source: postlfs/security/nss.xml@ b5866f1

Last change on this file since b5866f1 was 910936c, checked in by Thomas Trepl <thomas@…>, 8 weeks ago

Upgrade nss-3.100

1<?xml version="1.0" encoding="UTF-8"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7<!-- for when .0 is not part of the new tarball name, but always referenced -->
8<!ENTITY nss-url "archive.mozilla.org/pub/security/nss/releases">
9
10<!-- micro versions-->
11<!--<!ENTITY nss-download-http "https://&nss-url;/NSS_3_&nss-minor-version;_&nss-micro-version;_RTM/src/nss-&nss-version;.tar.gz">-->
12
13<!-- no micro versions -->
14 <!ENTITY nss-download-http "https://&nss-url;/NSS_&nss-dir;_RTM/src/nss-&nss-version;.tar.gz">
15 <!ENTITY nss-download-ftp " ">
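16 <!ENTITY nss-md5sum "91d114f373c71ed04c4fca96958cdcd1"> <!-- MD5 is no longer collision-resistant; treat this value as a check against download corruption and, where upstream publishes a stronger digest or a signature, verify that as well -->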
17 <!ENTITY nss-size "73.1 MB">
18 <!ENTITY nss-buildsize "304 MB (add 268 MB for tests)">
19 <!ENTITY nss-time "1.1 SBU (with parallelism=4, add 16 SBU for tests on AMD Ryzens or at least 30 SBU on Intel machines)">
20 <!-- On my system, I got 64.2 SBU, but Bruce gets 18 SBU. -renodr -->
21 <!-- On my system, I got 63 SBU, but Xi gets ~18 SBU. -pierre (for 3.78) -->
22 <!-- On my 3400G for 3.79 I got 16 SBU -ken -->
23 <!-- Still 17 SBU for 3.81 - bdubbs -->
24 <!-- 73 SBU but I'm on Intel. -renodr -->
25 <!-- 3.86 amended the figures -ken
26 3400G 14 SBU with 6.0.12, but the remeasured SBU has become very slow
27 and maybe other people would see a faster SBU on a fresh build;
28 i7-4790 35 SBU with 6.0.12, no failures
29 Bruce's 3900X 19.3 SBU, his i7-12700K about 30 SBU, 12 failures
30
31 3.93:
32 Passed: 69982
33 Failed: 0
34 Failed with core: 0
35 ASan failures: 0
36 Unknown status: 2
37 TinderboxPrint:Unknown: 2
38
39 Test Results 3.95: (Intel i9-10900k) I got close to 70 SBU [rahul]
40
41 Passed: 69982
42 Failed: 0
43 Failed with core: 0
44 ASan failures: 0
45 Unknown status: 2
46 TinderboxPrint:Unknown: 2
47
48 Test Results 3.96: (AMD Ryzen 9 3900X) about 14 SBU [bdubbs]
49 Passed: 70289
50 Failed: 0
51 Failed with core: 0
52 ASan failures: 0
53 Unknown status: 2
54 TinderboxPrint:Unknown: 2
55
56 Test Results 3.97: (AMD Ryzen 7 1700) about 16 SBU [rahul]
57 Passed: 69809
58 Failed: 0
59 Failed with core: 0
60 ASan failures: 0
61 Unknown status: 2
62 TinderboxPrint:Unknown: 2
63
64 Test results 3.98: (Intel Xeon E5-1650v3) 25 SBU [renodr]
65 Tests summary:
66 Passed: 69919
67 Failed: 0
68 Failed with core: 0
69 ASan failures: 0
70 Unknown status: 2
71 TinderboxPrint:Unknown: 2
72
73 Test results 3.99: (AMD Ryzen 9 3900X) 14 SBU [bdubbs]
74 Tests summary:
75 Passed: 69953
76 Failed: 0
77 Failed with core: 0
78 ASan failures: 0
79 Unknown status: 2
80 TinderboxPrint:Unknown: 2
81
82 Test results 3.100 (Intel(R) Xeon(R) CPU E3-1245 v6, VBoxVM)
83 Tests summary:
84 Passed: 71813
85 Failed: 1
86 Failed with core: 0
87 ASan failures: 0
88 Unknown status: 2
89 TinderboxPrint:Unknown: 2
90 -->
91]>
92
93<sect1 id="nss" xreflabel="nss-&nss-version;">
94 <?dbhtml filename="nss.html"?>
95
96 <title>NSS-&nss-version;</title>
97
98 <indexterm zone="nss">
99 <primary sortas="a-NSS">NSS</primary>
100 </indexterm>
101
102 <sect2 role="package">
103 <title>Introduction to NSS</title>
104
105 <para>
106 The Network Security Services (<application>NSS</application>) package is
107 a set of libraries designed to support cross-platform development of
108 security-enabled client and server applications. Applications built with
109 NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12,
110 S/MIME, X.509 v3 certificates, and other security standards. This is
111 useful for implementing SSL and S/MIME or other Internet security
112 standards into an application.
113 </para>
114
115 &lfs121_checked;
116
117 <bridgehead renderas="sect3">Package Information</bridgehead>
118 <itemizedlist spacing="compact">
119 <listitem>
120 <para>
121 Download (HTTP): <ulink url="&nss-download-http;"/>
122 </para>
123 </listitem>
124 <listitem>
125 <para>
126 Download (FTP): <ulink url="&nss-download-ftp;"/>
127 </para>
128 </listitem>
129 <listitem>
130 <para>
131 Download MD5 sum: &nss-md5sum;
132 </para>
133 </listitem>
134 <listitem>
135 <para>
136 Download size: &nss-size;
137 </para>
138 </listitem>
139 <listitem>
140 <para>
141 Estimated disk space required: &nss-buildsize;
142 </para>
143 </listitem>
144 <listitem>
145 <para>
146 Estimated build time: &nss-time;
147 </para>
148 </listitem>
149 </itemizedlist>
150
151 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
152 <itemizedlist spacing="compact">
153 <listitem>
154 <para>
155 Required patch:
156 <ulink url="&patch-root;/nss-&nss-version;-standalone-1.patch"/>
157 </para>
158 </listitem>
159<!--
160 <listitem>
161 <para>
162 Required patch for processors lacking the <quote>adx</quote>
163 instruction set:
164 <ulink url="&patch-root;/nss-&nss-version;-illegal_instruction-1.patch"/>
165 </para>
166 </listitem>
167-->
168 </itemizedlist>
169
170 <bridgehead renderas="sect3">NSS Dependencies</bridgehead>
171
172 <bridgehead renderas="sect4">Required</bridgehead>
173 <para role="required">
174 <xref linkend="nspr"/>
175 </para>
176
177 <bridgehead renderas="sect4">Recommended</bridgehead>
178 <para role="recommended">
179 <xref linkend="sqlite"/> and
180 <xref role="runtime" linkend="p11-kit"/> (runtime)
181 </para>
182
183 <para condition="html" role="usernotes">
184 Editor Notes: <ulink url="&blfs-wiki;/nss"/>
185 </para>
186 </sect2>
187
188 <sect2 role="installation">
189 <title>Installation of NSS</title>
190
191<!--
192 <note>
193 <para>
194 Some old generations processors lack an assembler instruction that
195 is generated unconditionally by NSS-3.90. It leads to an
196 "illegal instruction" fault when running firefox. The availability
197 of this instruction is asserted by the <quote>adx</quote> flag
198 in <filename>/proc/cpuinfo</filename>. If this flag is not set,
199 apply the following patch:
200 </para>
201 </note>
202
203<screen><userinput>grep -q adx /proc/cpuinfo || \
204patch -Np1 -i ../nss-&nss-version;-illegal_instruction-1.patch</userinput></screen>
205
206-->
207 <para>
208 Install <application>NSS</application> by running the following commands:
209 </para>
210
211<screen><userinput>patch -Np1 -i ../nss-&nss-version;-standalone-1.patch &amp;&amp;
212
213cd nss &amp;&amp;
214
215make BUILD_OPT=1 \
216 NSPR_INCLUDE_DIR=/usr/include/nspr \
217 USE_SYSTEM_ZLIB=1 \
218 ZLIB_LIBS=-lz \
219 NSS_ENABLE_WERROR=0 \
220 $([ $(uname -m) = x86_64 ] &amp;&amp; echo USE_64=1) \
221 $([ -f /usr/include/sqlite3.h ] &amp;&amp; echo NSS_USE_SYSTEM_SQLITE=1)</userinput></screen>
222
223 <para>
224 <!-- the unittest files get compiled automatically since nss-3.31.0 -->
225 To run the tests, execute the following commands<!--(1 test is known to fail)-->:
226 </para>
227
228<screen remap="test"><userinput>cd tests &amp;&amp;
229HOST=localhost DOMSUF=localdomain ./all.sh
230cd ../</userinput></screen>
231
232 <note>
233 <para>Some information about the tests:</para>
234 <itemizedlist spacing="compact">
235 <listitem>
236 <para>
237 HOST=localhost and DOMSUF=localdomain are required.
238 Without these variables, an FQDN must be specified; setting them
239 as shown is a generic approach that should work for
240 everyone, provided <systemitem>localhost.localdomain</systemitem>
241 is defined
242 <phrase revision='sysv'>
243 in <filename>/etc/hosts</filename>, as done in
244 <ulink url="&lfs-root;/chapter09/network.html#ch-config-hosts">
245 the LFS book</ulink>.
246 </phrase>
247 <phrase revision='systemd'>
248 by the <systemitem class='library'>myhostname</systemitem>
249 Name Service Switch module, as specified in
250 <ulink url="&lfs-root;/chapter08/glibc.html#conf-glibc">
251 the LFS book</ulink>.
252 </phrase>
253 </para>
254 </listitem>
255 <listitem>
256 <para>
257 The tests take a long time to run. If desired there is
258 information in the all.sh script about running subsets of the
259 total test suite.
260 </para>
261 </listitem>
262 <listitem>
263 <para>
264 When interrupting the tests, the test suite
265 fails to spin down test servers that are run. This leads to an
266 infinite loop in the tests where the test suite tries to kill a server
267 that doesn't exist anymore because it pulls the wrong PID.
268 </para>
269 </listitem>
270 <listitem>
271 <para>
272 Test suite results (in HTML format!) can be found at
273 ../../test_results/security/localhost.1/results.html
274 </para>
275 </listitem>
276 <listitem>
277 <para>
278 A few tests might fail on some Intel machines for unknown reasons.
279 </para>
280 </listitem>
281 </itemizedlist>
282 </note>
283
284 <para>
285 Now, as the <systemitem class="username">root</systemitem> user:
286 </para>
287
288<screen role="root"><userinput>cd ../dist &amp;&amp;
289
290install -v -m755 Linux*/lib/*.so /usr/lib &amp;&amp;
291install -v -m644 Linux*/lib/{*.chk,libcrmf.a} /usr/lib &amp;&amp;
292
293install -v -m755 -d /usr/include/nss &amp;&amp;
294cp -v -RL {public,private}/nss/* /usr/include/nss &amp;&amp;
295
296install -v -m755 Linux*/bin/{certutil,nss-config,pk12util} /usr/bin &amp;&amp;
297
298install -v -m644 Linux*/lib/pkgconfig/nss.pc /usr/lib/pkgconfig</userinput></screen>
299
300 </sect2>
301
302 <sect2 role="commands">
303 <title>Command Explanations</title>
304
305 <para>
306 <parameter>BUILD_OPT=1</parameter>: This option is passed to
307 <command>make</command> so that the build is performed with no debugging
308 symbols built into the binaries and the default compiler optimizations are
309 used.
310 </para>
311
312 <para>
313 <parameter>NSPR_INCLUDE_DIR=/usr/include/nspr</parameter>: This option
314 sets the location of the nspr headers.
315 </para>
316
317 <para>
318 <parameter>USE_SYSTEM_ZLIB=1</parameter>: This option is passed to
319 <command>make</command> to ensure that the
320 <filename class="libraryfile">libssl3.so</filename> library is linked to
321 the system installed <application>zlib</application> instead of the
322 in-tree version.
323 </para>
324
325 <para>
326 <parameter>ZLIB_LIBS=-lz</parameter>: This option provides the
327 linker flags needed to link to the system <application>zlib</application>.
328 </para>
329
330 <para>
331 <command>$([ $(uname -m) = x86_64 ] &amp;&amp; echo USE_64=1)</command>:
332 The <parameter>USE_64=1</parameter> option is <emphasis>required on
333 x86_64</emphasis>, otherwise <command>make</command> will try (and fail)
334 to create 32-bit objects. The [ $(uname -m) = x86_64 ] test ensures it
335 has no effect on a 32-bit system.
336 </para>
337
338 <para>
339 <command>$([ -f /usr/include/sqlite3.h ] &amp;&amp; echo
340 NSS_USE_SYSTEM_SQLITE=1)</command>: This tests if
341 <application>sqlite</application> is installed and if so it
342 <command>echo</command>s the option NSS_USE_SYSTEM_SQLITE=1 to
343 <command>make</command> so that
344 <filename class="libraryfile">libsoftokn3.so</filename> will link against
345 the system version of sqlite.
346 </para>
347
348 <para>
349 <option>NSS_DISABLE_GTESTS=1</option>: If you don't need to run the
350 NSS test suite, append this option to the <command>make</command> command
351 to prevent the compilation of tests and save some build time.
352 </para>
353
354 </sect2>
355
356 <sect2 role="configuration">
357 <title>Configuring NSS</title>
358
359 <para>
360 If <xref linkend="p11-kit"/> is installed, the
361 <application>p11-kit</application> trust module
362 (<filename>/usr/lib/pkcs11/p11-kit-trust.so</filename>) can be used as a
363 drop-in replacement for <filename>/usr/lib/libnssckbi.so</filename> to
364 transparently make the system CAs available to
365 <application>NSS</application> aware applications, rather than the static
366 CA list built into <filename>/usr/lib/libnssckbi.so</filename>. As the
367 <systemitem class="username">root</systemitem> user, execute the following
368 command:
369 </para>
370
371<screen role="root"><userinput>ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so</userinput></screen>
372
373 <para>
374 Additionally, for dependent applications that do not use the internal
375 database (<filename>/usr/lib/libnssckbi.so</filename>), the
376 <filename>/usr/sbin/make-ca</filename> script included on the
377 <xref linkend="make-ca"/> page can generate a system wide NSS DB with the
378 <parameter>-n</parameter> switch, or by modifying the
379 <filename>/etc/make-ca/make-ca.conf</filename> file.
380 </para>
381
382 </sect2>
383
384 <sect2 role="content">
385 <title>Contents</title>
386
387 <segmentedlist>
388 <segtitle>Installed Programs</segtitle>
389 <segtitle>Installed Libraries</segtitle>
390 <segtitle>Installed Directories</segtitle>
391
392 <seglistitem>
393 <seg>
394 certutil, nss-config, and pk12util
395 </seg>
396 <seg>
397 libcrmf.a, libfreebl3.so, libfreeblpriv3.so,
398 libnss3.so, libnssckbi.so, libnssckbi-testlib.so,
399 libnssdbm3.so, libnsssysinit.so, libnssutil3.so,
400 libpkcs11testmodule.so, libsmime3.so, libsoftokn3.so,
401 and libssl3.so
402 </seg>
403 <seg>
404 /usr/include/nss
405 </seg>
406 </seglistitem>
407 </segmentedlist>
408
409 <variablelist>
410 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
411 <?dbfo list-presentation="list"?>
412 <?dbhtml list-presentation="table"?>
413
414 <varlistentry id="certutil">
415 <term><command>certutil</command></term>
416 <listitem>
417 <para>
418 is the Mozilla Certificate Database Tool. It is a command-line
419 utility that can create and modify the Netscape Communicator
420 cert8.db and key3.db database files. It can also list, generate,
421 modify, or delete certificates within the cert8.db file and create
422 or change the password, generate new public and private key pairs,
423 display the contents of the key database, or delete key pairs within
424 the key3.db file
425 </para>
426 <indexterm zone="nss certutil">
427 <primary sortas="b-certutil">certutil</primary>
428 </indexterm>
429 </listitem>
430 </varlistentry>
431
432 <varlistentry id="nss-config">
433 <term><command>nss-config</command></term>
434 <listitem>
435 <para>
436 is used to determine the NSS library settings of the installed NSS
437 libraries
438 </para>
439 <indexterm zone="nss nss-config">
440 <primary sortas="b-nss-config">nss-config</primary>
441 </indexterm>
442 </listitem>
443 </varlistentry>
444
445 <varlistentry id="pk12util">
446 <term><command>pk12util</command></term>
447 <listitem>
448 <para>
449 is a tool for importing certificates and keys from PKCS #12 files
450 into NSS or exporting them. It can also list certificates and keys
451 in such files
452 </para>
453 <indexterm zone="nss pk12util">
454 <primary sortas="b-pk12util">pk12util</primary>
455 </indexterm>
456 </listitem>
457 </varlistentry>
458
459 </variablelist>
460
461 </sect2>
462
463</sect1>