1<?xml version="1.0" encoding="UTF-8"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7<!-- for when .0 is not part of the new tarball name, but always referenced -->
8<!ENTITY nss-url "archive.mozilla.org/pub/security/nss/releases">
9
10<!-- micro versions-->
11<!--<!ENTITY nss-download-http "https://&nss-url;/NSS_3_&nss-minor-version;_&nss-micro-version;_RTM/src/nss-&nss-version;.tar.gz">-->
12
13<!-- no micro versions -->
14 <!ENTITY nss-download-http "https://&nss-url;/NSS_&nss-dir;_RTM/src/nss-&nss-version;.tar.gz">
15 <!ENTITY nss-download-ftp " ">
16 <!ENTITY nss-md5sum "1657133aebd0f844ffe6556398ff1907">
17 <!ENTITY nss-size "73 MB">
18 <!ENTITY nss-buildsize "305 MB (add 154 MB for tests)">
19 <!ENTITY nss-time "0.7 SBU (with parallelism=4, add 16 SBU for tests on AMD Ryzens or at least 30 SBU on Intel machines)">
20 <!-- On my system, I got 64.2 SBU, but Bruce gets 18 SBU. -renodr -->
21 <!-- On my system, I got 63 SBU, but Xi gets ~18 SBU. -pierre (for 3.78) -->
22 <!-- On my 3400G for 3.79 I got 16 SBU -ken -->
23 <!-- Still 17 SBU for 3.81 - bdubbs -->
24 <!-- 73 SBU but I'm on Intel. -renodr -->
25 <!-- 3.86 amended the figures -ken
26 3400G 14 SBU with 6.0.12, but the remeasured SBU has become very slow
27 and maybe other people would see a faster SBU on a fresh build;
28 i7-4790 35 SBU with 6.0.12, no failures
29 Bruce's 3900X 19.3 SBU, his i7-12700K about 30 SBU, 12 failures
30
31 3.93:
32 Passed: 69982
33 Failed: 0
34 Failed with core: 0
35 ASan failures: 0
36 Unknown status: 2
37 TinderboxPrint:Unknown: 2
38
39 Test Results 3.95: (Intel i9-10900k) I got close to 70 SBU [rahul]
40
41 Passed: 69982
42 Failed: 0
43 Failed with core: 0
44 ASan failures: 0
45 Unknown status: 2
46 TinderboxPrint:Unknown: 2
47
48 Test Results 3.96: (AMD Ryzen 9 3900X) about 14 SBU [bdubbs]
49 Passed: 70289
50 Failed: 0
51 Failed with core: 0
52 ASan failures: 0
53 Unknown status: 2
54 TinderboxPrint:Unknown: 2
55
56 Test Results 3.97: (AMD Ryzen 7 1700) about 16 SBU [rahul]
57 Passed: 69809
58 Failed: 0
59 Failed with core: 0
60 ASan failures: 0
61 Unknown status: 2
62 TinderboxPrint:Unknown: 2
63
64 Test results 3.98: (Intel Xeon E5-1650v3) 25 SBU [renodr]
65 Tests summary:
66 Passed: 69919
67 Failed: 0
68 Failed with core: 0
69 ASan failures: 0
70 Unknown status: 2
71 TinderboxPrint:Unknown: 2
72
73 Test results 3.99: (AMD Ryzen 9 3900X) 14 SBU [bdubbs]
74 Tests summary:
75 Passed: 69953
76 Failed: 0
77 Failed with core: 0
78 ASan failures: 0
79 Unknown status: 2
80 TinderboxPrint:Unknown: 2
81
82 Test results 3.100 (Intel(R) Xeon(R) CPU E3-1245 v6, VBoxVM)
83 Tests summary:
84 Passed: 71813
85 Failed: 1
86 Failed with core: 0
87 ASan failures: 0
88 Unknown status: 2
89 TinderboxPrint:Unknown: 2
90
91 Test Results 3.103: (AMD Ryzen 7 1700 QEMU host-model) about 30 SBU [rahul]
92 Tests summary:
93 Passed: 73415
94 Failed: 0
95 Failed with core: 0
96 ASan failures: 0
97 Unknown status: 2
98 TinderboxPrint:Unknown: 2
99
100 Test Results 3.104: (Intel i9-10900k) 30 SBU [rahul]
101 Tests summary:
102 Passed: 73415
103 Failed: 0
104 Failed with core: 0
105 ASan failures: 0
106 Unknown status: 2
107 TinderboxPrint:Unknown: 2
108
109 Test Results 3.105: (Intel i7-14700K) 16 SBU [bdubbs]
110 Tests summary:
111 Passed: 75943
112 Failed: 0
113 Failed with core: 0
114 ASan failures: 0
115 Unknown status: 2
116 TinderboxPrint:Unknown: 2
117 -->
118]>
119
120<sect1 id="nss" xreflabel="nss-&nss-version;">
121 <?dbhtml filename="nss.html"?>
122
123 <title>NSS-&nss-version;</title>
124
125 <indexterm zone="nss">
126 <primary sortas="a-NSS">NSS</primary>
127 </indexterm>
128
129 <sect2 role="package">
130 <title>Introduction to NSS</title>
131
132 <para>
133 The Network Security Services (<application>NSS</application>) package is
134 a set of libraries designed to support cross-platform development of
135 security-enabled client and server applications. Applications built with
136 NSS can support SSL v2 and v3, TLS, PKCS #5, PKCS #7, PKCS #11, PKCS #12,
137 S/MIME, X.509 v3 certificates, and other security standards. This is
138 useful for implementing SSL and S/MIME or other Internet security
139 standards into an application.
