source: postlfs/security/nss.xml@ 9029db2

10.1 11.0 11.1 11.2 lazarus qt5new trunk upgradedb xry111/intltool xry111/soup3 xry111/test-20220226
Last change on this file since 9029db2 was 9029db2, checked in by Bruce Dubbs <bdubbs@…>, 19 months ago

Tag most of General Libraries and dependencies

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@24241 af4574ff-66df-0310-9fd7-8a98e5e911e0

  • Property mode set to 100644
File size: 12.2 KB
Line 
1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7<!-- for when .0 is not part of the new tarball name, but always referenced -->
8<!ENTITY nss-url "archive.mozilla.org/pub/security/nss/releases">
9
10<!-- micro versions -->
11<!--<!ENTITY nss-download-http "https://&nss-url;/NSS_3_&nss-minor-version;_&nss-micro-version;_RTM/src/nss-&nss-version;.tar.gz">-->
12
13<!-- no micro versions -->
14<!ENTITY nss-download-http "https://&nss-url;/NSS_3_&nss-minor-version;_RTM/src/nss-&nss-version;.tar.gz">
15
16 <!ENTITY nss-download-ftp " ">
17 <!ENTITY nss-md5sum "e07573e1c0e1e5bef7c05075f8dfa46d">
18 <!ENTITY nss-size "79 MB">
19 <!-- With 3.60, back to only -j1 builds using the 'legacy' build,
20 (new-style needs 'gyp', tests smaller but imprenetrable. See#14549 -->
21 <!ENTITY nss-buildsize "304 MB (add 96 MB for tests)">
22 <!ENTITY nss-time "8.1 SBU (add 20 SBU for tests)">
23]>
24
25<sect1 id="nss" xreflabel="NSS-&nss-version;">
26 <?dbhtml filename="nss.html"?>
27
28 <sect1info>
29 <othername>$LastChangedBy$</othername>
30 <date>$Date$</date>
31 </sect1info>
32
33 <title>NSS-&nss-version;</title>
34
35 <indexterm zone="nss">
36 <primary sortas="a-NSS">NSS</primary>
37 </indexterm>
38
39 <sect2 role="package">
40 <title>Introduction to NSS</title>
41
42 <para>
43 The Network Security Services (<application>NSS</application>) package is
44 a set of libraries designed to support cross-platform development of
45 security-enabled client and server applications. Applications built with
46 NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12,
47 S/MIME, X.509 v3 certificates, and other security standards. This is
48 useful for implementing SSL and S/MIME or other Internet security
49 standards into an application.
50 </para>
51
52 &lfs101_checked;
53
54 <bridgehead renderas="sect3">Package Information</bridgehead>
55 <itemizedlist spacing="compact">
56 <listitem>
57 <para>
58 Download (HTTP): <ulink url="&nss-download-http;"/>
59 </para>
60 </listitem>
61 <listitem>
62 <para>
63 Download (FTP): <ulink url="&nss-download-ftp;"/>
64 </para>
65 </listitem>
66 <listitem>
67 <para>
68 Download MD5 sum: &nss-md5sum;
69 </para>
70 </listitem>
71 <listitem>
72 <para>
73 Download size: &nss-size;
74 </para>
75 </listitem>
76 <listitem>
77 <para>
78 Estimated disk space required: &nss-buildsize;
79 </para>
80 </listitem>
81 <listitem>
82 <para>
83 Estimated build time: &nss-time;
84 </para>
85 </listitem>
86 </itemizedlist>
87
88 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
89 <itemizedlist spacing="compact">
90 <listitem>
91 <para>
92 Required patch:
93 <ulink url="&patch-root;/nss-&nss-version;-standalone-1.patch"/>
94 </para>
95 </listitem>
96 </itemizedlist>
97
98 <bridgehead renderas="sect3">NSS Dependencies</bridgehead>
99
100 <bridgehead renderas="sect4">Required</bridgehead>
101 <para role="required">
102 <xref linkend="nspr"/>
103 </para>
104
105 <bridgehead renderas="sect4">Recommended</bridgehead>
106 <para role="recommended">
107 <xref linkend="sqlite"/> and
108 <xref role="runtime" linkend="p11-kit"/> (runtime)
109 </para>
110
111 <para condition="html" role="usernotes">
112 User Notes: <ulink url="&blfs-wiki;/nss"/>
113 </para>
114 </sect2>
115
116 <sect2 role="installation">
117 <title>Installation of NSS</title>
118
119 <!-- In 3.53.x, parallel build was possible. See
120 http://lists.linuxfromscratch.org/pipermail/blfs-dev/2020-June/037498.html
121 for more information. -->
122
123 <!-- And with another rebuild of nss-3.54, all is well again, but broken in 3.60 -->
