source: postlfs/security/nss.xml@ 6906954a

Last change on this file since 6906954a was 6906954a, checked in by Thomas Trepl <thomas@…>, 3 months ago

Fix a typo

1<?xml version="1.0" encoding="UTF-8"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7<!-- for when .0 is not part of the new tarball name, but always referenced -->
8<!ENTITY nss-url "archive.mozilla.org/pub/security/nss/releases">
9
10<!-- micro versions-->
11<!--<!ENTITY nss-download-http "https://&nss-url;/NSS_3_&nss-minor-version;_&nss-micro-version;_RTM/src/nss-&nss-version;.tar.gz">-->
12
13<!-- no micro versions -->
14 <!ENTITY nss-download-http "https://&nss-url;/NSS_&nss-dir;_RTM/src/nss-&nss-version;.tar.gz">
15 <!ENTITY nss-download-ftp " ">
16 <!ENTITY nss-md5sum "4502fcae1b32da310fffdfb3c67f6985">
17 <!ENTITY nss-size "73 MB">
18 <!ENTITY nss-buildsize "312 MB (add 268 MB for tests)">
19 <!ENTITY nss-time "0.9 SBU (with parallelism=4, add 16 SBU for tests on AMD Ryzens or at least 30 SBU on Intel machines)">
20 <!-- On my system, I got 64.2 SBU, but Bruce gets 18 SBU. -renodr -->
21 <!-- On my system, I got 63 SBU, but Xi gets ~18 SBU. -pierre (for 3.78) -->
22 <!-- On my 3400G for 3.79 I got 16 SBU -ken -->
23 <!-- Still 17 SBU for 3.81 - bdubbs -->
24 <!-- 73 SBU but I'm on Intel. -renodr -->
25 <!-- 3.86 amended the figures -ken
26 3400G 14 SBU with 6.0.12, but the remeasured SBU has become very slow
27 and maybe other people would see a faster SBU on a fresh build;
28 i7-4790 35 SBU with 6.0.12, no failures
29 Bruce's 3900X 19.3 SBU, his i7-12700K about 30 SBU, 12 failures
30
31 3.93:
32 Passed: 69982
33 Failed: 0
34 Failed with core: 0
35 ASan failures: 0
36 Unknown status: 2
37 TinderboxPrint:Unknown: 2
38 -->
39 <!-- Test Results 3.95: (Intel i9-10900k) I got close to 70 SBU [rahul]
40
41 Passed: 69982
42 Failed: 0
43 Failed with core: 0
44 ASan failures: 0
45 Unknown status: 2
46 TinderboxPrint:Unknown: 2
47 -->
48
49 <!-- Test Results 3.96: (AMD Ryzen 9 3900X) about 14 SBU [bdubbs]
50 Passed: 70289
51 Failed: 0
52 Failed with core: 0
53 ASan failures: 0
54 Unknown status: 2
55 TinderboxPrint:Unknown: 2
56
57
58 -->
59 <!-- Test Results 3.97: (AMD Ryzen 7 1700) about 16 SBU [rahul]
60 Passed: 69809
61 Failed: 0
62 Failed with core: 0
63 ASan failures: 0
64 Unknown status: 2
65 TinderboxPrint:Unknown: 2
66 -->
67
68 <!-- Test results 3.98: (Intel Xeon E5-1650v3) 25 SBU [renodr]
69 Tests summary:
70 Passed: 69919
71 Failed: 0
72 Failed with core: 0
73 ASan failures: 0
74 Unknown status: 2
75 TinderboxPrint:Unknown: 2
76 -->
77
78]>
79
80<sect1 id="nss" xreflabel="nss-&nss-version;">
81 <?dbhtml filename="nss.html"?>
82
83
84 <title>NSS-&nss-version;</title>
85
86 <indexterm zone="nss">
87 <primary sortas="a-NSS">NSS</primary>
88 </indexterm>
89
90 <sect2 role="package">
91 <title>Introduction to NSS</title>
92
93 <para>
94 The Network Security Services (<application>NSS</application>) package is
95 a set of libraries designed to support cross-platform development of
96 security-enabled client and server applications. Applications built with
97 NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12,
98 S/MIME, X.509 v3 certificates, and other security standards. This is
99 useful for implementing SSL and S/MIME or other Internet security
100 standards into an application.
101 </para>
102
103 &lfs121_checked;
104
105 <bridgehead renderas="sect3">Package Information</bridgehead>
106 <itemizedlist spacing="compact">
107 <listitem>
108 <para>
109 Download (HTTP): <ulink url="&nss-download-http;"/>
110 </para>
111 </listitem>
112 <listitem>
113 <para>
114 Download (FTP): <ulink url="&nss-download-ftp;"/>
115 </para>
116 </listitem>
117 <listitem>
118 <para>
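119 Download MD5 sum: &nss-md5sum; (detects a corrupted download only; MD5 is not collision-resistant, so it does not authenticate the tarball)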
120 </para>
121 </listitem>
122 <listitem>
123 <para>
124 Download size: &nss-size;
125 </para>
126 </listitem>
127 <listitem>
128 <para>
129 Estimated disk space required: &nss-buildsize;
130 </para>
131 </listitem>
132 <listitem>
133 <para>
134 Estimated build time: &nss-time;
135 </para>
136 </listitem>
137 </itemizedlist>
138
139 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
140 <itemizedlist spacing="compact">
141 <listitem>
142 <para>
143 Required patch:
144 <ulink url="&patch-root;/nss-&nss-version;-standalone-1.patch"/>
145 </para>
146 </listitem>
147<!--
148 <listitem>
149 <para>
150 Required patch for processors lacking the <quote>adx</quote>
151 instruction set:
152 <ulink url="&patch-root;/nss-&nss-version;-illegal_instruction-1.patch"/>
153 </para>
154 </listitem>
155-->
156 </itemizedlist>
157
158 <bridgehead renderas="sect3">NSS Dependencies</bridgehead>
159
160 <bridgehead renderas="sect4">Required</bridgehead>
161 <para role="required">
162 <xref linkend="nspr"/>
163 </para>
164
165 <bridgehead renderas="sect4">Recommended</bridgehead>
166 <para role="recommended">
167 <xref linkend="sqlite"/> and
168 <xref role="runtime" linkend="p11-kit"/> (runtime)
169 </para>
170
171 <para condition="html" role="usernotes">
172 Editor Notes: <ulink url="&blfs-wiki;/nss"/>
173 </para>
174 </sect2>
175
176 <sect2 role="installation">
177 <title>Installation of NSS</title>
178
179<!--
180 <note>
181 <para>
182 Some older-generation processors lack an assembler instruction that
183 is generated unconditionally by NSS-3.90. This leads to an
184 "illegal instruction" fault when running firefox. The availability
185 of this instruction is asserted by the <quote>adx</quote> flag
186 in <filename>/proc/cpuinfo</filename>. If this flag is not set,
187 apply the following patch:
188 </para>
189 </note>
190
191<screen><userinput>grep -q adx /proc/cpuinfo || \
192patch -Np1 -i ../nss-&nss-version;-illegal_instruction-1.patch</userinput></screen>
193
194-->
195 <para>
196 Install <application>NSS</application> by running the following commands:
197 </para>
198
199<screen><userinput>patch -Np1 -i ../nss-&nss-version;-standalone-1.patch &amp;&amp;
200
201cd nss &amp;&amp;
202
203make BUILD_OPT=1 \
204 NSPR_INCLUDE_DIR=/usr/include/nspr \
205 USE_SYSTEM_ZLIB=1 \
206 ZLIB_LIBS=-lz \
207 NSS_ENABLE_WERROR=0 \
208 $([ $(uname -m) = x86_64 ] &amp;&amp; echo USE_64=1) \
209 $([ -f /usr/include/sqlite3.h ] &amp;&amp; echo NSS_USE_SYSTEM_SQLITE=1)</userinput></screen>
210
211 <para>
212 <!-- the unittest files get compiled automatically since nss-3.31.0 -->
213 To run the tests, execute the following commands<!--(1 test is known to fail)-->:
214 </para>
215
216<screen remap="test"><userinput>cd tests &amp;&amp;
217HOST=localhost DOMSUF=localdomain ./all.sh
218cd ../</userinput></screen>
219
220 <note>
221 <para>Some information about the tests:</para>
222 <itemizedlist spacing="compact">
223 <listitem>
224 <para>
225 HOST=localhost and DOMSUF=localdomain are required.
226 Without these variables, an FQDN must be specified; this generic
227 approach should work for everyone, provided
228 <systemitem>localhost.localdomain</systemitem>
229 is defined
230 <phrase revision='sysv'>
231 in <filename>/etc/hosts</filename>, as done in
232 <ulink url="&lfs-root;/chapter09/network.html#ch-config-hosts">
233 the LFS book</ulink>.
234 </phrase>
235 <phrase revision='systemd'>
236 by the <systemitem class='library'>myhostname</systemitem>
237 Name Service Switch module, as specified in
238 <ulink url="&lfs-root;/chapter08/glibc.html#conf-glibc">
239 the LFS book</ulink>.
240 </phrase>
241 </para>
242 </listitem>
243 <listitem>
244 <para>
245 The tests take a long time to run. If desired there is
246 information in the all.sh script about running subsets of the
247 total test suite.
248 </para>
249 </listitem>
250 <listitem>
251 <para>
252 If the tests are interrupted, the test suite
253 fails to shut down the test servers it started. This leads to an
254 infinite loop in the tests where the test suite tries to kill a server
255 that doesn't exist anymore because it pulls the wrong PID.
256 </para>
257 </listitem>
258 <listitem>
259 <para>
260 Test suite results (in HTML format!) can be found at
261 ../../test_results/security/localhost.1/results.html
262 </para>
263 </listitem>
264 <listitem>
265 <para>
266 A few tests might fail on some Intel machines for unknown reasons.
267 </para>
268 </listitem>
269 </itemizedlist>
270 </note>
271
272 <para>
273 Now, as the <systemitem class="username">root</systemitem> user:
274 </para>
275
276<screen role="root"><userinput>cd ../dist &amp;&amp;
277
278install -v -m755 Linux*/lib/*.so /usr/lib &amp;&amp;
279install -v -m644 Linux*/lib/{*.chk,libcrmf.a} /usr/lib &amp;&amp;
280
281install -v -m755 -d /usr/include/nss &amp;&amp;
282cp -v -RL {public,private}/nss/* /usr/include/nss &amp;&amp;
283
284install -v -m755 Linux*/bin/{certutil,nss-config,pk12util} /usr/bin &amp;&amp;
285
286install -v -m644 Linux*/lib/pkgconfig/nss.pc /usr/lib/pkgconfig</userinput></screen>
287
288 </sect2>
289
290 <sect2 role="commands">
291 <title>Command Explanations</title>
292
293 <para>
294 <parameter>BUILD_OPT=1</parameter>: This option is passed to
295 <command>make</command> so that the build is performed with no debugging
296 symbols built into the binaries and the default compiler optimizations are
297 used.
298 </para>
299
300 <para>
301 <parameter>NSPR_INCLUDE_DIR=/usr/include/nspr</parameter>: This option
302 sets the location of the nspr headers.
303 </para>
304
305 <para>
306 <parameter>USE_SYSTEM_ZLIB=1</parameter>: This option is passed to
307 <command>make</command> to ensure that the
308 <filename class="libraryfile">libssl3.so</filename> library is linked to
309 the system installed <application>zlib</application> instead of the
310 in-tree version.
311 </para>
312
313 <para>
314 <parameter>ZLIB_LIBS=-lz</parameter>: This option provides the
315 linker flags needed to link to the system <application>zlib</application>.
316 </para>
317
318 <para>
319 <command>$([ $(uname -m) = x86_64 ] &amp;&amp; echo USE_64=1)</command>:
320 The <parameter>USE_64=1</parameter> option is <emphasis>required on
321 x86_64</emphasis>, otherwise <command>make</command> will try (and fail)
322 to create 32-bit objects. The [ $(uname -m) = x86_64 ] test ensures it
323 has no effect on a 32-bit system.
324 </para>
325
326 <para>
327 <command>$([ -f /usr/include/sqlite3.h ] &amp;&amp; echo
328 NSS_USE_SYSTEM_SQLITE=1)</command>: This tests if
329 <application>sqlite</application> is installed and if so it
330 <command>echo</command>s the option NSS_USE_SYSTEM_SQLITE=1 to
331 <command>make</command> so that
332 <filename class="libraryfile">libsoftokn3.so</filename> will link against
333 the system version of sqlite.
334 </para>
335
336 <para>
337 <option>NSS_DISABLE_GTESTS=1</option>: If you don't need to run
338 the NSS test suite, append this option to the <command>make</command>
339 command to prevent the compilation of tests and save some build time.
340 </para>
341
342 </sect2>
343
344 <sect2 role="configuration">
345 <title>Configuring NSS</title>
346
347 <para>
348 If <xref linkend="p11-kit"/> is installed, the
349 <application>p11-kit</application> trust module
350 (<filename>/usr/lib/pkcs11/p11-kit-trust.so</filename>) can be used as a
351 drop-in replacement for <filename>/usr/lib/libnssckbi.so</filename> to
352 transparently make the system CAs available to
353 <application>NSS</application> aware applications, rather than the static
354 lib provided by <filename>/usr/lib/libnssckbi.so</filename>. As the
355 <systemitem class="username">root</systemitem> user, execute the following
356 command:
357 </para>
358
359<screen role="root"><userinput>ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so</userinput></screen>
360
361 <para>
362 Additionally, for dependent applications that do not use the internal
363 database (<filename>/usr/lib/libnssckbi.so</filename>), the
364 <filename>/usr/sbin/make-ca</filename> script included on the
365 <xref linkend="make-ca"/> page can generate a system wide NSS DB with the
366 <parameter>-n</parameter> switch, or by modifying the
367 <filename>/etc/make-ca/make-ca.conf</filename> file.
368 </para>
369
370 </sect2>
371
372 <sect2 role="content">
373 <title>Contents</title>
374
375 <segmentedlist>
376 <segtitle>Installed Programs</segtitle>
377 <segtitle>Installed Libraries</segtitle>
378 <segtitle>Installed Directories</segtitle>
379
380 <seglistitem>
381 <seg>
382 certutil, nss-config, and pk12util
383 </seg>
384 <seg>
385 libcrmf.a, libfreebl3.so, libfreeblpriv3.so,
386 libnss3.so, libnssckbi.so, libnssckbi-testlib.so,
387 libnssdbm3.so, libnsssysinit.so, libnssutil3.so,
388 libpkcs11testmodule.so, libsmime3.so, libsoftokn3.so,
389 and libssl3.so
390 </seg>
391 <seg>
392 /usr/include/nss
393 </seg>
394 </seglistitem>
395 </segmentedlist>
396
397 <variablelist>
398 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
399 <?dbfo list-presentation="list"?>
400 <?dbhtml list-presentation="table"?>
401
402 <varlistentry id="certutil">
403 <term><command>certutil</command></term>
404 <listitem>
405 <para>
406 is the Mozilla Certificate Database Tool. It is a command-line
407 utility that can create and modify the Netscape Communicator
408 cert8.db and key3.db database files. It can also list, generate,
409 modify, or delete certificates within the cert8.db file and create
410 or change the password, generate new public and private key pairs,
411 display the contents of the key database, or delete key pairs within
412 the key3.db file
413 </para>
414 <indexterm zone="nss certutil">
415 <primary sortas="b-certutil">certutil</primary>
416 </indexterm>
417 </listitem>
418 </varlistentry>
419
420 <varlistentry id="nss-config">
421 <term><command>nss-config</command></term>
422 <listitem>
423 <para>
424 is used to determine the NSS library settings of the installed NSS
425 libraries
426 </para>
427 <indexterm zone="nss nss-config">
428 <primary sortas="b-nss-config">nss-config</primary>
429 </indexterm>
430 </listitem>
431 </varlistentry>
432
433 <varlistentry id="pk12util">
434 <term><command>pk12util</command></term>
435 <listitem>
436 <para>
437 is a tool for importing certificates and keys from PKCS #12 files
438 into NSS or exporting them. It can also list certificates and keys
439 in such files
440 </para>
441 <indexterm zone="nss pk12util">
442 <primary sortas="b-pk12util">pk12util</primary>
443 </indexterm>
444 </listitem>
445 </varlistentry>
446
447 </variablelist>
448
449 </sect2>
450
451</sect1>