2023-04-14 14:20:27 | Andreas Hasenack | description
NSS should be rebuilt with this patch:
diff --git a/debian/libnss3.dirs b/debian/libnss3.dirs
new file mode 100644
index 00000000..0f796964
--- /dev/null
+++ b/debian/libnss3.dirs
@@ -0,0 +1 @@
+etc/nss
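Review bot: libnss3.dirs only creates an empty /etc/nss, so an administrator has nothing to discover at the new path; since the description says the point is a system-wide /etc/nss/pkcs11.txt that loads the Policy module, consider also shipping a commented-out /etc/nss/pkcs11.txt as a conffile (or at least a README.Debian/NEWS entry) that documents the library=/name=Policy/NSS=flags=policyOnly,moduleDB/config= entry, so the file is not an undocumented hook.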
diff --git a/debian/rules b/debian/rules
index 5ab1ced0..51bee160 100755
--- a/debian/rules
+++ b/debian/rules
@@ -128,6 +128,8 @@ override_dh_auto_build:
NSS_USE_SYSTEM_SQLITE=1 \
NSS_ENABLE_ECC=1 \
CHECKLOC= \
+ POLICY_FILE=pkcs11.txt \
+ POLICY_PATH=/etc/nss \
$(TOOLCHAIN)
override_dh_auto_clean:
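Review bot: /etc/nss is now spelled in two places (POLICY_PATH here and the new debian/libnss3.dirs); since the text explicitly says "the directory could be another one", define it once in debian/rules (e.g. a NSS_POLICY_DIR variable used for POLICY_PATH and for creating the directory) so the two cannot drift. A short comment above POLICY_FILE/POLICY_PATH explaining that this makes libnss3 read $POLICY_PATH/$POLICY_FILE in addition to the per-profile pkcs11.txt files would also help the next person reading the rules file.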
The directory could be another one, of course. This will allow us to create a system-wide /etc/nss/pkcs11.txt file which could load the NSS policy module.
The upstream documentation is quite poor and outdated, unfortunately:
https://firefox-source-docs.mozilla.org/security/nss/legacy/nss_config_options/
https://firefox-source-docs.mozilla.org/security/nss/legacy/pkcs11/module_specs/index.html
The current source code is the best documentation, and has a ton of tests that show how to use the policy module:
- allow/disallow options: https://git.launchpad.net/ubuntu/+source/nss/tree/nss/lib/pk11wrap/pk11pars.c#n144
- versions and key sizes: https://git.launchpad.net/ubuntu/+source/nss/tree/nss/lib/pk11wrap/pk11pars.c#n437
- other qualifiers for algorithms (which types of signatures): https://git.launchpad.net/ubuntu/+source/nss/tree/nss/lib/pk11wrap/pk11pars.c#n451
- tons of policy tests: https://git.launchpad.net/ubuntu/+source/nss/tree/nss/tests/ssl/sslpolicy.txt and https://git.launchpad.net/ubuntu/+source/nss/tree/nss/tests/policy
Here is a sample /etc/nss/pkcs11.txt which enables the policy module with certain values:
library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
The same config snippet can of course be used in ~/.pki/nssdb/pkcs11.txt or in any of the other many places we have a pkcs11.txt file on the system (hence the need for this patch):
- firefox: ~/snap/firefox/common/.mozilla/firefox/pqx65eu1.default/pkcs11.txt
- thunderbird: ~/.thunderbird/6mxs87xg.default-release/pkcs11.txt
- chrome and system-provided libnss3: ~/.pki/nssdb/pkcs11.txt
Note thunderbird ships its own libnss3 (zomg), and would not be affected by this build change (unless it's done in the thunderbird source package too).
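As an added example (not part of the bug report and not NSS's own parser), a small Python checker that pulls the config string out of a Policy entry like the sample above, applies the allow=/disallow= directives in order, and reports what the resulting policy permits. The parsing rules (space-separated directives, ':'-separated items, case-insensitive names, ALL as a reset, key=value items as constraints) are assumptions drawn from the sample, so verify them against pk11pars.c before relying on the tool.

```python
import re

# Constructed sample: the Policy entry from the report's /etc/nss/pkcs11.txt.
SAMPLE_PKCS11_TXT = """\
library=
name=Policy
NSS=flags=policyOnly,moduleDB
config="disallow=ALL allow=HMAC-SHA256:HMAC-SHA1:HMAC-SHA384:HMAC-SHA512:CURVE25519:SECP256R1:SECP384R1:SECP521R1:aes256-gcm:chacha20-poly1305:aes256-cbc:aes128-gcm:aes128-cbc:SHA256:SHA384:SHA512:SHA224:ECDHE-RSA:ECDHE-ECDSA:RSA:DHE-RSA:ECDSA:RSA-PSS:RSA-PKCS:tls-version-min=tls1.2:dtls-version-min=dtls1.2:DH-MIN=2048:DSA-MIN=2048:RSA-MIN=2048"
"""

def extract_config(pkcs11_txt):
    """Return the value of the config="..." line, or None if absent."""
    m = re.search(r'^config="([^"]*)"', pkcs11_txt, re.MULTILINE)
    return m.group(1) if m else None

def parse_policy(config):
    """Apply allow=/disallow= directives left to right (assumed NSS order).
    ALL resets the default and drops per-name overrides; key=value items
    (tls-version-min, RSA-MIN, ...) are stored as constraints."""
    policy = {"default": True, "override": {}, "constraints": {}}
    for directive in config.split():
        verb, _, items = directive.partition("=")
        verdict = {"allow": True, "disallow": False}.get(verb.lower())
        if verdict is None:
            raise ValueError("unknown directive: " + directive)
        for item in filter(None, items.split(":")):
            if item.upper() == "ALL":
                policy["default"] = verdict
                policy["override"].clear()
            elif "=" in item:
                key, _, value = item.partition("=")
                policy["constraints"][key.lower()] = value.lower()
            else:
                policy["override"][item.lower()] = verdict
    return policy

def is_allowed(policy, name):
    """Case-insensitive lookup: explicit override, else the current default."""
    return policy["override"].get(name.lower(), policy["default"])

def weak_findings(policy):
    """List settings a reviewer of this policy would want to revisit."""
    findings = []
    for legacy in ("md5", "sha1", "hmac-sha1"):
        if is_allowed(policy, legacy):
            findings.append("legacy algorithm allowed: " + legacy)
    c = policy["constraints"]
    vmin = c.get("tls-version-min")
    if vmin is None or vmin < "tls1.2":  # lexical order works for tls1.x
        findings.append("tls-version-min not pinned to tls1.2 or higher")
    for key in ("rsa-min", "dh-min", "dsa-min"):
        if c.get(key) is None or int(c[key]) < 2048:
            findings.append(key + " not set or below 2048")
    return findings
```

Run against the sample, the only finding is that HMAC-SHA1 stays enabled while SHA1 itself is disallowed, which is the kind of inconsistency worth catching before the file goes system-wide.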