140 </para>
141
142 &lfs122_checked;
143
144 <bridgehead renderas="sect3">Package Information</bridgehead>
145 <itemizedlist spacing="compact">
146 <listitem>
147 <para>
148 Download (HTTP): <ulink url="&nss-download-http;"/>
149 </para>
150 </listitem>
151 <listitem>
152 <para>
153 Download (FTP): <ulink url="&nss-download-ftp;"/>
154 </para>
155 </listitem>
156 <listitem>
157 <para>
158 Download MD5 sum: &nss-md5sum;
159 </para>
160 </listitem>
161 <listitem>
162 <para>
163 Download size: &nss-size;
164 </para>
165 </listitem>
166 <listitem>
167 <para>
168 Estimated disk space required: &nss-buildsize;
169 </para>
170 </listitem>
171 <listitem>
172 <para>
173 Estimated build time: &nss-time;
174 </para>
175 </listitem>
176 </itemizedlist>
177
178 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
179 <itemizedlist spacing="compact">
180 <listitem>
181 <para>
182 Required patch:
183 <ulink url="&patch-root;/nss-standalone-1.patch"/>
184 </para>
185 </listitem>
186<!--
187 <listitem>
188 <para>
189 Required patch for processors lacking the <quote>adx</quote>
190 instruction set:
191 <ulink url="&patch-root;/nss-&nss-version;-illegal_instruction-1.patch"/>
192 </para>
193 </listitem>
194-->
195 </itemizedlist>
196
197 <bridgehead renderas="sect3">NSS Dependencies</bridgehead>
198
199 <bridgehead renderas="sect4">Required</bridgehead>
200 <para role="required">
201 <xref linkend="nspr"/>
202 </para>
203
204 <bridgehead renderas="sect4">Recommended</bridgehead>
205 <para role="recommended">
206 <xref linkend="sqlite"/> and
207 <xref role="runtime" linkend="p11-kit"/> (runtime)
208 </para>
209
210 <para condition="html" role="usernotes">
211 Editor Notes: <ulink url="&blfs-wiki;/nss"/>
212 </para>
213 </sect2>
214
215 <sect2 role="installation">
216 <title>Installation of NSS</title>
217
218<!--
219 <note>
220 <para>
221 Some older generations of processors lack an assembler instruction that
222 is generated unconditionally by NSS-3.90. This leads to an
223 "illegal instruction" fault when running firefox. The availability
224 of this instruction is indicated by the <quote>adx</quote> flag
225 in <filename>/proc/cpuinfo</filename>. If this flag is not set,
226 apply the following patch:
227 </para>
228 </note>
229
230<screen><userinput>grep -q adx /proc/cpuinfo || \
231patch -Np1 -i ../nss-&nss-version;-illegal_instruction-1.patch</userinput></screen>
232
233-->
234 <para>
235 Install <application>NSS</application> by running the following commands:
236 </para>
237
238<screen><userinput>patch -Np1 -i ../nss-standalone-1.patch &amp;&amp;
239
240cd nss &amp;&amp;
241
242make BUILD_OPT=1 \
243 NSPR_INCLUDE_DIR=/usr/include/nspr \
244 USE_SYSTEM_ZLIB=1 \
245 ZLIB_LIBS=-lz \
246 NSS_ENABLE_WERROR=0 \
247 $([ $(uname -m) = x86_64 ] &amp;&amp; echo USE_64=1) \
248 $([ -f /usr/include/sqlite3.h ] &amp;&amp; echo NSS_USE_SYSTEM_SQLITE=1)</userinput></screen>
249
250 <para>
251 <!-- the unittest files get compiled automatically since nss-3.31.0 -->
252 To run the tests, execute the following commands<!--(1 test is known to fail)-->:
253 </para>
254
255<screen remap="test"><userinput>cd tests &amp;&amp;
