[nss/private-disableSSL2OnFedora] Optionally disable SSL2 at build time

Elio Maldonado emaldonado at fedoraproject.org
Mon Jun 2 16:03:48 UTC 2014


commit d0f5af3a949a2f2a8cff328f8b464a5f68254467
Author: Elio Maldonado <emaldona at redhat.com>
Date:   Mon Jun 2 09:01:54 2014 -0700

    Optionally disable SSL2 at build time
    
    - disable ssl2 patches are for now essentially the same as the ones used in rhel-7
    - add a patch to cleanup the manpages

 disable-sslv2-libssl.patch      |   75 ++++
 disable-sslv2-tests.patch       |   56 +++
 manfixes.patch                  |  877 +++++++++++++++++++++++++++++++++++++++
 nss-versus-softoken-tests.patch |   18 +-
 nss.spec                        |   34 ++-
 5 files changed, 1048 insertions(+), 12 deletions(-)
---
diff --git a/disable-sslv2-libssl.patch b/disable-sslv2-libssl.patch
new file mode 100644
index 0000000..a9bc128
--- /dev/null
+++ b/disable-sslv2-libssl.patch
@@ -0,0 +1,75 @@
+diff -up ./nss/lib/ssl/config.mk.disableSSL2 ./nss/lib/ssl/config.mk
+--- ./nss/lib/ssl/config.mk.disableSSL2	2013-09-25 06:57:55.000000000 -0700
++++ ./nss/lib/ssl/config.mk	2013-11-05 16:09:47.459727948 -0800
+@@ -7,6 +7,10 @@ ifdef NISCC_TEST
+ DEFINES += -DNISCC_TEST
+ endif
+ 
++ifdef NSS_NO_SSL2
++DEFINES += -DNSS_NO_SSL2
++endif
++
+ ifdef NSS_NO_PKCS11_BYPASS
+ DEFINES += -DNO_PKCS11_BYPASS
+ else
+diff -up ./nss/lib/ssl/sslsock.c.disableSSL2 ./nss/lib/ssl/sslsock.c
+--- ./nss/lib/ssl/sslsock.c.disableSSL2	2013-11-05 16:09:47.419727310 -0800
++++ ./nss/lib/ssl/sslsock.c	2013-11-05 16:09:47.461727980 -0800
+@@ -639,6 +639,14 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+ 	break;
+ 
+       case SSL_ENABLE_SSL2:
++#ifdef NSS_NO_SSL2
++	if (on) {
++	    PORT_SetError(SSL_ERROR_SSL2_DISABLED);
++	    rv = SECFailure; /* not allowed */
++	}
++	break;
++	ss->opt.enableSSL2      = on;
++#else
+         if (IS_DTLS(ss)) {
+ 	    if (on) {
+ 		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+@@ -650,6 +658,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+ 	if (on) {
+ 	    ss->opt.v2CompatibleHello = on;
+ 	}
++#endif
+ 	ss->preferredCipher     = NULL;
+ 	if (ss->cipherSpecs) {
+ 	    PORT_Free(ss->cipherSpecs);
+@@ -671,6 +680,13 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+ 	break;
+ 
+       case SSL_V2_COMPATIBLE_HELLO:
++#ifdef NSS_NO_SSL2
++	if (on) {
++	    PORT_SetError(SSL_ERROR_SSL2_DISABLED);
++	    rv = SECFailure; /* not allowed */
++	    break;
++	}
++#else
+         if (IS_DTLS(ss)) {
+ 	    if (on) {
+ 		PORT_SetError(SEC_ERROR_INVALID_ARGS);
+@@ -678,6 +694,7 @@ SSL_OptionSet(PRFileDesc *fd, PRInt32 wh
+ 	    }
+ 	    break;
+ 	}
++#endif
+       	ss->opt.v2CompatibleHello = on;
+ 	if (!on) {
+ 	    ss->opt.enableSSL2    = on;
+@@ -1112,7 +1129,12 @@ SSL_CipherPolicySet(PRInt32 which, PRInt
+     if (ssl_IsRemovedCipherSuite(which)) {
+     	rv = SECSuccess;
+     } else if (SSL_IS_SSL2_CIPHER(which)) {
++#ifdef NSS_NO_SSL2
++	PORT_SetError(SSL_ERROR_SSL2_DISABLED);
++	rv = SECFailure; /* not allowed */
++#else
+ 	rv = ssl2_SetPolicy(which, policy);
++#endif
+     } else {
+ 	rv = ssl3_SetPolicy((ssl3CipherSuite)which, policy);
+     }
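Review bot: In the SSL_ENABLE_SSL2 case under NSS_NO_SSL2 the assignment `ss->opt.enableSSL2 = on;` placed after the unconditional `break;` is unreachable, and because that `break` sits outside `if (on)`, a call that turns SSL2 *off* (`on == PR_FALSE`) also skips the `ss->preferredCipher = NULL` / cipherSpecs reset that follows the `#endif`. The SSL_V2_COMPATIBLE_HELLO case in the same file already has the right shape, with the `break;` inside the `if (on)` block; this case should match it: `if (on) { PORT_SetError(SSL_ERROR_SSL2_DISABLED); rv = SECFailure; break; }` with the dead assignment removed, so disabling SSL2 stays a harmless no-op that still falls through to the common cleanup. The SSL_CipherPolicySet hunk is fine as written: an SSL2 suite is rejected rather than silently accepted, which is the behaviour callers should see when the build has no SSL2. SSL_OptionSet and SSL_CipherPolicySet both begin and end outside the inner hunks shown here.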
diff --git a/disable-sslv2-tests.patch b/disable-sslv2-tests.patch
new file mode 100644
index 0000000..f2b51d7
--- /dev/null
+++ b/disable-sslv2-tests.patch
@@ -0,0 +1,56 @@
+diff -up ./nss/tests/chains/chains.sh.disableSSL2 ./nss/tests/chains/chains.sh
+--- ./nss/tests/chains/chains.sh.disableSSL2	2014-05-31 08:05:08.487016999 -0700
++++ ./nss/tests/chains/chains.sh	2014-05-31 08:07:53.817239640 -0700
+@@ -40,7 +40,11 @@ is_httpserv_alive()
+   fi
+ 
+   echo "kill -0 ${PID} >/dev/null 2>/dev/null" 
++  if [ "${NSS_NO_SSL2}" = "1" ]; then
++  echo "skipping kill because NSS_NO_SSL=${NSS_NO_SSL2}"
++  else
+   kill -0 ${PID} >/dev/null 2>/dev/null || Exit 10 "Fatal - httpserv process not detectable"
++  fi
+ 
+   echo "httpserv with PID ${PID} found at `date`"
+ }
+@@ -59,7 +63,11 @@ wait_for_httpserv()
+       echo "tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v"
+       ${BINDIR}/tstclnt -p ${NSS_AIA_PORT} -h ${HOSTADDR} -q -v
+       if [ $? -ne 0 ]; then
+-          html_failed "Waiting for Server"
++          if [ "${NSS_NO_SSL2}" = "1" ]; then
++              html_passed "Waiting for Server is supposed to fail"
++          else
++              html_failed "Waiting for Server"
++          fi
+       fi
+   fi
+   is_httpserv_alive
+@@ -1180,7 +1188,11 @@ parse_config()
+             TESTNAME="Test that OCSP server is reachable"
+             check_ocsp ${VALUE}
+             if [ $? -ne 0 ]; then
++                if [ "${NSS_NO_SSL2}" = "1" ]; then
++                html_passed "$TESTNAME"
++                else
+                 html_failed "$TESTNAME"
++                fi
+                 break;
+             else
+                 html_passed "$TESTNAME"
+diff -up ./nss/tests/ssl/ssl.sh.disableSSL2 ./nss/tests/ssl/ssl.sh
+--- ./nss/tests/ssl/ssl.sh.disableSSL2	2014-05-01 20:27:18.000000000 -0700
++++ ./nss/tests/ssl/ssl.sh	2014-05-31 08:04:34.586582044 -0700
+@@ -278,6 +278,12 @@ ssl_cov()
+       echo "${testname}" | grep "SSL2" > /dev/null
+       SSL2=$?
+ 
++      #  skip export and ssl2 tests when build has disabled SSL2
++      if [ "${NSS_NO_SSL2}" = "1" ] && [ -n ${EXP} -o -n ${SSL2} ]; then
++          echo "SKIPPED"
++          continue
++      fi
++
+       if [ "${SSL2}" -eq 0 ] ; then
+           # We cannot use asynchronous cert verification with SSL2
+           SSL2_FLAGS=-O
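Review bot: The skip condition added to ssl_cov in ssl.sh, `[ -n ${EXP} -o -n ${SSL2} ]`, is always true: `SSL2` holds the exit status of the preceding `grep`, so it is "0" or "1" and never empty, and `EXP` presumably comes from the same pattern (its assignment is above the hunk), so with NSS_NO_SSL2=1 every ssl_cov test is skipped rather than only the export and SSL2 ones. The intent is "grep matched" (status 0), which also removes the unquoted expansions and the non-portable `-o`: `if [ "${NSS_NO_SSL2}" = "1" ] && { [ "${EXP}" -eq 0 ] || [ "${SSL2}" -eq 0 ]; }; then`. In chains.sh the echo in the first hunk prints `NSS_NO_SSL=` where the variable is NSS_NO_SSL2, and the two `html_passed` substitutions record an unreachable httpserv/OCSP server as a pass; reporting these as skipped (if the common harness offers such a result, which is not visible here) would keep a real server regression from being masked in NSS_NO_SSL2 builds. ssl_cov's body continues outside the hunk.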
diff --git a/manfixes.patch b/manfixes.patch
new file mode 100644
index 0000000..8fe4491
--- /dev/null
+++ b/manfixes.patch
@@ -0,0 +1,877 @@
+diff -up ./nss/doc/certutil.xml.cleanup ./nss/doc/certutil.xml
+--- ./nss/doc/certutil.xml.cleanup	2014-05-12 07:53:59.711219952 -0700
++++ ./nss/doc/certutil.xml	2014-05-12 07:53:59.763220129 -0700
+@@ -196,10 +196,10 @@ If this option is not used, the validity
+           <para><command>certutil</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). </para>
+           <para>NSS recognizes the following prefixes:</para>
+           <itemizedlist>
+-            <listitem><para><command>sql: requests the newer database</command></para></listitem>
+-	    <listitem><para><command>dbm: requests the legacy database</command></para></listitem>
++            <listitem><para><command>sql:</command> requests the newer database</para></listitem>
++	    <listitem><para><command>dbm:</command> requests the legacy database</para></listitem>
+           </itemizedlist>
+-          <para>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then dbm: is the default.</para>
++          <para>If no prefix is specified the default type is retrieved from NSS_DEFAULT_DB_TYPE. If NSS_DEFAULT_DB_TYPE is not set then <command>dbm:</command> is the default.</para>
+         </listitem>
+       </varlistentry>
+ 
+@@ -432,11 +432,11 @@ of the attribute codes: 
+ 
+       <varlistentry>
+         <term>-1 | --keyUsage keyword,keyword</term>
+-        <listitem><para>Set a Netscape Certificate Type Extension in the certificate. There are several available keywords:</para>
++        <listitem><para>Set an X.509 V3 Certificate Type Extension in the certificate. There are several available keywords:</para>
+ 	<itemizedlist>
+ 	<listitem>
+ 	<para>
+-		digital signature
++		digitalSignature
+ 	</para>
+ 	</listitem>
+ 	<listitem>
+@@ -498,7 +498,7 @@ of the attribute codes: 
+ 
+       <varlistentry>
+         <term>-5 | --nsCertType keyword,keyword</term>
+-        <listitem><para>Add a Netscape certificate type extension to a certificate that is being created or added to the database. There are several available keywords:</para>
++        <listitem><para>Add an X.509 V3 certificate type extension to a certificate that is being created or added to the database. There are several available keywords:</para>
+ 	<itemizedlist>
+ 	<listitem>
+ 	<para>
+diff -up ./nss/doc/cmsutil.xml.cleanup ./nss/doc/cmsutil.xml
+--- ./nss/doc/cmsutil.xml.cleanup	2013-11-09 09:23:30.000000000 -0800
++++ ./nss/doc/cmsutil.xml	2014-05-12 07:53:59.763220129 -0700
+@@ -62,16 +62,16 @@ The options and arguments for the cmsuti
+     </para>
+     <variablelist>
+       <varlistentry>
+-        <term>-D </term>
+-        <listitem><para>Decode a message.</para></listitem>
+-      </varlistentry>
+-
+-      <varlistentry>
+         <term>-C</term>
+         <listitem><para>Encrypt a message.</para></listitem>
+       </varlistentry>
+     
+       <varlistentry>
++        <term>-D </term>
++        <listitem><para>Decode a message.</para></listitem>
++      </varlistentry>
++
++      <varlistentry>
+         <term>-E </term>
+         <listitem><para>Envelope a message.</para></listitem>
+       </varlistentry>
+@@ -267,23 +267,11 @@ cmsutil -S [-i infile] [-o outfile] [-d 
+ 
+   </refsection>
+ 
+-  <refsection>
++  <refsection id="seealso">
+     <title>See also</title>
+     <para>certutil(1)</para>
+   </refsection>
+ 
+-
+-  <refsection id="seealso">
+-    <title>See Also</title>
+-    <para></para>
+-	<para>
+-	</para>
+-	<para>
+-	</para>
+-	<para>
+-	</para>
+-  </refsection>
+-
+ <!-- don't change -->
+   <refsection id="resources">
+     <title>Additional Resources</title>
+diff -up ./nss/doc/crlutil.xml.cleanup ./nss/doc/crlutil.xml
+--- ./nss/doc/crlutil.xml.cleanup	2013-11-09 09:23:30.000000000 -0800
++++ ./nss/doc/crlutil.xml	2014-05-12 08:14:08.126368273 -0700
+@@ -76,15 +76,6 @@ The options and arguments for the crluti
+ 
+   <variablelist>
+     <varlistentry>
+-      <term>-G </term>
+-        <listitem>
+-          <para>
+-Create new Certificate Revocation List(CRL).
+-          </para>
+-        </listitem>
+-      </varlistentry>
+-
+-    <varlistentry>
+       <term>-D </term>
+         <listitem>
+           <para>
+@@ -93,40 +84,38 @@ Delete Certificate Revocation List from 
+         </listitem>
+       </varlistentry>
+ 
+-
+     <varlistentry>
+-      <term>-I </term>
++      <term>-E </term>
+         <listitem>
+           <para>
+-Import a CRL to the cert database
++Erase all CRLs of specified type from the cert database
+           </para>
+         </listitem>
+       </varlistentry>
+ 
+     <varlistentry>
+-      <term>-E </term>
++      <term>-G </term>
+         <listitem>
+           <para>
+-Erase all CRLs of specified type from the cert database
++Create new Certificate Revocation List (CRL).
+           </para>
+         </listitem>
+       </varlistentry>
+ 
+-
+     <varlistentry>
+-      <term>-L </term>
++      <term>-I </term>
+         <listitem>
+           <para>
+-List existing CRL located in cert database file.
++Import a CRL to the cert database
+           </para>
+         </listitem>
+       </varlistentry>
+ 
+     <varlistentry>
+-      <term>-S </term>
++      <term>-L </term>
+         <listitem>
+           <para>
+-Show contents of a CRL file which isn't stored in the database.
++List existing CRL located in cert database file.
+           </para>
+         </listitem>
+       </varlistentry>
+@@ -141,43 +130,34 @@ Modify existing CRL which can be located
+       </varlistentry>
+ 
+     <varlistentry>
+-      <term>-G </term>
++      <term>-S </term>
+         <listitem>
+           <para>
+-
++Show contents of a CRL file which isn't stored in the database.
+           </para>
+         </listitem>
+       </varlistentry>
+   </variablelist>
+ 
+   <para><command>Arguments</command></para>
+-  <para>Option arguments modify an action and are lowercase.</para>
++  <para>Option arguments modify an action.</para>
+ 
+   <variablelist>
+ 
+       <varlistentry>
+-        <term>-B </term>
+-        <listitem>
+-          <para>
+-Bypass CA signature checks.
+-          </para>
+-        </listitem>
+-      </varlistentry>
+-
+-      <varlistentry>
+-        <term>-P dbprefix </term>
++        <term>-a </term>
+         <listitem>
+           <para>
+-Specify the prefix used on the NSS security database files (for example, my_cert8.db and my_key3.db). This option is provided as a special case. Changing the names of the certificate and key databases is not recommended.
++Use ASCII format or allow the use of ASCII format for input and output. This formatting follows RFC #1113.
+           </para>
+         </listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+-        <term>-a </term>
++        <term>-B </term>
+         <listitem>
+           <para>
+-Use ASCII format or allow the use of ASCII format for input and output. This formatting follows RFC #1113.
++Bypass CA signature checks.
+           </para>
+         </listitem>
+       </varlistentry>
+@@ -204,19 +184,19 @@ The NSS database files must reside in th
+       </varlistentry>
+ 
+       <varlistentry>
+-        <term>-i crl-file </term>
++        <term>-f password-file </term>
+         <listitem>
+           <para>
+-Specify the file which contains the CRL to import or show.
++Specify a file that will automatically supply the password to include in a certificate or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent unauthorized access to this file.
+           </para>
+         </listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+-        <term>-f password-file </term>
++        <term>-i crl-file </term>
+         <listitem>
+           <para>
+-Specify a file that will automatically supply the password to include in a certificate or to access a certificate database. This is a plain-text file containing one password. Be sure to prevent unauthorized access to this file.
++Specify the file which contains the CRL to import or show.
+           </para>
+         </listitem>
+       </varlistentry>
+@@ -249,6 +229,15 @@ Specify the output file name for new CRL
+       </varlistentry>
+ 
+       <varlistentry>
++        <term>-P dbprefix </term>
++        <listitem>
++          <para>
++Specify the prefix used on the NSS security database files (for example, my_cert8.db and my_key3.db). This option is provided as a special case. Changing the names of the certificate and key databases is not recommended.
++          </para>
++        </listitem>
++      </varlistentry>
++
++      <varlistentry>
+         <term>-t crl-type </term>
+         <listitem>
+           <para>
+@@ -355,7 +344,7 @@ Implemented Extensions
+     * Add The Authority Key Identifier extension:
+      </para>
+      <para>
+-      The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a CRL.
++The authority key identifier extension provides a means of identifying the public key corresponding to the private key used to sign a CRL.
+      </para>
+      <para>
+           authKeyId critical [key-id | dn cert-serial]
+@@ -504,21 +493,9 @@ crlutil -G|-M -c crl-gen-file -n nicknam
+     </programlisting>
+   </refsection>
+ 
+-  <refsection>
+-    <title>See also</title>
+-    <para>certutil(1)</para>
+-  </refsection>
+-
+-
+   <refsection id="seealso">
+     <title>See Also</title>
+-    <para></para>
+-	<para>
+-	</para>
+-	<para>
+-	</para>
+-	<para>
+-	</para>
++    <para>certutil(1)</para>
+   </refsection>
+ 
+ <!-- don't change -->
+diff -up ./nss/doc/modutil.xml.cleanup ./nss/doc/modutil.xml
+--- ./nss/doc/modutil.xml.cleanup	2014-05-12 07:53:59.723219994 -0700
++++ ./nss/doc/modutil.xml	2014-05-12 07:53:59.763220129 -0700
+@@ -625,7 +625,8 @@ DISABLE:               0x40000000</progr
+ 	<para><command>Executable</command> specifies that the file is to be executed during the course of the installation. Typically, this string is used for a setup program provided by a module vendor, such as a self-extracting setup executable. More than one file can be specified as executable, in which case the files are run in the order in which they are specified in the script file.</para>
+ 	<para><command>FilePermissions</command> sets permissions on any referenced files in a string of octal digits, according to the standard Unix format. This string is a bitwise OR.</para>
+ 
+-<programlisting>user read:                0400
++<programlisting>
++user read:                0400
+ user write:               0200
+ user execute:             0100
+ group read:               0040
+@@ -633,7 +634,8 @@ group write:              0020
+ group execute:            0010
+ other read:               0004
+ other write:              0002
+-other execute:       0001</programlisting>
++other execute:            0001
++</programlisting>
+ 
+ <para>Some platforms may not understand these permissions. They are applied only insofar as they make sense for the current platform. If this attribute is omitted, a default of 777 is assumed.</para>
+   </refsection>
+@@ -693,7 +695,7 @@ Using the SQLite databases must be manua
+ <para>To set the shared database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>sql</envar>:</para>
+ <programlisting>export NSS_DEFAULT_DB_TYPE="sql"</programlisting>
+ 
+-<para>This line can be set added to the <filename>~/.bashrc</filename> file to make the change permanent.</para>
++<para>This line can be added to the <filename>~/.bashrc</filename> file to make the change permanent for the user.</para>
+ 
+ <para>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</para>
+ <itemizedlist>
+diff -up ./nss/doc/pk12util.xml.cleanup ./nss/doc/pk12util.xml
+--- ./nss/doc/pk12util.xml.cleanup	2013-11-09 09:23:30.000000000 -0800
++++ ./nss/doc/pk12util.xml	2014-05-12 07:53:59.763220129 -0700
+@@ -27,16 +27,14 @@
+   <refsynopsisdiv>
+     <cmdsynopsis>
+       <command>pk12util</command>
+-      <arg>-i p12File [-h tokenname] [-v] [common-options] </arg>
+-      <arg>
+-        -l p12File [-h tokenname] [-r] [common-options] </arg>
+-      <arg>
+-        -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [common-options] </arg>
+-       <arg>
+-
+-common-options are:
+-[-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword] 
+-      </arg>
++      <arg>-i p12File|-l p12File|-o p12File</arg>
++      <arg>-d [sql:]directory</arg>
++      <arg>-h tokenname</arg>
++      <arg>-P dbprefix</arg>
++      <arg>-r</arg>
++      <arg>-v</arg>
++      <arg>-k slotPasswordFile|-K slotPassword</arg>
++      <arg>-w p12filePasswordFile|-W p12filePassword</arg>
+     </cmdsynopsis>
+   </refsynopsisdiv>
+ 
+@@ -73,22 +71,20 @@ common-options are:
+ 
+     <para><command>Arguments</command></para>
+     <variablelist>
+-    
+       <varlistentry>
+-        <term>-n certname</term>
+-        <listitem><para>Specify the nickname of the cert and private key to export.</para></listitem>
++        <term>-c keyCipher</term>
++        <listitem><para>Specify the key encryption algorithm.</para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+-        <term>-d [sql:]directory</term>
+-        <listitem><para>Specify the database directory into which to import to or export from certificates and keys.</para>
+-	<para><command>pk12util</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>sql:</command> is not used, then the tool assumes that the given databases are in the old format.</para></listitem>
++        <term>-C certCipher</term>
++        <listitem><para>Specify the key cert (overall package) encryption algorithm.</para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+-        <term>-P prefix</term>
+-        <listitem><para>Specify the prefix used on the certificate and key databases. This option is provided as a special case. 
+-          Changing the names of the certificate and key databases is not recommended.</para></listitem>
++        <term>-d [sql:]directory</term>
++        <listitem><para>Specify the database directory into which to import to or export from certificates and keys.</para>
++	<para><command>pk12util</command> supports two types of databases: the legacy security databases (<filename>cert8.db</filename>, <filename>key3.db</filename>, and <filename>secmod.db</filename>) and new SQLite databases (<filename>cert9.db</filename>, <filename>key4.db</filename>, and <filename>pkcs11.txt</filename>). If the prefix <command>sql:</command> is not used, then the tool assumes that the given databases are in the old format.</para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+@@ -97,11 +93,6 @@ common-options are:
+       </varlistentry>
+ 
+       <varlistentry>
+-        <term>-v </term>
+-        <listitem><para>Enable debug logging when importing.</para></listitem>
+-      </varlistentry>
+-
+-      <varlistentry>
+         <term>-k slotPasswordFile</term>
+         <listitem><para>Specify the text file containing the slot's password.</para></listitem>
+       </varlistentry>
+@@ -112,39 +103,46 @@ common-options are:
+       </varlistentry>
+ 
+       <varlistentry>
+-        <term>-w p12filePasswordFile</term>
+-        <listitem><para>Specify the text file containing the pkcs #12 file password.</para></listitem>
++        <term>-m | --key-len  keyLength</term>
++        <listitem><para>Specify the desired length of the symmetric key to be used to encrypt the private key.</para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+-        <term>-W p12filePassword</term>
+-        <listitem><para>Specify the pkcs #12 file password.</para></listitem>
++        <term>-n | --cert-key-len  certKeyLength</term>
++        <listitem><para>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+-        <term>-c keyCipher</term>
+-        <listitem><para>Specify the key encryption algorithm.</para></listitem>
++        <term>-n certname</term>
++        <listitem><para>Specify the nickname of the cert and private key to export.</para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+-        <term>-C certCipher</term>
+-        <listitem><para>Specify the key cert (overall package) encryption algorithm.</para></listitem>
++        <term>-P prefix</term>
++        <listitem><para>Specify the prefix used on the certificate and key databases. This option is provided as a special case. 
++          Changing the names of the certificate and key databases is not recommended.</para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+-        <term>-m | --key-len  keyLength</term>
+-        <listitem><para>Specify the desired length of the symmetric key to be used to encrypt the private key.</para></listitem>
++        <term>-r</term>
++        <listitem><para>Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.</para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+-        <term>-n | --cert-key-len  certKeyLength</term>
+-        <listitem><para>Specify the desired length of the symmetric key to be used to encrypt the certificates and other meta-data.</para></listitem>
++        <term>-v </term>
++        <listitem><para>Enable debug logging when importing.</para></listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+-        <term>-r</term>
+-        <listitem><para>Dumps all of the data in raw (binary) form. This must be saved as a DER file. The default is to return information in a pretty-print ASCII format, which displays the information about the certificates and public keys in the p12 file.</para></listitem>
++        <term>-w p12filePasswordFile</term>
++        <listitem><para>Specify the text file containing the pkcs #12 file password.</para></listitem>
++      </varlistentry>
++
++      <varlistentry>
++        <term>-W p12filePassword</term>
++        <listitem><para>Specify the pkcs #12 file password.</para></listitem>
+       </varlistentry>
++
+     </variablelist>
+   </refsection>
+ 
+@@ -237,9 +235,12 @@ common-options are:
+     <para><command>Importing Keys and Certificates</command></para>
+     <para>The most basic usage of <command>pk12util</command> for importing a certificate or key is the PKCS#12 input file (<option>-i</option>) and some way to specify the security database being accessed (either <option>-d</option> for a directory or <option>-h</option> for a token).
+     </para>
+-<programlisting>pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</programlisting>
++    <para>
++    pk12util -i p12File [-h tokenname] [-v] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]
++    </para>
+     <para>For example:</para>
+-<programlisting># pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb
++    <para> </para>
++    <programlisting># pk12util -i /tmp/cert-files/users.p12 -d sql:/home/my/sharednssdb
+ 
+ Enter a password which will be used to encrypt your keys.
+ The password should be at least 8 characters long,
+@@ -253,18 +254,18 @@ pk12util: PKCS12 IMPORT SUCCESSFUL</prog
+     <para><command>Exporting Keys and Certificates</command></para>
+     <para>Using the <command>pk12util</command> command to export certificates and keys requires both the name of the certificate to extract from the database (<option>-n</option>) and the PKCS#12-formatted output file to write to. There are optional parameters that can be used to encrypt the file to protect the certificate material.
+     </para>
+-<programlisting>pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</programlisting>
++    <para>pk12util -o p12File -n certname [-c keyCipher] [-C certCipher] [-m|--key_len keyLen] [-n|--cert_key_len certKeyLen] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</para>
+     <para>For example:</para>
+-<programlisting># pk12util -o certs.p12 -n Server-Cert -d sql:/home/my/sharednssdb
++    <programlisting># pk12util -o certs.p12 -n Server-Cert -d sql:/home/my/sharednssdb
+ Enter password for PKCS12 file: 
+ Re-enter password: </programlisting>
+ 
+     <para><command>Listing Keys and Certificates</command></para>
+     <para>The information in a <filename>.p12</filename> file are not human-readable. The certificates and keys in the file can be printed (listed) in a human-readable pretty-print format that shows information for every certificate and any public keys in the <filename>.p12</filename> file.
+     </para>
+-<programlisting>pk12util -l p12File [-h tokenname] [-r] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</programlisting>
++    <para>pk12util -l p12File [-h tokenname] [-r] [-d [sql:]directory] [-P dbprefix] [-k slotPasswordFile|-K slotPassword] [-w p12filePasswordFile|-W p12filePassword]</para>
+     <para>For example, this prints the default ASCII output:</para>
+-<programlisting># pk12util -l certs.p12
++    <programlisting># pk12util -l certs.p12
+ 
+ Enter password for PKCS12 file: 
+ Key(shrouded):
+@@ -283,9 +284,9 @@ Certificate:
+         Issuer: "E=personal-freemail at thawte.com,CN=Thawte Personal Freemail C
+             A,OU=Certification Services Division,O=Thawte Consulting,L=Cape T
+             own,ST=Western Cape,C=ZA"
+-....</programlisting>
++    </programlisting>
+     <para>Alternatively, the <option>-r</option> prints the certificates and then exports them into separate DER binary files. This allows the certificates to be fed to another application that supports <filename>.p12</filename> files. Each certificate is written to a sequentially-number file, beginning with <filename>file0001.der</filename> and continuing through <filename>file000N.der</filename>, incrementing the number for every certificate:</para>
+-<programlisting># pk12util -l test.p12 -r
++    <programlisting>pk12util -l test.p12 -r
+ Enter password for PKCS12 file: 
+ Key(shrouded):
+     Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
+@@ -297,7 +298,8 @@ Key(shrouded):
+             Iteration Count: 1 (0x1)
+ Certificate    Friendly Name: Thawte Personal Freemail Issuing CA - Thawte Consulting
+ 
+-Certificate    Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID</programlisting>
++Certificate    Friendly Name: Thawte Freemail Member's Thawte Consulting (Pty) Ltd. ID
++    </programlisting>
+   </refsection>
+ 
+   <refsection id="encryption">
+@@ -309,86 +311,48 @@ Certificate    Friendly Name: Thawte Fre
+     
+       <varlistentry>
+         <term>Symmetric CBC ciphers for PKCS#5 V2</term>
+-        <listitem><para>DES_CBC</para>
+-	<itemizedlist>
+-	<listitem>
+-        <para>RC2-CBC</para>
+-	</listitem>
+-	<listitem>
+-        <para>RC5-CBCPad</para>
+-	</listitem>
+-	<listitem>
+-        <para>DES-EDE3-CBC (the default for key encryption)</para>
+-	</listitem>
+-	<listitem>
+-        <para>AES-128-CBC</para>
+-	</listitem>
+-	<listitem>
+-        <para>AES-192-CBC</para>
+-	</listitem>
+-	<listitem>
+-        <para>AES-256-CBC</para>
+-	</listitem>
+-	<listitem>
+-        <para>CAMELLIA-128-CBC</para>
+-	</listitem>
+-	<listitem>
+-        <para>CAMELLIA-192-CBC</para>
+-	</listitem>
+-	<listitem>
+-        <para>CAMELLIA-256-CBC</para></listitem>
+-	</itemizedlist>
+-	</listitem>
++        <listitem>
++	     <itemizedlist>
++	       <listitem><para>DES-CBC</para></listitem>
++	       <listitem><para>RC2-CBC</para></listitem>
++	       <listitem><para>RC5-CBCPad</para></listitem>
++	       <listitem><para>DES-EDE3-CBC (the default for key encryption)</para></listitem>
++	       <listitem><para>AES-128-CBC</para></listitem>
++	       <listitem><para>AES-192-CBC</para></listitem>
++	       <listitem><para>AES-256-CBC</para></listitem>
++	       <listitem><para>CAMELLIA-128-CBC</para></listitem>
++	       <listitem><para>CAMELLIA-192-CBC</para></listitem>
++	       <listitem><para>CAMELLIA-256-CBC</para></listitem>
++	     </itemizedlist>
++        </listitem>
+       </varlistentry>
+ 
+       <varlistentry>
+         <term>PKCS#12 PBE ciphers</term>
+-        <listitem><para>PKCS #12 PBE with Sha1 and 128 Bit RC4</para>
+-	<itemizedlist>
+-	<listitem>
+-        <para>PKCS #12 PBE with Sha1 and 40 Bit RC4</para>
+-	</listitem>
+-	<listitem>
+-        <para>PKCS #12 PBE with Sha1 and Triple DES CBC</para>
+-	</listitem>
+-	<listitem>
+-        <para>PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC</para>
+-	</listitem>
+-	<listitem>
+-        <para>PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC</para>
+-	</listitem>
+-	<listitem>
+-        <para>PKCS12 V2 PBE with SHA1 and 128 Bit RC4</para>
+-	</listitem>
+-	<listitem>
+-        <para>PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for non-FIPS mode)</para>
+-	</listitem>
+-	<listitem>
+-        <para>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</para>
+-	</listitem>
+-	<listitem>
+-        <para>PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc</para>
+-	</listitem>
+-	<listitem>
+-        <para>PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC</para>
+-	</listitem>
+-	<listitem>
+-        <para>PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC</para></listitem>
+-	</itemizedlist>
+-	</listitem>
+-      </varlistentry>
+-
+-      <varlistentry>
+-        <term>PKCS#5 PBE ciphers</term>
+-        <listitem><para>PKCS #5 Password Based Encryption with MD2 and DES CBC</para>
+-	<itemizedlist>
+-	<listitem>
+-        <para>PKCS #5 Password Based Encryption with MD5 and DES CBC</para>
+-	</listitem>
+-	<listitem>
+-        <para>PKCS #5 Password Based Encryption with SHA1 and DES CBC</para></listitem>
+-	</itemizedlist>
+-	</listitem>
++        <listitem>
++	     <itemizedlist>
++	       <listitem><para>PKCS #12 PBE with Sha1 and 128 Bit RC4</para></listitem>
++	       <listitem><para>PKCS #12 PBE with Sha1 and 40 Bit RC4</para></listitem>
++	       <listitem><para>PKCS #12 PBE with Sha1 and Triple DES CBC</para></listitem>
++	       <listitem><para>PKCS #12 PBE with Sha1 and 128 Bit RC2 CBC</para></listitem>
++	       <listitem><para>PKCS #12 PBE with Sha1 and 40 Bit RC2 CBC</para></listitem>
++	       <listitem><para>PKCS12 V2 PBE with SHA1 and 128 Bit RC4</para></listitem>
++	       <listitem><para>PKCS12 V2 PBE with SHA1 and 40 Bit RC4 (the default for non-FIPS mode)</para></listitem>
++	       <listitem><para>PKCS12 V2 PBE with SHA1 and 3KEY Triple DES-cbc</para></listitem>
++	       <listitem><para>PKCS12 V2 PBE with SHA1 and 2KEY Triple DES-cbc</para></listitem>
++	       <listitem><para>PKCS12 V2 PBE with SHA1 and 128 Bit RC2 CBC</para></listitem>
++	       <listitem><para>PKCS12 V2 PBE with SHA1 and 40 Bit RC2 CBC</para></listitem>
++	     </itemizedlist>
++        </listitem>
++      </varlistentry>
++        <varlistentry><term>PKCS#5 PBE ciphers</term>
++        <listitem>
++	     <itemizedlist>
++	       <listitem><para>PKCS #5 Password Based Encryption with MD2 and DES CBC</para></listitem>
++	       <listitem><para>PKCS #5 Password Based Encryption with MD5 and DES CBC</para></listitem>
++	       <listitem><para>PKCS #5 Password Based Encryption with SHA1 and DES CBC</para></listitem>
++	     </itemizedlist>
++        </listitem>
+       </varlistentry>
+     </variablelist>
+     <para>With PKCS#12, the crypto provider may be the soft token module or an external hardware module. If the cryptographic module does not support the requested algorithm, then the next best fit will be selected (usually the default). If no suitable replacement for the desired algorithm can be found, the tool returns the error <emphasis>no security module can perform the requested operation</emphasis>.</para>
+diff -up ./nss/doc/signtool.xml.cleanup ./nss/doc/signtool.xml
+--- ./nss/doc/signtool.xml.cleanup	2013-11-09 09:23:30.000000000 -0800
++++ ./nss/doc/signtool.xml	2014-05-12 08:12:18.989951466 -0700
+@@ -27,36 +27,37 @@
+   <refsynopsisdiv>
+     <cmdsynopsis>
+       <command>signtool</command>
+-      <arg>-k keyName</arg>
++      <arg>[-b basename]</arg>
++      <arg>[-c Compression Level] </arg>
++      <arg>[-d cert-dir] </arg>
++      <arg>[-e extension] </arg>
++      <arg>[-f filename] </arg>
++      <arg>[-i installer script] </arg>
+       <arg>[-h]</arg>
+       <arg>[-H]</arg>
+-      <arg>[-l]</arg>
+-      <arg>[-L]</arg>
+-      <arg>[-M]</arg>
+       <arg>[-v]</arg>
+       <arg>[-w]</arg>
+       <arg>[-G nickname]</arg>
++      <arg>[-J]</arg>
++      <arg>[-j directory] </arg>
++      <arg>-k keyName</arg>
+       <arg>[--keysize | -s size]</arg>
+-      <arg>[-b basename]</arg>
+-      <arg>[-c Compression Level] </arg>
+-      <arg>[-d cert-dir] </arg>
+-      <arg>[-i installer script] </arg>
++      <arg>[-l]</arg>
++      <arg>[-L]</arg>
++      <arg>[-M]</arg>
+       <arg>[-m metafile] </arg>
+-      <arg>[-x name] </arg>
+-      <arg>[-f filename] </arg>
+-      <arg>[-t|--token tokenname] </arg>
+-      <arg>[-e extension] </arg>
++      <arg>[--norecurse] </arg>
++      <arg>[-O] </arg>
+       <arg>[-o] </arg>
++      <arg>[--outfile] </arg>
++      <arg>[-p password] </arg>
++      <arg>[-t|--token tokenname] </arg>
+       <arg>[-z] </arg>
+       <arg>[-X] </arg>
+-      <arg>[--outfile] </arg>
++      <arg>[-x name] </arg>
+       <arg>[--verbose value] </arg>
+-      <arg>[--norecurse] </arg>
+       <arg>[--leavearc] </arg>
+-      <arg>[-j directory] </arg>
+       <arg>[-Z jarfile] </arg>
+-      <arg>[-O] </arg>
+-      <arg>[-p password] </arg>
+       <arg>directory-tree</arg>
+       <arg>archive</arg>
+ <!-- this isn't the ideal formatting, since docbook can handle reqiored/optional formatting automatically, but let's make it explicit -->
+@@ -97,7 +98,7 @@
+       </varlistentry>
+       <varlistentry>
+         <term>-c#</term>
+-			<listitem><para>
++	<listitem><para>
+ 	Specifies the compression level for the -J or -Z option. The symbol # represents a number from 0 to 9, where 0 means no compression and 9 means maximum compression. The higher the level of compression, the smaller the output but the longer the operation takes.
+ 
+ If the -c# option is not used with either the -J or the -Z option, the default compression value used by both the -J and -Z options is 6.
+@@ -124,10 +125,36 @@ The Unix version of signtool assumes ~/.
+ </para></listitem>
+       </varlistentry>
+       <varlistentry>
++        <term>-G nickname</term>
++        <listitem><para>
++	Generates a new private-public key pair and corresponding object-signing certificate with the given nickname.
++
++The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the -d option. With the NT version of Netscape Signing Tool, you must use the -d option with the -G option. With the Unix version of Netscape Signing Tool, omitting the -d option causes the tool to install the keys and certificate in the Communicator key and certificate databases. If you are installing the keys and certificate in the Communicator databases, you must exit Communicator before using this option; otherwise, you risk corrupting the databases. In all cases, the certificate is also output to a file named x509.cacert, which has the MIME-type application/x-x509-ca-cert.
++
++Unlike certificates normally used to sign finished code to be distributed over a network, a test certificate created with -G is not signed by a recognized certificate authority. Instead, it is self-signed. In addition, a single test signing certificate functions as both an object-signing certificate and a CA. When you are using it to sign objects, it behaves like an object-signing certificate. When it is imported into browser software such as Communicator, it behaves like an object-signing CA and cannot be used to sign objects.
++
++The -G option is available in Netscape Signing Tool 1.0 and later versions only. By default, it produces only RSA certificates with 1024-byte keys in the internal token. However, you can use the -s option specify the required key size and the -t option to specify the token.
++        </para></listitem>
++      </varlistentry>
++      <varlistentry>
+         <term>-i scriptname</term>
+-			<listitem><para>
+-	Specifies the name of an installer script for SmartUpdate. This script installs files from the JAR archive in the local system after SmartUpdate has validated the digital signature. For more details, see the description of -m that follows. The -i option provides a straightforward way to provide this information if you don't need to specify any metadata other than an installer script.
+-</para></listitem>
++        <listitem><para>
++Specifies the name of an installer script for SmartUpdate. This script installs files from the JAR archive in the local system after SmartUpdate has validated the digital signature. For more details, see the description of -m that follows. The -i option provides a straightforward way to provide this information if you don't need to specify any metadata other than an installer script.
++        </para></listitem>
++      </varlistentry>
++      <varlistentry>
++        <term>-J</term>
++        <listitem>
++          <para>
++Signs a directory of HTML files containing JavaScript and creates as many archive files as are specified in the HTML tags. Even if signtool creates more than one archive file, you need to supply the key database password only once.
++
++The -J option is available only in Netscape Signing Tool 1.0 and later versions. The -J option cannot be used at the same time as the -Z option.
++
++If the -c# option is not used with the -J option, the default compression value is 6.
++
++Note that versions 1.1 and later of Netscape Signing Tool correctly recognizes the CODEBASE attribute, allows paths to be expressed for the CLASS and SRC attributes instead of filenames only, processes LINK tags and parses HTML correctly, and offers clearer error messages.
++          </para>
++        </listitem>
+       </varlistentry>
+       <varlistentry>
+         <term>-j directory</term>
+@@ -148,18 +175,6 @@ It's also possible to use the -k option 
+ </para></listitem>
+       </varlistentry>
+       <varlistentry>
+-        <term>-G nickname</term>
+-			<listitem><para>
+-	Generates a new private-public key pair and corresponding object-signing certificate with the given nickname.
+-
+-The newly generated keys and certificate are installed into the key and certificate databases in the directory specified by the -d option. With the NT version of Netscape Signing Tool, you must use the -d option with the -G option. With the Unix version of Netscape Signing Tool, omitting the -d option causes the tool to install the keys and certificate in the Communicator key and certificate databases. If you are installing the keys and certificate in the Communicator databases, you must exit Communicator before using this option; otherwise, you risk corrupting the databases. In all cases, the certificate is also output to a file named x509.cacert, which has the MIME-type application/x-x509-ca-cert.
+-
+-Unlike certificates normally used to sign finished code to be distributed over a network, a test certificate created with -G is not signed by a recognized certificate authority. Instead, it is self-signed. In addition, a single test signing certificate functions as both an object-signing certificate and a CA. When you are using it to sign objects, it behaves like an object-signing certificate. When it is imported into browser software such as Communicator, it behaves like an object-signing CA and cannot be used to sign objects.
+-
+-The -G option is available in Netscape Signing Tool 1.0 and later versions only. By default, it produces only RSA certificates with 1024-byte keys in the internal token. However, you can use the -s option specify the required key size and the -t option to specify the token. For more information about the use of the -G option, see "Generating Test Object-Signing Certificates""Generating Test Object-Signing Certificates" on page 1241.
+-</para></listitem>
+-      </varlistentry>
+-      <varlistentry>
+         <term>-l</term>
+ 			<listitem><para>
+ 	Lists signing certificates, including issuing CAs. If any of your certificates are expired or invalid, the list will so specify. This option can be used with the -k option to list detailed information about a particular signing certificate.
+@@ -168,18 +183,6 @@ The -l option is available in Netscape S
+ </para></listitem>
+       </varlistentry>
+       <varlistentry>
+-        <term>-J</term>
+-			<listitem><para>
+-	Signs a directory of HTML files containing JavaScript and creates as many archive files as are specified in the HTML tags. Even if signtool creates more than one archive file, you need to supply the key database password only once.
+-
+-The -J option is available only in Netscape Signing Tool 1.0 and later versions. The -J option cannot be used at the same time as the -Z option.
+-
+-If the -c# option is not used with the -J option, the default compression value is 6.
+-
+-Note that versions 1.1 and later of Netscape Signing Tool correctly recognizes the CODEBASE attribute, allows paths to be expressed for the CLASS and SRC attributes instead of filenames only, processes LINK tags and parses HTML correctly, and offers clearer error messages.
+-</para></listitem>
+-      </varlistentry>
+-      <varlistentry>
+         <term>-L</term>
+ 			<listitem><para>
+ 	Lists the certificates in your database. An asterisk appears to the left of the nickname for any certificate that can be used to sign objects with signtool.
+diff -up ./nss/doc/signver.xml.cleanup ./nss/doc/signver.xml
+--- ./nss/doc/signver.xml.cleanup	2013-11-09 09:23:30.000000000 -0800
++++ ./nss/doc/signver.xml	2014-05-12 07:53:59.770220149 -0700
+@@ -163,7 +163,7 @@ Using the SQLite databases must be manua
+ <para>To set the shared database type as the default type for the tools, set the <envar>NSS_DEFAULT_DB_TYPE</envar> environment variable to <envar>sql</envar>:</para>
+ <programlisting>export NSS_DEFAULT_DB_TYPE="sql"</programlisting>
+ 
+-<para>This line can be set added to the <filename>~/.bashrc</filename> file to make the change permanent.</para>
++<para>This line can be added to the <filename>~/.bashrc</filename> file to make the change permanent for the user.</para>
+ 
+ <para>Most applications do not use the shared database by default, but they can be configured to use them. For example, this how-to article covers how to configure Firefox and Thunderbird to use the new shared NSS databases:</para>
+ <itemizedlist>
+diff -up ./nss/doc/ssltap.xml.cleanup ./nss/doc/ssltap.xml
+--- ./nss/doc/ssltap.xml.cleanup	2013-11-09 09:23:30.000000000 -0800
++++ ./nss/doc/ssltap.xml	2014-05-12 07:53:59.771220154 -0700
+@@ -26,8 +26,8 @@
+ 
+   <refsynopsisdiv>
+     <cmdsynopsis>
+-      <command>libssltap</command>
+-      <arg choice="opt">-vhfsxl</arg>
++      <command>ssltap</command>
++      <arg choice="opt">-fhlsvx</arg>
+       <arg choice="opt">-p port</arg>
+       <arg choice="opt">hostname:port</arg>
+     </cmdsynopsis>
+@@ -48,8 +48,10 @@
+     <title>Options</title>
+     <variablelist>
+       <varlistentry>
+-        <term>-v </term>
+-        <listitem><para>Print a version string for the tool.</para></listitem>
++        <term>-f </term>
++        <listitem><para>
++Turn on fancy printing. Output is printed in colored HTML. Data sent from the client to the server is in blue; the server's reply is in red. When used with looping mode, the different connections are separated with horizontal lines. You can use this option to upload the output into a browser. 
++        </para></listitem>
+       </varlistentry>
+       <varlistentry>
+         <term>-h </term>
+@@ -58,34 +60,6 @@ Turn on hex/ASCII printing. Instead of o
+         </para></listitem>
+       </varlistentry>
+       <varlistentry>
+-        <term>-f </term>
+-        <listitem><para>
+-Turn on fancy printing. Output is printed in colored HTML. Data sent from the client to the server is in blue; the server's reply is in red. When used with looping mode, the different connections are separated with horizontal lines. You can use this option to upload the output into a browser. 
+-        </para></listitem>
+-      </varlistentry>
+-             <varlistentry><term>-s </term>
+-        <listitem>
+-          <para>
+-Turn on SSL parsing and decoding. The tool does not automatically detect SSL sessions. If you are intercepting an SSL connection, use this option so that the tool can detect and decode SSL structures.
+-	  </para>
+-	  <para>
+-If the tool detects a certificate chain, it saves the DER-encoded certificates into files in the current directory. The files are named cert.0x, where x is the sequence number of the certificate.
+-	  </para>
+-	  <para>
+-If the -s option is used with -h, two separate parts are printed for each record: the plain hex/ASCII output, and the parsed SSL output.
+-          </para>
+-        </listitem>
+-      </varlistentry>
+-        <varlistentry>
+-        <term>-x  </term>
+-          <listitem>
+-            <para>
+-Turn on hex/ASCII printing of undecoded data inside parsed SSL records. Used only with the -s option. 
+-This option uses the same output format as the -h option.
+-            </para>
+-        </listitem>
+-      </varlistentry>
+-      <varlistentry>
+         <term>-l  prefix</term>
+         <listitem>
+           <para>
+@@ -124,6 +98,28 @@ Turn on looping; that is, continue to ac
+           </para>
+         </listitem>
+       </varlistentry>
++      <varlistentry>
++        <term>-s </term>
++        <listitem>
++          <para>
++Turn on SSL parsing and decoding. The tool does not automatically detect SSL sessions. If you are intercepting an SSL connection, use this option so that the tool can detect and decode SSL structures.
++	  </para>
++	  <para>
++If the tool detects a certificate chain, it saves the DER-encoded certificates into files in the current directory. The files are named cert.0x, where x is the sequence number of the certificate.
++	  </para>
++	  <para>
++If the -s option is used with -h, two separate parts are printed for each record: the plain hex/ASCII output, and the parsed SSL output.
++          </para>
++        </listitem>
++      </varlistentry>
++      <varlistentry>
++        <term>-v </term>
++        <listitem><para>Print a version string for the tool.</para></listitem>
++      </varlistentry>
++      <varlistentry>
++        <term>-x </term>
++        <listitem><para>Turn on extra SSL hex dumps.</para></listitem>
++      </varlistentry>
+     </variablelist>
+   </refsection>
+ 
diff --git a/nss-versus-softoken-tests.patch b/nss-versus-softoken-tests.patch
index e77487d..317fbe6 100644
--- a/nss-versus-softoken-tests.patch
+++ b/nss-versus-softoken-tests.patch
@@ -1,22 +1,26 @@
 diff -up nss/tests/all.sh.crypto nss/tests/all.sh
---- nss/tests/all.sh.crypto	2013-05-28 14:43:24.000000000 -0700
-+++ nss/tests/all.sh	2013-06-13 12:14:12.741082184 -0700
-@@ -299,9 +299,10 @@ fi
+--- nss/tests/all.sh.crypto	2013-11-09 09:23:30.000000000 -0800
++++ nss/tests/all.sh	2013-11-27 14:20:57.918671042 -0800
+@@ -299,9 +299,14 @@ fi
  # created, we check for modutil to know whether the build
  # is complete. If a new file is created after that, the 
  # following test for modutil should check for that instead.
 +# Except when building softoken only where shlibsign is the last one built.
-+export LAST_BUILT=[ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ] && shlibsign || modutil
++if [ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ]; then
++  export LAST_BUILT=shlibsign
++else
++  export LAST_BUILT=modutil
++fi
  
 -if [ ! -f ${DIST}/${OBJDIR}/bin/modutil -a  \
 -     ! -f ${DIST}/${OBJDIR}/bin/modutil.exe ]; then
-+if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_BUILT}${PROG_SUFFIX} -a ]; then
++if [ ! -f ${DIST}/${OBJDIR}/bin/${LAST_BUILT}${PROG_SUFFIX} ]; then
      echo "Build Incomplete. Aborting test." >> ${LOGFILE}
      html_head "Testing Initialization"
      Exit "Checking for build"
 diff -up nss/tests/cipher/cipher.sh.crypto nss/tests/cipher/cipher.sh
---- nss/tests/cipher/cipher.sh.crypto	2013-05-28 14:43:24.000000000 -0700
-+++ nss/tests/cipher/cipher.sh	2013-06-13 11:58:00.956064976 -0700
+--- nss/tests/cipher/cipher.sh.crypto	2013-11-09 09:23:30.000000000 -0800
++++ nss/tests/cipher/cipher.sh	2013-11-27 14:18:29.817581578 -0800
 @@ -129,6 +129,16 @@ if [ ! -x ${DIST}/${OBJDIR}/bin/bltest${
      return 0
  fi
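Review bot: The new test at `++if [ ${NSS_BUILD_SOFTOKEN_ONLY} -eq "1" ]; then` breaks when NSS_BUILD_SOFTOKEN_ONLY is unset or empty: the expansion disappears, `[` sees `-eq "1"` alone and prints `unary operator expected`, and the script only lands on the `modutil` branch because the failed test happens to fall through to `else`. Since the softoken-only case is the exception, give the variable a default and quote it, as nss.spec already does for DISABLETEST and DISABLE_SSL2: `if [ "${NSS_BUILD_SOFTOKEN_ONLY:-0}" -eq 1 ]; then`. The surrounding all.sh block continues outside the inner hunk, so the later `${LAST_BUILT}${PROG_SUFFIX}` check is fine as long as PROG_SUFFIX is set by that script (not visible here).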
diff --git a/nss.spec b/nss.spec
index 22f6203..97fd054 100644
--- a/nss.spec
+++ b/nss.spec
@@ -19,7 +19,7 @@
 Summary:          Network Security Services
 Name:             nss
 Version:          3.16.1
-Release:          2%{?dist}
+Release:          2.1%{?dist}.ssl2disabled.1
 License:          MPLv2.0
 URL:              http://www.mozilla.org/projects/security/pki/nss/
 Group:            System Environment/Libraries
@@ -94,6 +94,11 @@ Patch49:          nss-skip-bltest-and-fipstest.patch
 # Once the buildroot aha been bootstrapped the patch may be removed but it doesn't hurt to keep it.
 Patch50:          iquote.patch
 
+Patch51:          disable-sslv2-libssl.patch
+Patch52:          disable-sslv2-tests.patch
+# Upstream: https://bugzilla.mozilla.org/show_bug.cgi?id=1007126
+Patch70: manfixes.patch
+
 %description
 Network Security Services (NSS) is a set of libraries designed to
 support cross-platform development of security-enabled client and
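Review bot: The new `Patch70: manfixes.patch` line is not aligned with the other Patch tags in this block, which all pad the value to the same column (`Patch51:          disable-sslv2-libssl.patch`); write it as `Patch70:          manfixes.patch` to match. The jump from 52 to 70 is presumably deliberate (reserving a range for more SSL2 patches), but a one-line comment saying so, e.g. `# 70+ are reserved for upstream-bound documentation fixes`, would keep the next maintainer from renumbering it.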
@@ -181,6 +186,9 @@ low level services.
 %patch48 -p0 -b .crypto
 %patch49 -p0 -b .skipthem
 %patch50 -p0 -b .iquote
+%patch51 -p0 -b .disableSSL2
+%patch52 -p0 -b .disableSSL2
+%patch70 -p0 -b .cleanup
 
 #########################################################
 # Higher-level libraries and test tools need access to
@@ -201,6 +209,10 @@ done
 
 %build
 
+if [ ${DISABLE_SSL2:-0} -eq 1 ]; then
+export NSS_NO_SSL2=1
+fi
+
 NSS_NO_PKCS11_BYPASS=1
 export NSS_NO_PKCS11_BYPASS
 
@@ -289,7 +301,7 @@ pushd ./nss
 %{__make} clean_docs build_docs
 popd
 
-# and copy them to the dist directory
+# and copy them to the dist directory for %%install to find them
 %{__mkdir_p} ./dist/docs/nroff
 %{__cp} ./nss/doc/nroff/* ./dist/docs/nroff
 
@@ -353,12 +365,18 @@ done
  
 
 %check
-if [ $DISABLETEST -eq 1 ]; then
+if [ ${DISABLETEST:-0} -eq 1 ]; then
   echo "testing disabled"
   exit 0
 fi
 
 # Begin -- copied from the build section
+
+# inform the ssl test scripts that SSL2 is disabled
+if [ ${DISABLE_SSL2:-0} -eq 1 ]; then
+export NSS_NO_SSL2=1
+fi
+
 FREEBL_NO_DEPEND=1
 export FREEBL_NO_DEPEND
 
@@ -441,7 +459,7 @@ killall $RANDSERV || :
 TEST_FAILURES=$(grep -c FAILED ./tests_results/security/localhost.1/output.log) || GREP_EXIT_STATUS=$?
 if [ ${GREP_EXIT_STATUS:-0} -eq 1 ]; then
   echo "okay: test suite detected no failures"
-else 
+else
   if [ ${GREP_EXIT_STATUS:-0} -eq 0 ]; then
     # while a situation in which grep return status is 0 and it doesn't output
     # anything shouldn't happen, set the default to something that is
@@ -541,7 +559,7 @@ for f in nss-config setup-nsssysinit; do
 done
 # Copy the man pages for the nss tools
 for f in "%{allTools}"; do 
-   install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
+  install -c -m 644 ./dist/docs/nroff/${f}.1 $RPM_BUILD_ROOT%{_mandir}/man1/${f}.1
 done
 # Copy the man pages for the configuration files
 for f in pkcs11.txt; do 
@@ -751,6 +769,12 @@ fi
 
 
 %changelog
+* Mon Jun 02 2014 Elio Maldonado <emaldona at redhat.com> - 3.16.1-2.1.ssl2disabled.1
+- rebuilt with ssl2 disabled
+
+* Mon Jun 02 2014 Elio Maldonado <emaldona at redhat.com> - 3.16.1-2.1.ssl2allowed.1
+- Add option to disable SSL2, SSL2 enabled by default
+
 * Mon May 12 2014 Jaromir Capik <jcapik at redhat.com> - 3.16.1-2
 - Replacing ppc64 and ppc64le with the power64 macro
 - Related: Bug 1052545 - Trivial change for ppc64le in nss spec

