On November 9, 2016 3:52:49 PM CST, Ken Moffat <[email protected]> wrote:
>On Wed, Nov 09, 2016 at 12:27:41PM -0600, DJ Lucas wrote:
>> >
>> > There seems to be some confusion about what we currently have.
>> > Unfortunately, what we have now (and had previously) has no effect on
>> > FF/SM/TB/Chromium (or anything else using NSS instead of OpenSSL). They
>> > all use the built-ins in NSS's libnssckbi.so and their own local copy of
>> > additional certificates unless told to use something else (ie: the
>> > proposed shared nssdb in /etc/pki/nssdb). Which reminds me, the script I
>> > posted yesterday is not a complete solution.
>> >
>I'm certainly in the confused camp - I had no idea the in-use certs
>were hardcoded into a library. So, no objections, and I don't want
>to distract you from your proposed working solution, but -
>>
>> Okay, so how to make it work. I tested by making my own CA and importing the
>> root cert. Here are necessary changes in addition to the HOWTO links.
>>
>> dj [ ~/LFS/BLFS/trunk/BOOK-no-lib64 ]$ cat /etc/pki/nssdb/pkcs11.txt
>> library=libnsssysinit.so
>> name=NSS Internal PKCS #11 Module
>> parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix=''
>> secmod='secmod.db' flags= updatedir='' updateCertPrefix=''
>> updateKeyPrefix='' updateid='' updateTokenDescription=''
>> NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100
>> slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]
>> askpw=any timeout=30})
>>
>> Changes are (noted by asterisks) library=*libnsssysinit.so*,
>> configdir=`sql:*/etc/pki/nssdb*' and Flags=internal,*moduleDBOnly,*critical
>>
>
>I don't have /etc/pki/nssdb/pkcs11.txt.
>>
>> dj [ ~/LFS/BLFS/trunk/BOOK-no-lib64 ]$ cat ~/.pki/nssdb/pkcs11.txt
>
>But I do have the equivalent ~/.pki/nssdb/pkcs11.txt on my desktop
>systems.
>
>Where did your /etc/ version come from ?

The script that I posted the other day.

>
>ĸen
>--
>`I shall take my mountains', said Lu-Tze. `The climate will be good
>for them.' -- Small Gods
>--
>http://lists.linuxfromscratch.org/listinfo/blfs-dev
>FAQ: http://www.linuxfromscratch.org/blfs/faq.html
>Unsubscribe: See the above information page

--
Sent from my Android device with K-9 Mail. Please excuse my brevity.
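
A check for the three changes listed in the quoted message (`library`, `configdir`, and the `moduleDBOnly` flag), added here as an illustration; it is not part of the original thread or of the script the message refers to. The function names, the shortened `slotFlags` list in the sample, and the simplified module-spec parsing (no backslash escapes) are assumptions.

```python
import re

# Constructed sample mirroring the /etc/pki/nssdb/pkcs11.txt quoted above (slotFlags shortened).
SAMPLE = """\
library=libnsssysinit.so
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix='' secmod='secmod.db' flags=
NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 slotParams=(1={slotFlags=[RSA,DSA] askpw=any timeout=30})
"""
CLOSERS = {"'": "'", '"': '"', "(": ")", "[": "]", "{": "}"}

def split_params(value):
    """Split 'k=v k2=v2' into a dict, honouring quotes and nested brackets."""
    out, i, n = {}, 0, len(value)
    while i < n:
        eq = value.find("=", i)
        if eq == -1:
            break
        j, stack = eq + 1, []
        # A value ends at the first whitespace that is outside quotes/brackets.
        while j < n and (stack or not value[j].isspace()):
            c = value[j]
            if stack and c == stack[-1]:
                stack.pop()
            elif c in CLOSERS and not (stack and stack[-1] in "'\""):
                stack.append(CLOSERS[c])
            j += 1
        out[value[i:eq].strip()] = value[eq + 1:j].strip("'\"")
        i = j
    return out

def parse_modules(text):
    """One dict per module stanza; stanzas are separated by blank lines."""
    mods = []
    for stanza in re.split(r"\n\s*\n", text.strip()):
        pairs = (l.split("=", 1) for l in stanza.splitlines() if "=" in l)
        mods.append({k.strip(): v.strip() for k, v in pairs})
    return mods

def audit(text, want_dir="sql:/etc/pki/nssdb"):
    """Names of the three settings from the message that are NOT in place."""
    failed = []
    for m in parse_modules(text):
        flags = split_params(m.get("NSS", "")).get("Flags", "").split(",")
        checks = {"library": m.get("library") == "libnsssysinit.so",
                  "configdir": split_params(m.get("parameters", "")).get("configdir") == want_dir,
                  "moduleDBOnly": "moduleDBOnly" in flags}
        if m.get("name", "").startswith("NSS Internal"):
            failed += [k for k, ok in checks.items() if not ok]
    return failed
```

Calling `audit()` on the contents of a system-wide `pkcs11.txt` returns an empty list when all three settings match the message, and the names of the missing ones otherwise.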
