Public bug reported:

NSS should be rebuilt with this patch:

diff --git a/debian/libnss3.dirs b/debian/libnss3.dirs
new file mode 100644
index 00000000..0f796964
--- /dev/null
+++ b/debian/libnss3.dirs
@@ -0,0 +1 @@
+etc/nss
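Review bot: this dirs entry only creates an empty /etc/nss; nothing ships a default pkcs11.txt there, so an administrator gets no template and any file they create by hand is not a conffile tracked by dpkg. Consider shipping a commented-out /etc/nss/pkcs11.txt (the sample Policy entry from the description, disabled) so the format is documented on the system and the file survives upgrades, and keep this path identical to POLICY_PATH in debian/rules.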
diff --git a/debian/rules b/debian/rules
index 5ab1ced0..51bee160 100755
--- a/debian/rules
+++ b/debian/rules
@@ -128,6 +128,8 @@ override_dh_auto_build:
                NSS_USE_SYSTEM_SQLITE=1 \
                NSS_ENABLE_ECC=1 \
                CHECKLOC= \
+               POLICY_FILE=pkcs11.txt \
+               POLICY_PATH=/etc/nss \
                $(TOOLCHAIN)

 override_dh_auto_clean:
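Review bot: POLICY_PATH=/etc/nss repeats the directory spelled out in debian/libnss3.dirs with nothing keeping the two in sync; define it once (a make variable in debian/rules from which the dirs entry is derived, or at least a comment in each file pointing at the other). The description itself says the directory "could be another one", so whichever path is settled on belongs in debian/changelog, together with a note that a Policy entry with flags=policyOnly at POLICY_PATH/POLICY_FILE changes the algorithm policy for every program using the system libnss3 (the description names chrome; Thunderbird only if its bundled copy is rebuilt the same way).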

The directory could be another one, of course. This will allow us to
create a system-wide /etc/nss/pkcs11.txt file which could load the NSS
policy module.

The upstream documentation is quite poor and outdated, unfortunately:
https://firefox-source-docs.mozilla.org/security/nss/legacy/nss_config_options/
https://firefox-source-docs.mozilla.org/security/nss/legacy/pkcs11/module_specs/index.html

The current source code is the best documentation, and has a ton of
tests that show how to use the policy module:

- allow/disallow options: https://git.launchpad.net/ubuntu/+source/nss/tree/nss/lib/pk11wrap/pk11pars.c#n144
- versions and key sizes: https://git.launchpad.net/ubuntu/+source/nss/tree/nss/lib/pk11wrap/pk11pars.c#n437
- other qualifiers for algorithms (which types of signatures): https://git.launchpad.net/ubuntu/+source/nss/tree/nss/lib/pk11wrap/pk11pars.c#n451
- tons of policy tests: https://git.launchpad.net/ubuntu/+source/nss/tree/nss/tests/ssl/sslpolicy.txt and https://git.launchpad.net/ubuntu/+source/nss/tree/nss/tests/policy

Here is a sample /etc/nss/pkcs11.txt which enables the policy module with certain values:
library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"

The same config snippet can of course be used in ~/.pki/nssdb/pkcs11.txt or in any of the other many places we have a pkcs11.txt file on the system (hence the need for this build option: to have just one place):
- firefox: ~/snap/firefox/common/.mozilla/firefox/pqx65eu1.default/pkcs11.txt
- thunderbird: ~/.thunderbird/6mxs87xg.default-release/pkcs11.txt
- chrome and system-provided libnss3: ~/.pki/nssdb/pkcs11.txt

Note thunderbird ships its own libnss3 (zomg), and would not be affected
by this build change (unless it's done in the thunderbird source package
too).
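An added example, not part of the bug report and not NSS code, that reads a pkcs11.txt in the shape of the sample above, extracts the Policy module's config= value and reduces its allow=/disallow= lists to something an administrator can query before dropping the file into /etc/nss. It assumes names are compared case-insensitively and that the lists apply in the order written (so disallow=ALL followed by allow=... is an allow-list), and uses a constructed, shortened sample rather than the full one from the report.

```python
"""Query the effective NSS algorithm policy from a pkcs11.txt Policy entry.
Assumptions (not checked against pk11pars.c here): names are compared
case-insensitively and allow/disallow lists apply in the order written."""
import re

# Constructed sample shaped like the bug report's /etc/nss/pkcs11.txt
SAMPLE_PKCS11_TXT = '''library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="disallow=ALL allow=HMAC-SHA256:SECP256R1:aes256-gcm:SHA256:tls-version-min=tls1.2:RSA-MIN=2048"
'''

def policy_config(pkcs11_txt):
    """Return the unquoted config= value of the module named Policy, or None.
    Module entries are key=value lines separated by a blank line."""
    for block in re.split(r"\n\s*\n", pkcs11_txt.strip()):
        fields = dict(line.split("=", 1) for line in block.splitlines() if "=" in line)
        if fields.get("name") == "Policy":
            return fields.get("config", "").strip('"')
    return None

def parse_policy(config):
    """Reduce allow=/disallow= lists to a default verdict, per-name overrides
    and the configured minimums (tls-version-min, RSA-MIN, ...)."""
    default, explicit, mins = True, {}, {}
    for directive, items in re.findall(r"(allow|disallow)=(\S+)", config):
        verdict = directive == "allow"
        for item in items.split(":"):
            name, _, value = item.partition("=")   # e.g. RSA-MIN=2048
            name = name.lower()
            if value:                              # a minimum, not a name
                mins[name] = value
            elif name == "all":                    # ALL resets everything before it
                default, explicit = verdict, {}
            else:
                explicit[name] = verdict
    return {"default": default, "explicit": explicit, "mins": mins}

def is_allowed(policy, name):
    """Is an algorithm, curve or cipher name usable under this policy?"""
    return policy["explicit"].get(name.lower(), policy["default"])

def _ordinal(value):
    """'2048' -> (2048,), 'tls1.2' -> (1, 2): comparable minimum values."""
    return tuple(int(x) for x in re.findall(r"\d+", value))

def meets_minimum(policy, key, value):
    """True if value satisfies the configured minimum for key (none set: True)."""
    configured = policy["mins"].get(key.lower())
    return configured is None or _ordinal(value) >= _ordinal(configured)
```

Running it over the full sample from the report instead of the shortened one answers questions such as whether SHA1 signatures or a 1024-bit RSA key would be accepted once the file is in place.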

** Affects: nss (Ubuntu)
     Importance: Undecided
         Status: New


-- 
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to nss in Ubuntu.
https://bugs.launchpad.net/bugs/2016303

Title:
  Rebuild NSS with support for system-wide config file

Status in nss package in Ubuntu:
  New

