Ken Moffat wrote:
> On Wed, Nov 09, 2016 at 12:27:41PM -0600, DJ Lucas wrote:
>> There seems to be some confusion about what we currently have.
>> Unfortunately, what we have now (and had previously) has no effect on
>> FF/SM/TB/Chromium (or anything else using NSS instead of OpenSSL). They
>> all use the built-ins in NSS's libnssckbi.so and their own local copy of
>> additional certificates unless told to use something else (ie: the
>> proposed shared nssdb in /etc/pki/nssdb). Which reminds me, the script I
>> posted yesterday is not a complete solution.

> I'm certainly in the confused camp - I had no idea the in-use certs
> were hardcoded into a library. So, no objections, and I don't want
> to distract you from your proposed working solution, but -

>> Okay, so how to make it work. I tested by making my own CA and importing the
>> root cert. Here are the necessary changes in addition to the HOWTO links.
>> dj [ ~/LFS/BLFS/trunk/BOOK-no-lib64 ]$ cat /etc/pki/nssdb/pkcs11.txt
>> library=libnsssysinit.so
>> name=NSS Internal PKCS #11 Module
>> parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix=''
>> secmod='secmod.db' flags= updatedir='' updateCertPrefix=''
>> updateKeyPrefix='' updateid='' updateTokenDescription=''
>> NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100
>> slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]
>> askpw=any timeout=30})
>> Changes are (noted by asterisks) library=*libnsssysinit.so*,
>> configdir='sql:*/etc/pki/nssdb*' and Flags=internal,*moduleDBOnly,*critical

> I don't have /etc/pki/nssdb/pkcs11.txt.

>> dj [ ~/LFS/BLFS/trunk/BOOK-no-lib64 ]$ cat ~/.pki/nssdb/pkcs11.txt

> But I do have the equivalent ~/.pki/nssdb/pkcs11.txt on my desktop
> systems.
> Where did your /etc/ version come from?

I have no /etc/pki or ~/.pki directories, but I do have /etc/pkcs11/ with
only pkcs11.conf.example.
I do have libnssckbi.so but I don't see where FF loads it. I also looked
at the nss source. Can you point out where the certs are in that tarball?
-- Bruce
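
Added example (not part of the thread, and not code from NSS or BLFS): a Python check that a pkcs11.txt stanza carries the three changes DJ lists, tolerating the line wrapping seen in the mail. The top-level key names in TOP_KEYS and all function names are assumptions of this example.

```python
import re

TOP_KEYS = ("library", "name", "parameters", "NSS")  # assumed top-level keys

# Constructed sample: the stanza quoted in the thread, mail line-wrapping kept.
SAMPLE = """\
library=libnsssysinit.so
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix=''
secmod='secmod.db' flags= updatedir='' updateCertPrefix=''
updateKeyPrefix='' updateid='' updateTokenDescription=''
NSS=Flags=internal,moduleDBOnly,critical trustOrder=75 cipherOrder=100
slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512]
askpw=any timeout=30})
"""

def parse_stanza(text):
    """Return {top-level key: value}, re-joining wrapped continuation lines."""
    fields, current = {}, None
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in TOP_KEYS:
            current, fields[key] = key, value
        elif current and line.strip():
            fields[current] += " " + line.strip()
    return fields

def sub_params(value):
    """Split "k='v' k2=v2 k3=(...)" into a dict, dropping the quotes."""
    pairs = re.finditer(r"(\w+)=('[^']*'|\([^)]*\)|\S*)", value)
    return {m.group(1): m.group(2).strip("'") for m in pairs}

def check_shared_db(text, db="sql:/etc/pki/nssdb"):
    """List which of the three settings named in the thread are missing."""
    f = parse_stanza(text)
    params = sub_params(f.get("parameters", ""))
    flags = sub_params(f.get("NSS", "")).get("Flags", "").split(",")
    problems = []
    if f.get("library") != "libnsssysinit.so":
        problems.append("library is not libnsssysinit.so")
    if params.get("configdir") != db:
        problems.append("configdir is not " + db)
    if "moduleDBOnly" not in flags:
        problems.append("Flags lacks moduleDBOnly")
    return problems

if __name__ == "__main__":
    print(check_shared_db(SAMPLE) or "all three settings present")
```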
--
http://lists.linuxfromscratch.org/listinfo/blfs-dev