124 <note>
125 <para>
126 This package does not support parallel build.
127 </para>
128 </note>
129
130 <para>
131 Install <application>NSS</application> by running the following commands:
132 </para>
133
134<screen><userinput>patch -Np1 -i ../nss-&nss-version;-standalone-1.patch &amp;&amp;
135
136cd nss &amp;&amp;
137
138make -j1 BUILD_OPT=1 \
139 NSPR_INCLUDE_DIR=/usr/include/nspr \
140 USE_SYSTEM_ZLIB=1 \
141 ZLIB_LIBS=-lz \
142 NSS_ENABLE_WERROR=0 \
143 $([ $(uname -m) = x86_64 ] &amp;&amp; echo USE_64=1) \
144 $([ -f /usr/include/sqlite3.h ] &amp;&amp; echo NSS_USE_SYSTEM_SQLITE=1)</userinput></screen>
145
146 <para>
147 <!-- the unittest files get compiled automatically since nss-3.31.0 -->
148 <!-- The unit tests were run during the build.-->
149 To run the tests, execute the following commands (5 tests are known to fail):
150 </para>
151
152<screen remap="test"><userinput>cd tests &amp;&amp;
153HOST=localhost DOMSUF=localdomain ./all.sh &amp;&amp;
154cd ../</userinput></screen>
155
156 <!-- Some information about the tests:
157 - HOST=localhost and DOMSUF=localdomain require the changes done to
158 /etc/hosts in r11892 (LFS). Without these variables, a FQDN is
159 required to specified, and this generic way should work for
160 everyone.
161 - With NSS-3.53, there were 53,866 tests. The tests take an
162 extremely long time to run.
163 - Another interesting discovery has to do with interrupting the tests.
164 It was discovered that, when interrupting the tests, the test suite
165 fails to spin down test servers that are run. This leads to an
166 infinite loop in the tests where the test suite tries to kill a server
167 that doesn't exist anymore because it pulls the wrong PID.
168 - Test suite results (in HTML format!) can be found at
169 ../../test_results/security/localhost.1/
170 -->
171
172 <para>
173 Now, as the <systemitem class="username">root</systemitem> user:
174 </para>
175
176<screen role="root"><userinput>cd ../dist &amp;&amp;
177
178install -v -m755 Linux*/lib/*.so /usr/lib &amp;&amp;
179install -v -m644 Linux*/lib/{*.chk,libcrmf.a} /usr/lib &amp;&amp;
180
181install -v -m755 -d /usr/include/nss &amp;&amp;
182cp -v -RL {public,private}/nss/* /usr/include/nss &amp;&amp;
183chmod -v 644 /usr/include/nss/* &amp;&amp;
184
185install -v -m755 Linux*/bin/{certutil,nss-config,pk12util} /usr/bin &amp;&amp;
186
187install -v -m644 Linux*/lib/pkgconfig/nss.pc /usr/lib/pkgconfig</userinput></screen>
188
189 </sect2>
190
191 <sect2 role="commands">
192 <title>Command Explanations</title>
193
194 <para>
195 <parameter>BUILD_OPT=1</parameter>: This option is passed to
196 <command>make</command> so that the build is performed with no debugging
197 symbols built into the binaries and the default compiler optimizations are
198 used.
199 </para>
200
201 <para>
202 <parameter>NSPR_INCLUDE_DIR=/usr/include/nspr</parameter>: This option
203 sets the location of the nspr headers.
204 </para>
205
206 <para>
207 <parameter>USE_SYSTEM_ZLIB=1</parameter>: This option is passed to
208 <command>make</command> to ensure that the
209 <filename class="libraryfile">libssl3.so</filename> library is linked to
210 the system installed <application>zlib</application> instead of the
211 in-tree version.
212 </para>
213
214 <para>
215 <parameter>ZLIB_LIBS=-lz</parameter>: This option provides the
216 linker flags needed to link to the system <application>zlib</application>.
217 </para>
218
219 <para>
220 <command>$([ $(uname -m) = x86_64 ] &amp;&amp; echo USE_64=1)</command>:
221 The <parameter>USE_64=1</parameter> option is <emphasis>required on
222 x86_64</emphasis>, otherwise <command>make</command> will try (and fail)
223 to create 32-bit objects. The [ $(uname -m) = x86_64 ] test ensures it
224 has no effect on a 32 bit system.
