Emaldonado (talk | contribs) m (moved Test Days to NSS Test Day) |
Emaldonado (talk | contribs) |
||
(5 intermediate revisions by 2 users not shown) | |||
Line 22: | Line 22: | ||
* Rawhide Fully updated | * Rawhide Fully updated | ||
* NSS | * The latest version of NSS | ||
* | * curl | ||
* crypto-utils | |||
* firefox | |||
* krb5-workstation | |||
* mod_nss | * mod_nss | ||
* nss_compat_ossl | * nss_compat_ossl | ||
* | * openldap-clients | ||
* openswan | |||
* pidgin | |||
* thunderbird | |||
=== How to test? === | === How to test? === | ||
Line 33: | Line 39: | ||
* Areas to target with exploratory testing | * Areas to target with exploratory testing | ||
Updating to NSS 3. | Updating to NSS 3.13.1 from a prior version of NSS/Fedora | ||
Enabling system NSS | Enabling system NSS | ||
Openswan Pluto | Openswan Pluto | ||
Line 89: | Line 95: | ||
Restoring your system to the old databases: | Restoring your system to the old databases: | ||
Simply unset the NSS_DEFAULT_DB_TYPE variable and all your applications will fall back to their former dbm style | Simply unset the NSS_DEFAULT_DB_TYPE variable and all your applications will fall back to their former dbm style database | ||
Test 2: Testing out enablement FIPS mode. | |||
Note: We actually testing nss-softokn here. | |||
You can enable FIPS mode in Firefox, Thunderbird, or durectly using modutil. | |||
Test 2a: Enable FIPS mode in Firefox | |||
2a-1 - Launch Firefox | |||
2a-2 - Open the menu Edit->Preferences | |||
2a-3 - In the Security tab click on the "Use Saved Password | |||
2a-2 - Open the menu Edit->Preferences | |||
2a-3 - In the Encrypton tab click on the "Security Devices" button | |||
2a-4 - When the Device Manager window show up click on the "Enable FIPS" button | |||
2a-5 - Click OK | |||
This operation should succeed | |||
2a-6 - Click Close | |||
2a-6 - Shutdown and relaunch Firefox | |||
2a-7 - You will be prompted for a password | |||
That password prompt indicates that fips mode has been turned on | |||
Test 2b: Enable FIPS mode in Thunderbird | |||
The steps for Firefox apply to Thunderbird | |||
Test 2c: Enable FIPS mode via the nss command line tools | |||
2c-1: In a convenient place create a brand new database | |||
rm -rf /tmp/nssdb4testing | |||
mkdir -p /tmp/nssdb4testing | |||
certutil -d sql:/tmp/nssdb4testing -N | |||
Enter a password when prompted (optional) | |||
2c-2: Turn FIPS mode on: modutil -dbdir sql:tmp/nssdb4testing -fips true -force | |||
Enter the password when prompted | |||
It should display FIPS mode enabled. | |||
2c-3: Double-check: modutil -dbdir sql:tmp/nssdb4testing -chkfips true | |||
It should display FIPS mode enabled | |||
2c-4: Disable FIPS: modutil -dbdir sql:/tmp/nssdb4testing -fips false -force | |||
There should be no promp and it sould display: FIPS mode disabled. | |||
In the steps above we explicitly used the "sql:" prefix to ensure that an sqlite-based shared database is used. Repeat the steps above using the "dbm:" prefix to test the legacy database. | |||
=== Test Results === | === Test Results === | ||
Line 114: | Line 159: | ||
|} | |} | ||
[[Category:Test Days]] | [[Category:Proposed Test Days]] |
Latest revision as of 16:47, 9 January 2012
DATE | TIME | WHERE |
2009-10-29 | From 12:00 to 21:00 UTC (8am -> 5pm EDT) | #fedora-test-day (webirc) |
What to test?
Today's installment of Fedora Test Day will focus on NSS
Who's available
The following cast of characters will be available testing, workarounds, bug fixes, and general discussion ...
- Development - User:emaldonado, User:rrelyea
- Quality Assurance - User:amacerek, User:avagarwa, User:TBD
Prerequisite for Test Day
List any prerequisite needs for the test event. A fresh system, virtualized guest, a blank DVD ... a desire to break software?
- Rawhide Fully updated
- The latest version of NSS
- curl
- crypto-utils
- firefox
- krb5-workstation
- mod_nss
- nss_compat_ossl
- openldap-clients
- openswan
- pidgin
- thunderbird
How to test?
High level details on how a contributor can get involved. This can include (but not limited to):
- Areas to target with exploratory testing
Updating to NSS 3.13.1 from a prior version of NSS/Fedora Enabling system NSS Openswan Pluto crypto-utils certificate management tools for Apache
- A list of pre-defined test cases to execute TBD
- How to report back results
Test Cases
Testing out system NSS.
Part 1: enabling system NSS
In Fedora 12, system NSS is available, but not enabled. The following steps will enable system NSS.
1) As root run
certutil -K -X -d sql:/etc/pki/nssdb (this will create sql db's from the local dbm database).
