Status changed to 'Confirmed' because the bug affects multiple users.
** Changed in: nss (Ubuntu)
Status: New => Confirmed
--
You received this bug notification because you are a member of Ubuntu
Touch seeded packages, which is subscribed to nss in Ubuntu.
https://bugs.launchpad.net/bugs/2016303
Title:
Rebuild NSS with support for system-wide config file
Status in nss package in Ubuntu:
Confirmed
Bug description:
NSS should be rebuilt with this patch:
diff --git a/debian/libnss3.dirs b/debian/libnss3.dirs
new file mode 100644
index 00000000..0f796964
--- /dev/null
+++ b/debian/libnss3.dirs
@@ -0,0 +1 @@
+etc/nss
diff --git a/debian/rules b/debian/rules
index 5ab1ced0..51bee160 100755
--- a/debian/rules
+++ b/debian/rules
@@ -128,6 +128,8 @@ override_dh_auto_build:
NSS_USE_SYSTEM_SQLITE=1 \
NSS_ENABLE_ECC=1 \
CHECKLOC= \
+ POLICY_FILE=pkcs11.txt \
+ POLICY_PATH=/etc/nss \
$(TOOLCHAIN)
override_dh_auto_clean:
The directory could be another one, of course. This will allow us to
create a system-wide /etc/nss/pkcs11.txt file which could load the NSS
policy module.
The upstream documentation is quite poor and outdated, unfortunately:
https://firefox-source-docs.mozilla.org/security/nss/legacy/nss_config_options/
https://firefox-source-docs.mozilla.org/security/nss/legacy/pkcs11/module_specs/index.html
The current source code is the best documentation, and has a ton of
tests that show how to use the policy module:
- allow/disallow options:
https://git.launchpad.net/ubuntu/+source/nss/tree/nss/lib/pk11wrap/pk11pars.c#n144
- versions and key sizes:
https://git.launchpad.net/ubuntu/+source/nss/tree/nss/lib/pk11wrap/pk11pars.c#n437
- other qualifiers for algorithms (which types of signatures):
https://git.launchpad.net/ubuntu/+source/nss/tree/nss/lib/pk11wrap/pk11pars.c#n451
- tons of policy tests:
https://git.launchpad.net/ubuntu/+source/nss/tree/nss/tests/ssl/sslpolicy.txt
and https://git.launchpad.net/ubuntu/+source/nss/tree/nss/tests/policy
Here is a sample /etc/nss/pkcs11.txt which enables the policy module with
certain values:
library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="disallow=ALL
allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
The same config snippet can of course be used in ~/.pki/nssdb/pkcs11.txt or
in any of the other many places we have a pkcs11.txt file on the system (hence
the need for this build option: to have just one place):
- firefox: ~/snap/firefox/common/.mozilla/firefox/pqx65eu1.default/pkcs11.txt
- thunderbid: ~/.thunderbird/6mxs87xg.default-release/pkcs11.txt
- chrome and system-provided libnss3: ~/.pki/nssdb/pkcs11.txt
Note thunderbird ships its own libnss3 (zomg), and would not be
affected by this build change (unless it's done in the thunderbird
source package too).
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/nss/+bug/2016303/+subscriptions
--
Mailing list: https://launchpad.net/~touch-packages
Post to : [email protected]
Unsubscribe : https://launchpad.net/~touch-packages
More help : https://help.launchpad.net/ListHelp