256HOST=localhost DOMSUF=localdomain ./all.sh
257cd ../</userinput></screen>
258
259 <note>
260 <para>Some information about the tests:</para>
261 <itemizedlist spacing="compact">
262 <listitem>
263 <para>
264 HOST=localhost and DOMSUF=localdomain are required.
265 Without these variables, an FQDN must be
266 specified; using these generic values should work for
267 everyone, provided <systemitem>localhost.localdomain</systemitem>
268 is defined
269 <phrase revision='sysv'>
270 in <filename>/etc/hosts</filename>, as done in
271 <ulink url="&lfs-root;/chapter09/network.html#ch-config-hosts">
272 the LFS book</ulink>.
273 </phrase>
274 <phrase revision='systemd'>
275 by the <systemitem class='library'>myhostname</systemitem>
276 Name Service Switch module, as specified in
277 <ulink url="&lfs-root;/chapter08/glibc.html#conf-glibc">
278 the LFS book</ulink>.
279 </phrase>
280 </para>
281 </listitem>
282 <listitem>
283 <para>
284 The tests take a long time to run. If desired there is
285 information in the all.sh script about running subsets of the
286 total test suite.
287 </para>
288 </listitem>
289 <listitem>
290 <para>
291 If the tests are interrupted, the test suite
292 fails to shut down the test servers it started. This can lead to an
293 infinite loop in which the test suite tries to kill a server
294 that no longer exists because it reads the wrong PID.
295 </para>
296 </listitem>
297 <listitem>
298 <para>
299 Test suite results (in HTML format!) can be found at
300 ../../test_results/security/localhost.1/results.html
301 </para>
302 </listitem>
303 <listitem>
304 <para>
305 A few tests might fail on some Intel machines for unknown reasons.
306 </para>
307 </listitem>
308 </itemizedlist>
309 </note>
310
311 <para>
312 Now, as the <systemitem class="username">root</systemitem> user:
313 </para>
314
315<screen role="root"><userinput>cd ../dist &amp;&amp;
316
317install -v -m755 Linux*/lib/*.so /usr/lib &amp;&amp;
318install -v -m644 Linux*/lib/{*.chk,libcrmf.a} /usr/lib &amp;&amp;
319
320install -v -m755 -d /usr/include/nss &amp;&amp;
321cp -v -RL {public,private}/nss/* /usr/include/nss &amp;&amp;
322
323install -v -m755 Linux*/bin/{certutil,nss-config,pk12util} /usr/bin &amp;&amp;
324
325install -v -m644 Linux*/lib/pkgconfig/nss.pc /usr/lib/pkgconfig</userinput></screen>
326
327 </sect2>
328
329 <sect2 role="commands">
330 <title>Command Explanations</title>
331
332 <para>
333 <parameter>BUILD_OPT=1</parameter>: This option is passed to
334 <command>make</command> so that the build is performed with no debugging
335 symbols built into the binaries and the default compiler optimizations are
336 used.
337 </para>
338
339 <para>
340 <parameter>NSPR_INCLUDE_DIR=/usr/include/nspr</parameter>: This option
341 sets the location of the nspr headers.
342 </para>
343
344 <para>
345 <parameter>USE_SYSTEM_ZLIB=1</parameter>: This option is passed to
346 <command>make</command> to ensure that the
347 <filename class="libraryfile">libssl3.so</filename> library is linked to
348 the system installed <application>zlib</application> instead of the
349 in-tree version.
350 </para>
351
352 <para>
353 <parameter>ZLIB_LIBS=-lz</parameter>: This option provides the
354 linker flags needed to link to the system <application>zlib</application>.
355 </para>
356
357 <para>
358 <command>$([ $(uname -m) = x86_64 ] &amp;&amp; echo USE_64=1)</command>:
359 The <parameter>USE_64=1</parameter> option is <emphasis>required on
360 x86_64</emphasis>, otherwise <command>make</command> will try (and fail)
361 to create 32-bit objects. The [ $(uname -m) = x86_64 ] test ensures it
362 has no effect on a 32-bit system.
