compiled automatically since nss-3.31.0 -->
244 To run the tests, execute the following commands<!--(1 test is known to fail)-->:
245 </para>
246
247<screen remap="test"><userinput>cd tests &amp;&amp;
248HOST=localhost DOMSUF=localdomain ./all.sh
249cd ../</userinput></screen>
250
251 <note>
252 <para>Some information about the tests:</para>
253 <itemizedlist spacing="compact">
254 <listitem>
255 <para>
256 HOST=localhost and DOMSUF=localdomain are required.
257 Without these variables, a FQDN is
258 required to be specified and this generic way should work for
259 everyone, provided <systemitem>localhost.localdomain</systemitem>
260 is defined
261 <phrase revision='sysv'>
262 in <filename>/etc/hosts</filename>, as done in
263 <ulink url="&lfs-root;/chapter09/network.html#ch-config-hosts">
264 the LFS book</ulink>.
265 </phrase>
266 <phrase revision='systemd'>
267 by the <systemitem class='library'>myhostname</systemitem>
268 Name Service Switch module, as specified in
269 <ulink url="&lfs-root;/chapter08/glibc.html#conf-glibc">
270 the LFS book</ulink>.
271 </phrase>
272 </para>
273 </listitem>
274 <listitem>
275 <para>
276 The tests take a long time to run. If desired there is
277 information in the all.sh script about running subsets of the
278 total test suite.
279 </para>
280 </listitem>
281 <listitem>
282 <para>
283 If the tests are interrupted, the test suite
284 fails to shut down the test servers it started. This leads to an
285 infinite loop in the tests, where the test suite tries to kill a server
286 that no longer exists because it picks up the wrong PID. Stop any test server processes left running before starting the tests again.
287 </para>
288 </listitem>
289 <listitem>
290 <para>
291 Test suite results (in HTML format!) can be found at
292 ../../test_results/security/localhost.1/results.html
293 </para>
294 </listitem>
295 <listitem>
296 <para>
297 A few tests might fail on some Intel machines for unknown reasons.
298 </para>
299 </listitem>
300 </itemizedlist>
301 </note>
302
303 <para>
304 Now, as the <systemitem class="username">root</systemitem> user:
305 </para>
306
307<screen role="root"><userinput>cd ../dist &amp;&amp;
308
309install -v -m755 Linux*/lib/*.so /usr/lib &amp;&amp;
310install -v -m644 Linux*/lib/{*.chk,libcrmf.a} /usr/lib &amp;&amp;
311
312install -v -m755 -d /usr/include/nss &amp;&amp;
313cp -v -RL {public,private}/nss/* /usr/include/nss &amp;&amp;
314
315install -v -m755 Linux*/bin/{certutil,nss-config,pk12util} /usr/bin &amp;&amp;
316
317install -v -m644 Linux*/lib/pkgconfig/nss.pc /usr/lib/pkgconfig</userinput></screen>
318
319 </sect2>
320
321 <sect2 role="commands">
322 <title>Command Explanations</title>
323
324 <para>
325 <parameter>BUILD_OPT=1</parameter>: This option is passed to
326 <command>make</command> so that the build is performed with no debugging
327 symbols built into the binaries and the default compiler optimizations are
328 used.
329 </para>
330
331 <para>
332 <parameter>NSPR_INCLUDE_DIR=/usr/include/nspr</parameter>: This option
333 sets the location of the nspr headers.
334 </para>
335
336 <para>
337 <parameter>USE_SYSTEM_ZLIB=1</parameter>: This option is passed to
338 <command>make</command> to ensure that the
339 <filename class="libraryfile">libssl3.so</filename> library is linked to
340 the system installed <application>zlib</application> instead of the
341 in-tree version.
342 </para>
343
344 <para>
345 <parameter>ZLIB_LIBS=-lz</parameter>: This option provides the
346 linker flags needed to link to the system <application>zlib</application>.
347 </para>
348
349 <para>
350 <command>$([ $(uname -m) = x86_64 ] &amp;&amp; echo USE_64=1)</command>:
351 The <parameter>USE_64=1</parameter> option is <emphasis>required on
352 x86_64</emphasis>, otherwise <command>make</command> will try (and fail)
353 to create 32-bit objects. The [ $(uname -m) = x86_64 ] test ensures it
354 has no effect on a 32-bit system.
355 </para>
356
357 <para>
358 <command>$([ -f /usr/include/sqlite3.h ] &amp;&amp; echo
359 NSS_USE_SYSTEM_SQLITE=1)</command>: This tests if
360 <application>sqlite</application> is installed and if so it
361 <command>echo</command>s the option NSS_USE_SYSTEM_SQLITE=1 to
362 <command>make</command> so that
363 <filename class="libraryfile">libsoftokn3.so</filename> will link against
364 the system version of sqlite.
365 </para>
366
367 <para>
368 <option>NSS_DISABLE_GTESTS=1</option>: If you don't need to run the
369 NSS test suite, append this option to the <command>make</command> command
370 to prevent the compilation of tests and save some build time.
371 </para>
372
373 </sect2>
374
375 <sect2 role="configuration">
376 <title>Configuring NSS</title>
377
378 <para>
379 If <xref linkend="p11-kit"/> is installed, the
380 <application>p11-kit</application> trust module
381 (<filename>/usr/lib/pkcs11/p11-kit-trust.so</filename>) can be used as a
382 drop-in replacement for <filename>/usr/lib/libnssckbi.so</filename> to
383 transparently make the system CAs available to
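384 <application>NSS</application>-aware applications, rather than the static
385 CA list built into <filename>/usr/lib/libnssckbi.so</filename>. The installation commands above install <filename>libnssckbi.so</filename> into <filename class="directory">/usr/lib</filename> again, so repeat this step after reinstalling or upgrading <application>NSS</application>. As the
386 <systemitem class="username">root</systemitem> user, execute the following
387 command: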
388 </para>
389
390<screen role="root"><userinput>ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so</userinput></screen>
391
392 <para>
393 Additionally, for dependent applications that do not use the internal
394 database (<filename>/usr/lib/libnssckbi.so</filename>), the
395 <filename>/usr/sbin/make-ca</filename> script included on the
396 <xref linkend="make-ca"/> page can generate a system-wide NSS DB with the
397 <parameter>-n</parameter> switch, or by modifying the
398 <filename>/etc/make-ca/make-ca.conf</filename> file.
399 </para>
400
401 </sect2>
402
403 <sect2 role="content">
404 <title>Contents</title>
405
406 <segmentedlist>
407 <segtitle>Installed Programs</segtitle>
408 <segtitle>Installed Libraries</segtitle>
409 <segtitle>Installed Directories</segtitle>
410
411 <seglistitem>
412 <seg>
413 certutil, nss-config, and pk12util
414 </seg>
415 <seg>
416 libcrmf.a, libfreebl3.so, libfreeblpriv3.so,
417 libnss3.so, libnssckbi.so, libnssckbi-testlib.so,
418 libnssdbm3.so, libnsssysinit.so, libnssutil3.so,
419 libpkcs11testmodule.so, libsmime3.so, libsoftokn3.so,
420 and libssl3.so
421 </seg>
422 <seg>
423 /usr/include/nss
424 </seg>
425 </seglistitem>
426 </segmentedlist>
427
428 <variablelist>
429 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
430 <?dbfo list-presentation="list"?>
431 <?dbhtml list-presentation="table"?>
432
433 <varlistentry id="certutil">
434 <term><command>certutil</command></term>
435 <listitem>
436 <para>
437 is the Mozilla Certificate Database Tool. It is a command-line
438 utility that can create and modify the Netscape Communicator
439 cert8.db and key3.db database files. It can also list, generate,
440 modify, or delete certificates within the cert8.db file and create
441 or change the password, generate new public and private key pairs,
442 display the contents of the key database, or delete key pairs within
443 the key3.db file
444 </para>
445 <indexterm zone="nss certutil">
446 <primary sortas="b-certutil">certutil</primary>
447 </indexterm>
448 </listitem>
449 </varlistentry>
450
451 <varlistentry id="nss-config">
452 <term><command>nss-config</command></term>
453 <listitem>
454 <para>
455 is used to determine the NSS library settings of the installed NSS
456 libraries
457 </para>
458 <indexterm zone="nss nss-config">
459 <primary sortas="b-nss-config">nss-config</primary>
460 </indexterm>
461 </listitem>
462 </varlistentry>
463
464 <varlistentry id="pk12util">
465 <term><command>pk12util</command></term>
466 <listitem>
467 <para>
468 is a tool for importing certificates and keys from PKCS #12 files
469 into NSS or exporting them. It can also list certificates and keys
470 in such files
471 </para>
472 <indexterm zone="nss pk12util">
473 <primary sortas="b-pk12util">pk12util</primary>
474 </indexterm>
475 </listitem>
476 </varlistentry>
477
478 </variablelist>
479
480 </sect2>
481
482</sect1>