2) as root edit /etc/pki/nssdb/pkcs11.txt
2a) stanza with NSS Internal PKCS #11 Module, change: library= to library=libnsssysinit.so 2b) in the same stanza, on the NSS= change the Flags from: Flags=internal,critical to Flags=internal,moduleDBOnly,critical 2c) save your changes (Note, there should be no spaces in the library= line, nor any spaces between the flags.
3) as yourself, in your .bashrc or .cshrc (or whatever shell you use) add:
export NSS_DEFAULT_DB_TYPE=sql [ of cource for csh/tcsh that sould be setenv 'NSS_DEFAULT_DB_TYPE sql' ]
4) as yourself (not as root!!!) 'certutil -N -d sql:/etc/pki/nssdb'. If you supply a password, this password will eventually become your new firefox/thunderbird master password.
Part 2: convince Firefox, Seamonkey, Xulrunner and Thunderbird to use system NSS. Firefox and Thunderbird still use private directories to store their NSS databases. It's possible, however, to convince them to open system NSS. All these steps should be performed as a user. In the future these applications would handle these steps by themselves automatically.
Do each of the following steps in each of the profile directories for which you wish to use system NSS in. Firefox, thunderbird, and seamonkey each have their own directories and can have multiple profiles (if you don't know what a profile is, you probably only have one per application). You can the base of the profile directories for firefox at ~/.mozilla/firefox and thunderbird at ~/.thunderbird. In that base directory there is a file called 'profiles.ini' which lists all the profiles that are known for that application. For each profile there's a line called 'Path=' which points to the actual profile directory. Usually it's a subdirectory under the current directory and has a random 'salted' name like 'quxz7me5.default'. do the following instructions while cd'd to that directory:
1) certutil -K -X -d sql:.
(if you have a master password set, You'll have to provide it here). This will create a new sql database from your old dbm database.
2) certutil --merge -d sql:~/.pki/nssdb --source-dir sql:.
(if you have a password set on sql:~/.pki/nssdb (from step 4 above), You'll have to provide it here. If that password is different from the master password for the profile, you'll also have to supply the profile password. If ~/.pki/nssdb has to password, but the profile database does, ~/.pki/nssdb will inherit that password (which you will then need on future instances of this step). If you want to change that password use 'certutil -N -d sql:~/.pki/nssdb'. Supplying an empty password will remove any password.
2) edit pkcs11.txt
2a) in the 'NSS Internal PKCS #11 Module' stanza. change: parameters=configdir='/home/{you}/.mozilla/firefox/quxy6me8.default' ..... Flags=internal,critical to parameters="configdir='sql:/etc/pki/nssdb' ..... Flags=internal,critical,moduleDBOnly" NOTE: the ... represents a very long string of parameters that should remain the same. Note the addition of the double quotes around the parameters. This tells NSS to use the parameters as given and now rebuild them based on application input. 2b) save pkcs11.txt
3) Make sure you set NSS_DEFAULT_DB_TYPE to sql in your environment before you start FF or TB
Restoring your system to the old databases:
Simply unset the NSS_DEFAULT_DB_TYPE variable and all your applications will fall back to their former dbm style database
Test 2: Testing out enablement FIPS mode. Note: We actually testing nss-softokn here.
You can enable FIPS mode in Firefox, Thunderbird, or durectly using modutil.
Test 2a: Enable FIPS mode in Firefox 2a-1 - Launch Firefox 2a-2 - Open the menu Edit->Preferences 2a-3 - In the Security tab click on the "Use Saved Password 2a-2 - Open the menu Edit->Preferences 2a-3 - In the Encrypton tab click on the "Security Devices" button 2a-4 - When the Device Manager window show up click on the "Enable FIPS" button 2a-5 - Click OK This operation should succeed 2a-6 - Click Close 2a-6 - Shutdown and relaunch Firefox 2a-7 - You will be prompted for a password That password prompt indicates that fips mode has been turned on
Test 2b: Enable FIPS mode in Thunderbird
The steps for Firefox apply to Thunderbird
Test 2c: Enable FIPS mode via the nss command line tools
2c-1: In a convenient place create a brand new database rm -rf /tmp/nssdb4testing mkdir -p /tmp/nssdb4testing certutil -d sql:/tmp/nssdb4testing -N Enter a password when prompted (optional) 2c-2: Turn FIPS mode on: modutil -dbdir sql:tmp/nssdb4testing -fips true -force Enter the password when prompted It should display FIPS mode enabled. 2c-3: Double-check: modutil -dbdir sql:tmp/nssdb4testing -chkfips true It should display FIPS mode enabled 2c-4: Disable FIPS: modutil -dbdir sql:/tmp/nssdb4testing -fips false -force There should be no promp and it sould display: FIPS mode disabled.
In the steps above we explicitly used the "sql:" prefix to ensure that an sqlite-based shared database is used. Repeat the steps above using the "dbm:" prefix to test the legacy database.
Test Results
Construct a table or list to allow testers to post results. Each column should be a test case or configuration, and each row should consist of test results. For example:
User | Smolt Profile | Sample test 1 | Sample test 2 | Sample test 3 | Sample test 4 | References |
---|---|---|---|---|---|---|
User:FasUser | HW | PASS | PASS | FAIL [1] | PASS |