225 </para>
226
227 <para>
228 <command>([ -f /usr/include/sqlite3.h ] &amp;&amp; echo
229 NSS_USE_SYSTEM_SQLITE=1)</command>: This tests if
230 <application>sqlite</application> is installed and if so it
231 <command>echo</command>s the option NSS_USE_SYSTEM_SQLITE=1 to
232 <command>make</command> so that
233 <filename class="libraryfile">libsoftokn3.so</filename> will link against
234 the system version of sqlite.
235 </para>
236
237 <para>
238 <option>NSS_DISABLE_GTESTS=1</option>: If you don't need to run
239 NSS test suite, append this option to <command>make</command> command,
240 to prevent the compilation of tests and save some build time.
241 </para>
242
243 </sect2>
244
245 <sect2 role="configuration">
246 <title>Configuring NSS</title>
247
248 <para>
249 If <xref linkend="p11-kit"/> is installed, the
250 <application>p11-kit</application> trust module
251 (<filename>/usr/lib/pkcs11/p11-kit-trust.so</filename>) can be used as a
252 drop-in replacement for <filename>/usr/lib/libnssckbi.so</filename> to
253 transparently make the system CAs available to
254 <application>NSS</application> aware applications, rather than the static
255 list provided by <filename>/usr/lib/libnssckbi.so</filename>. As the
256 <systemitem class="username">root</systemitem> user, execute the following
257 commands:
258 </para>
259
260<screen role="root"><userinput>ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so</userinput></screen>
261
262 <para>
263 Additionally, for dependent applications that do not use the internal
264 database (<filename>/usr/lib/libnssckbi.so</filename>), the
265 <filename>/usr/sbin/make-ca</filename> script, included on the
266 <xref linkend="make-ca"/> page can generate a system wide NSS DB with the
267 <parameter>-n</parameter> switch, or by modifying the
268 <filename>/etc/make-ca.conf</filename> file.
269 </para>
270
271 </sect2>
272
273 <sect2 role="content">
274 <title>Contents</title>
275
276 <segmentedlist>
277 <segtitle>Installed Programs</segtitle>
278 <segtitle>Installed Libraries</segtitle>
279 <segtitle>Installed Directories</segtitle>
280
281 <seglistitem>
282 <seg>
283 certutil, nss-config, and pk12util
284 </seg>
285 <seg>
286 libcrmf.a, libfreebl3.so, libfreeblpriv3.so,
287 libnss3.so, libnssckbi.so, libnssckbi-testlib.so,
288 libnssdbm3.so, libnsssysinit.so, libnssutil3.so,
289 libpkcs11testmodule.so, libsmime3.so, libsoftokn3.so,
290 and libssl3.so
291 </seg>
292 <seg>
293 /usr/include/nss
294 </seg>
295 </seglistitem>
296 </segmentedlist>
297
298 <variablelist>
299 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
300 <?dbfo list-presentation="list"?>
301 <?dbhtml list-presentation="table"?>
302
303 <varlistentry id="certutil">
304 <term><command>certutil</command></term>
305 <listitem>
306 <para>
307 is the Mozilla Certificate Database Tool. It is a command-line
308 utility that can create and modify the Netscape Communicator
309 cert8.db and key3.db database files. It can also list, generate,
310 modify, or delete certificates within the cert8.db file and create
311 or change the password, generate new public and private key pairs,
312 display the contents of the key database, or delete key pairs within
313 the key3.db file
314 </para>
315 <indexterm zone="nss certutil">
316 <primary sortas="b-certutil">certutil</primary>
317 </indexterm>
318 </listitem>
319 </varlistentry>
320
321 <varlistentry id="nss-config">
322 <term><command>nss-config</command></term>
323 <listitem>
324 <para>
325 is used to determine the NSS library settings of the installed NSS
326 libraries
327 </para>
328 <indexterm zone="nss nss-config">
329 <primary sortas="b-nss-config">nss-config</primary>
330 </indexterm>
331 </listitem>
332 </varlistentry>
333
334 <varlistentry id="pk12util">
335 <term><command>pk12util</command></term>
336 <listitem>
337 <para>
338 is a tool for importing certificates and keys from pkcs #12 files
339 into NSS or exporting them. It can also list certificates and keys
340 in such files
341 </para>
342 <indexterm zone="nss pk12util">
343 <primary sortas="b-pk12util">pk12util</primary>
344 </indexterm>
345 </listitem>
346 </varlistentry>
347
348 </variablelist>
349
350 </sect2>
351
352</sect1>
Note: See TracBrowser for help on using the repository browser.