363 </para>
364
365 <para>
366 <command>([ -f /usr/include/sqlite3.h ] &amp;&amp; echo
367 NSS_USE_SYSTEM_SQLITE=1)</command>: This tests if
368 <application>sqlite</application> is installed and if so it
369 <command>echo</command>s the option NSS_USE_SYSTEM_SQLITE=1 to
370 <command>make</command> so that
371 <filename class="libraryfile">libsoftokn3.so</filename> will link against
372 the system version of sqlite.
373 </para>
374
375 <para>
376 <option>NSS_DISABLE_GTESTS=1</option>: If you don't need to run the
377 NSS test suite, append this option to the <command>make</command> command
378 to prevent the compilation of tests and save some build time.
379 </para>
380
381 </sect2>
382
383 <sect2 role="configuration">
384 <title>Configuring NSS</title>
385
386 <para>
387 If <xref linkend="p11-kit"/> is installed, the
388 <application>p11-kit</application> trust module
389 (<filename>/usr/lib/pkcs11/p11-kit-trust.so</filename>) can be used as a
390 drop-in replacement for <filename>/usr/lib/libnssckbi.so</filename> to
391 transparently make the system CAs available to
392 <application>NSS</application>-aware applications, instead of the static
393 list of CAs built into the <filename>/usr/lib/libnssckbi.so</filename>
394 provided by <application>NSS</application> itself. As the
395 <systemitem class="username">root</systemitem> user, execute the following
396 command:
396 </para>
397
398<screen role="root"><userinput>ln -sfv ./pkcs11/p11-kit-trust.so /usr/lib/libnssckbi.so</userinput></screen>
399
400 <para>
401 Additionally, for dependent applications that do not use the internal
402 database (<filename>/usr/lib/libnssckbi.so</filename>), the
403 <filename>/usr/sbin/make-ca</filename> script included on the
404 <xref linkend="make-ca"/> page can generate a system-wide NSS DB with the
405 <parameter>-n</parameter> switch, or by modifying the
406 <filename>/etc/make-ca/make-ca.conf</filename> file.
407 </para>
408
409 </sect2>
410
411 <sect2 role="content">
412 <title>Contents</title>
413
414 <segmentedlist>
415 <segtitle>Installed Programs</segtitle>
416 <segtitle>Installed Libraries</segtitle>
417 <segtitle>Installed Directories</segtitle>
418
419 <seglistitem>
420 <seg>
421 certutil, nss-config, and pk12util
422 </seg>
423 <seg>
424 libcrmf.a, libfreebl3.so, libfreeblpriv3.so,
425 libnss3.so, libnssckbi.so, libnssckbi-testlib.so,
426 libnssdbm3.so, libnsssysinit.so, libnssutil3.so,
427 libpkcs11testmodule.so, libsmime3.so, libsoftokn3.so,
428 and libssl3.so
429 </seg>
430 <seg>
431 /usr/include/nss
432 </seg>
433 </seglistitem>
434 </segmentedlist>
435
436 <variablelist>
437 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
438 <?dbfo list-presentation="list"?>
439 <?dbhtml list-presentation="table"?>
440
441 <varlistentry id="certutil">
442 <term><command>certutil</command></term>
443 <listitem>
444 <para>
445 is the Mozilla Certificate Database Tool. It is a command-line
446 utility that can create and modify the Netscape Communicator
447 cert8.db and key3.db database files. It can also list, generate,
448 modify, or delete certificates within the cert8.db file and create
449 or change the password, generate new public and private key pairs,
450 display the contents of the key database, or delete key pairs within
451 the key3.db file
452 </para>
453 <indexterm zone="nss certutil">
454 <primary sortas="b-certutil">certutil</primary>
455 </indexterm>
456 </listitem>
457 </varlistentry>
458
459 <varlistentry id="nss-config">
460 <term><command>nss-config</command></term>
461 <listitem>
462 <para>
463 is used to determine the NSS library settings of the installed NSS
464 libraries
465 </para>
466 <indexterm zone="nss nss-config">
467 <primary sortas="b-nss-config">nss-config</primary>
468 </indexterm>
469 </listitem>
470 </varlistentry>
471
472 <varlistentry id="pk12util">
473 <term><command>pk12util</command></term>
474 <listitem>
475 <para>
476 is a tool for importing certificates and keys from PKCS #12 files
477 into NSS or exporting them. It can also list certificates and keys
478 in such files
479 </para>
480 <indexterm zone="nss pk12util">
481 <primary sortas="b-pk12util">pk12util</primary>
482 </indexterm>
483 </listitem>
484 </varlistentry>
485
486 </variablelist>
487
488 </sect2>
489
490</sect1>