Ubuntu
nss package

Rebuild NSS with support for system-wide config file

Bug #2016303 reported by Andreas Hasenack
8
This bug affects 1 person
Affects Status Importance Assigned to Milestone
nss (Ubuntu)
New
Undecided
Unassigned

Bug Description

NSS should be rebuilt with this patch:

diff --git a/debian/libnss3.dirs b/debian/libnss3.dirs
new file mode 100644
index 00000000..0f796964
--- /dev/null
+++ b/debian/libnss3.dirs
@@ -0,0 +1 @@
+etc/nss
diff --git a/debian/rules b/debian/rules
index 5ab1ced0..51bee160 100755
--- a/debian/rules
+++ b/debian/rules
@@ -128,6 +128,8 @@ override_dh_auto_build:
                NSS_USE_SYSTEM_SQLITE=1 \
                NSS_ENABLE_ECC=1 \
                CHECKLOC= \
+ POLICY_FILE=pkcs11.txt \
+ POLICY_PATH=/etc/nss \
                $(TOOLCHAIN)

 override_dh_auto_clean:

The directory could be another one, of course. This will allow us to create a system-wide /etc/nss/pkcs11.txt file which could load the NSS policy module.

The upstream documentation is quite poor and outdated, unfortunately:
https://firefox-source-docs.mozilla.org/security/nss/legacy/nss_config_options/
https://firefox-source-docs.mozilla.org/security/nss/legacy/pkcs11/module_specs/index.html

The current source code is the best documentation, and has a ton of tests that show how to use the policy module:

- allow/disallow options: https://git.launchpad.net/ubuntu/+source/nss/tree/nss/lib/pk11wrap/pk11pars.c#n144
- versions and key sizes: https://git.launchpad.net/ubuntu/+source/nss/tree/nss/lib/pk11wrap/pk11pars.c#n437
- other qualifiers for algorithms (which types of signatures): https://git.launchpad.net/ubuntu/+source/nss/tree/nss/lib/pk11wrap/pk11pars.c#n451
- tons of policy tests: https://git.launchpad.net/ubuntu/+source/nss/tree/nss/tests/ssl/sslpolicy.txt and https://git.launchpad.net/ubuntu/+source/nss/tree/nss/tests/policy

Here is a sample /etc/nss/pkcs11.txt which enables the policy module with certain values:
library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"

The same config snippet can of course be used in ~/.pki/nssdb/pkcs11.txt or in any of the other many places we have a pkcs11.txt file on the system (hence the need for this build option: to have just one place):
- firefox: ~/snap/firefox/common/.mozilla/firefox/pqx65eu1.default/pkcs11.txt
- thunderbid: ~/.thunderbird/6mxs87xg.default-release/pkcs11.txt
- chrome and system-provided libnss3: ~/.pki/nssdb/pkcs11.txt

Note thunderbird ships its own libnss3 (zomg), and would not be affected by this build change (unless it's done in the thunderbird source package too).

See original description
Andreas Hasenack (ahasenack)
description: updated
To post a comment you must log in.
This report contains Public information  
Everyone can see this information.
Subscribing...

Other bug subscribers

Remote bug watches

Bug watches keep track of this bug in other bug trackers.