source: postlfs/security/nss.xml@ 9029db2

<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
   "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
  <!ENTITY % general-entities SYSTEM "../../general.ent">
  %general-entities;

<!-- for when .0 is not part of the new tarball name, but always referenced -->
<!ENTITY nss-url "archive.mozilla.org/pub/security/nss/releases">

<!-- micro versions -->
<!--<!ENTITY nss-download-http "https://&nss-url;/NSS_3_&nss-minor-version;_&nss-micro-version;_RTM/src/nss-&nss-version;.tar.gz">-->

<!-- no micro versions -->
<!ENTITY nss-download-http "https://&nss-url;/NSS_3_&nss-minor-version;_RTM/src/nss-&nss-version;.tar.gz">

  <!ENTITY nss-download-ftp  " ">
  <!ENTITY nss-md5sum        "e07573e1c0e1e5bef7c05075f8dfa46d">
  <!ENTITY nss-size          "79 MB">
  <!-- With 3.60, back to only -j1 builds using the 'legacy' build,
    (new-style needs 'gyp', tests smaller but imprenetrable. See#14549 -->
  <!ENTITY nss-buildsize     "304 MB (add 96 MB for tests)">
  <!ENTITY nss-time          "8.1 SBU (add 20 SBU for tests)">
]>

<sect1 id="nss" xreflabel="NSS-&nss-version;">
  <?dbhtml filename="nss.html"?>

  <sect1info>
    <othername>$LastChangedBy$</othername>
    <date>$Date$</date>
  </sect1info>

  <title>NSS-&nss-version;</title>

  <indexterm zone="nss">
    <primary sortas="a-NSS">NSS</primary>
  </indexterm>

  <sect2 role="package">
    <title>Introduction to NSS</title>

    <para>
      The Network Security Services (<application>NSS</application>) package is
      a set of libraries designed to support cross-platform development of
      security-enabled client and server applications. Applications built with
      NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12,
      S/MIME, X.509 v3 certificates, and other security standards. This is
      useful for implementing SSL and S/MIME or other Internet security
      standards into an application.
    </para>

    &lfs101_checked;

    <bridgehead renderas="sect3">Package Information</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Download (HTTP): <ulink url="&nss-download-http;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download (FTP): <ulink url="&nss-download-ftp;"/>
        </para>
      </listitem>
      <listitem>
        <para>
          Download MD5 sum: &nss-md5sum;
        </para>
      </listitem>
      <listitem>
        <para>
          Download size: &nss-size;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated disk space required: &nss-buildsize;
        </para>
      </listitem>
      <listitem>
        <para>
          Estimated build time: &nss-time;
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">Additional Downloads</bridgehead>
    <itemizedlist spacing="compact">
      <listitem>
        <para>
          Required patch:
          <ulink url="&patch-root;/nss-&nss-version;-standalone-1.patch"/>
        </para>
      </listitem>
    </itemizedlist>

    <bridgehead renderas="sect3">NSS Dependencies</bridgehead>

    <bridgehead renderas="sect4">Required</bridgehead>
    <para role="required">
      <xref linkend="nspr"/>
    </para>

    <bridgehead renderas="sect4">Recommended</bridgehead>
    <para role="recommended">
      <xref linkend="sqlite"/> and
      <xref role="runtime" linkend="p11-kit"/> (runtime)
    </para>

    <para condition="html" role="usernotes">
      User Notes: <ulink url="&blfs-wiki;/nss"/>
    </para>
  </sect2>

  <sect2 role="installation">
    <title>Installation of NSS</title>

    <!-- In 3.53.x, parallel build was possible. See
         http://lists.linuxfromscratch.org/pipermail/blfs-dev/2020-June/037498.html
         for more information. -->

    <!-- And with another rebuild of nss-3.54, all is well again, but broken in 3.60 -->
    <note>
      <para>
        This package does not support parallel build.
      </para>
    </note>

    <para>
      Install <application>NSS</application> by running the following commands:
    </para>

<screen><userinput>patch -Np1 -i ../nss-&nss-version;-standalone-1.patch &amp;&amp;

cd nss &amp;&amp;

make -j1 BUILD_OPT=1                  \
  NSPR_INCLUDE_DIR=/usr/include/nspr  \
  USE_SYSTEM_ZLIB=1                   \
  ZLIB_LIBS=-lz                       \
  NSS_ENABLE_WERROR=0                 \
  $([ $(uname -m) = x86_64 ] &amp;&amp; echo USE_64=1) \
  $([ -f /usr/include/sqlite3.h ] &amp;&amp; echo NSS_USE_SYSTEM_SQLITE=1)</userinput></screen>

    <para>
      <!-- the unittest files get compiled automatically since nss-3.31.0 -->
      <!-- The unit tests were run during the build.-->
      To run the tests, execute the following commands (5 tests are known to fail):
    </para>

<screen remap="test"><userinput>cd tests &amp;&amp;
HOST=localhost DOMSUF=localdomain ./all.sh &amp;&amp;
cd ../</userinput></screen>
    
    <!--   Some information about the tests:
         - HOST=localhost and DOMSUF=localdomain require the changes done to
           /etc/hosts in r11892 (LFS). Without these variables, a FQDN is
           required to specified, and this generic way should work for
           everyone.
         - With NSS-3.53, there were 53,866 tests. The tests take an
           extremely long time to run. 
         - Another interesting discovery has to do with interrupting the tests.
           It was discovered that, when interrupting the tests, the test suite
           fails to spin down test servers that are run. This leads to an
           infinite loop in the tests where the test suite tries to kill a server
           that doesn't exist anymore because it pulls the wrong PID.
         - Test suite results (in HTML format!) can be found at 
           ../../test_results/security/localhost.1/
     -->

    <para>
      Now, as the <systemitem class="username">root</systemitem> user:
    </para>

<screen role="root"><userinput>cd ../dist                                                          &amp;&amp;

install -v -m755 Linux*/lib/*.so              /usr/lib              &amp;&amp;
install -v -m644 Linux*/lib/{*.chk,libcrmf.a} /usr/lib              &amp;&amp;

install -v -m755 -d                           /usr/include/nss      &amp;&amp;
cp -v -RL {public,private}/nss/*              /usr/include/nss      &amp;&amp;
chmod -v 644                                  /usr/include/nss/*    &amp;&amp;

install -v -m755 Linux*/bin/{certutil,nss-config,pk12util} /usr/bin &amp;&amp;

install -v -m644 Linux*/lib/pkgconfig/nss.pc  /usr/lib/pkgconfig</userinput></screen>

  </sect2>

  <sect2 role="commands">
    <title>Command Explanations</title>

    <para>
      <parameter>BUILD_OPT=1</parameter>: This option is passed to
      <command>make</command> so that the build is performed with no debugging
      symbols built into the binaries and the default compiler optimizations are
      used.
    </para>

    <para>
      <parameter>NSPR_INCLUDE_DIR=/usr/include/nspr</parameter>: This option
      sets the location of the nspr headers.
    </para>

    <para>
      <parameter>USE_SYSTEM_ZLIB=1</parameter>: This option is passed to
      <command>make</command> to ensure that the
      <filename class="libraryfile">libssl3.so</filename> library is linked to
      the system installed <application>zlib</application> instead of the
      in-tree version.
    </para>

    <para>
      <parameter>ZLIB_LIBS=-lz</parameter>: This option provides the
      linker flags needed to link to the system <application>zlib</application>.
    </para>

    <para>
      <command>$([ $(uname -m) = x86_64 ] &amp;&amp; echo USE_64=1)</command>:
      The <parameter>USE_64=1</parameter> option is <emphasis>required on
      x86_64</emphasis>, otherwise <command>make</command> will try (and fail)
      to create 32-bit objects. The [ $(uname -m) = x86_64 ] test ensures it
      has no effect on a 32 bit system.
    </para>

    <para>
      <command>([ -f /usr/include/sqlite3.h ] &amp;&amp; echo
      NSS_USE_SYSTEM_SQLITE=1)</command>: This tests if
      <application>sqlite</application> is installed and if so it
      <command>echo</command>s the option NSS_USE_SYSTEM_SQLITE=1 to
      <command>make</command> so that
      <filename class="libraryfile">libsoftokn3.so</filename> will link against
      the system version of sqlite.
    </para>

    <para>
      <option>NSS_DISABLE_GTESTS=1</option>: If you don't need to run
      NSS test suite, append this option to <command>make</command> command,
      to prevent the compilation of tests and save some build time.
    </para>

  </sect2>

  <sect2 role="configuration">
    <title>Configuring NSS</title>

    <para>
      If <xref linkend="p11-kit"/> is installed, the
      <application>p11-kit</application> trust module
      (<filename>/usr/lib/pkcs11/p11-kit-trust.so</filename>) can be used as a
      drop-in replacement for <filename>/usr/lib/libnssckbi.so</filename> to
      transparently make the system CAs available to
      <application>NSS</application> aware applications, rather than the static
      list provided by <filename>/usr/lib/libnssckbi.so</filename>. As the
      <systemitem class="username">root</systemitem> user, execute the following
      commands:
    </para>

<screen role="root"><userinput>ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so</userinput></screen>

    <para>
      Additionally, for dependent applications that do not use the internal
      database (<filename>/usr/lib/libnssckbi.so</filename>), the
      <filename>/usr/sbin/make-ca</filename> script, included on the
      <xref linkend="make-ca"/> page can generate a system wide NSS DB with the
      <parameter>-n</parameter> switch, or by modifying the
      <filename>/etc/make-ca.conf</filename> file.
    </para>

  </sect2>

  <sect2 role="content">
    <title>Contents</title>

    <segmentedlist>
      <segtitle>Installed Programs</segtitle>
      <segtitle>Installed Libraries</segtitle>
      <segtitle>Installed Directories</segtitle>

      <seglistitem>
        <seg>
          certutil, nss-config, and pk12util
        </seg>
        <seg>
          libcrmf.a, libfreebl3.so, libfreeblpriv3.so,
          libnss3.so, libnssckbi.so, libnssckbi-testlib.so,
          libnssdbm3.so, libnsssysinit.so, libnssutil3.so, 
          libpkcs11testmodule.so, libsmime3.so, libsoftokn3.so, 
          and libssl3.so
        </seg>
        <seg>
          /usr/include/nss
        </seg>
      </seglistitem>
    </segmentedlist>

    <variablelist>
      <bridgehead renderas="sect3">Short Descriptions</bridgehead>
      <?dbfo list-presentation="list"?>
      <?dbhtml list-presentation="table"?>

      <varlistentry id="certutil">
        <term><command>certutil</command></term>
        <listitem>
          <para>
            is the Mozilla Certificate Database Tool. It is a command-line
            utility that can create and modify the Netscape Communicator
            cert8.db and key3.db database files. It can also list, generate,
            modify, or delete certificates within the cert8.db file and create
            or change the password, generate new public and private key pairs,
            display the contents of the key database, or delete key pairs within
            the key3.db file
          </para>
          <indexterm zone="nss certutil">
            <primary sortas="b-certutil">certutil</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="nss-config">
        <term><command>nss-config</command></term>
        <listitem>
          <para>
            is used to determine the NSS library settings of the installed NSS
            libraries
          </para>
          <indexterm zone="nss nss-config">
            <primary sortas="b-nss-config">nss-config</primary>
          </indexterm>
        </listitem>
      </varlistentry>

      <varlistentry id="pk12util">
        <term><command>pk12util</command></term>
        <listitem>
          <para>
            is a tool for importing certificates and keys from pkcs #12 files
            into NSS or exporting them. It can also list certificates and keys
            in such files
          </para>
          <indexterm zone="nss pk12util">
            <primary sortas="b-pk12util">pk12util</primary>
          </indexterm>
        </listitem>
      </varlistentry>

    </variablelist>

  </sect2>

</sect1>