From Fedora Project Wiki
No edit summary
Line 22: Line 22:
=HOWTO: Confirm that SSC is being used=
=HOWTO: Confirm that SSC is being used=
This command tells you which module is in use:
This command tells you which module is in use:
  ls -l /etc/alternatives/libnssckbi.so
  ls -l /etc/alternatives/libnssckbi.so*
It will either report /usr/lib/nss/libnssckbi.so (NSS), or it will report /usr/lib/pkcs11/p11-kit-trust.so (p11-kit).
It will either report /usr/lib(64)/nss/libnssckbi.so (NSS), or it will report /usr/lib(64)/pkcs11/p11-kit-trust.so (p11-kit).


On a standard F19 system, it should report: p11-kit
On a standard F19 system, it should report: p11-kit
Line 29: Line 29:
=HOWO: Test Firefox _without_ the new SSC feature=
=HOWO: Test Firefox _without_ the new SSC feature=
If you are triaging an issue, and you would like to test the behaviour of an NSS application (e.g. Firefox) using the classic module provided by NSS, use the following command to switch to the NSS module:
If you are triaging an issue, and you would like to test the behaviour of an NSS application (e.g. Firefox) using the classic module provided by NSS, use the following command to switch to the NSS module:
# on a 32 bit / i386 / i686 system:
  /usr/sbin/update-alternatives --remove libnssckbi.so /usr/lib/pkcs11/p11-kit-trust.so
  /usr/sbin/update-alternatives --remove libnssckbi.so /usr/lib/pkcs11/p11-kit-trust.so
# on a 64 bit system:
/usr/sbin/update-alternatives --remove libnssckbi.so.x86_64 /usr/lib64/pkcs11/p11-kit-trust.so
After above command, use
After above command, use
  ls -l /etc/alternatives/libnssckbi.so
  ls -l /etc/alternatives/libnssckbi.so*
and the link should point to the NSS module.
and the link should point to the NSS module.


Once you're ready to again activate the new p11-kit module, use:
Once you're ready to again activate the new p11-kit module, use:
# on a 32 bit / i386 / i686 system:
  /usr/sbin/update-alternatives --install /usr/lib/libnssckbi.so libnssckbi.so /usr/lib/pkcs11/p11-kit-trust.so 30
  /usr/sbin/update-alternatives --install /usr/lib/libnssckbi.so libnssckbi.so /usr/lib/pkcs11/p11-kit-trust.so 30
# on a 64 bit system:
/usr/sbin/update-alternatives --install /usr/lib64/libnssckbi.so libnssckbi.so.x86_64 /usr/lib64/pkcs11/p11-kit-trust.so 30
then use
then use
  ls -l /etc/alternatives/libnssckbi.so
  ls -l /etc/alternatives/libnssckbi.so
Line 42: Line 51:
=HOWTO: Reset the standard F19 SSC setup=
=HOWTO: Reset the standard F19 SSC setup=
If for some reason, you want to completely reset the alternative modules to the original state, use the following series of commands:
If for some reason, you want to completely reset the alternative modules to the original state, use the following series of commands:
# on a 32 bit / i386 / i686 system:
  /usr/sbin/update-alternatives --remove libnssckbi.so /usr/lib/pkcs11/p11-kit-trust.so
  /usr/sbin/update-alternatives --remove libnssckbi.so /usr/lib/pkcs11/p11-kit-trust.so
  /usr/sbin/update-alternatives --remove libnssckbi.so /usr/lib/nss/libnssckbi.so
  /usr/sbin/update-alternatives --remove libnssckbi.so /usr/lib/nss/libnssckbi.so
  /usr/sbin/update-alternatives --install /usr/lib/libnssckbi.so libnssckbi.so /usr/lib/nss/libnssckbi.so 10
  /usr/sbin/update-alternatives --install /usr/lib/libnssckbi.so libnssckbi.so /usr/lib/nss/libnssckbi.so 10
  /usr/sbin/update-alternatives --install /usr/lib/libnssckbi.so libnssckbi.so /usr/lib/pkcs11/p11-kit-trust.so 30
  /usr/sbin/update-alternatives --install /usr/lib/libnssckbi.so libnssckbi.so /usr/lib/pkcs11/p11-kit-trust.so 30
  ls -l /etc/alternatives/libnssckbi.so
 
# on a 64 bit system:
/usr/sbin/update-alternatives --remove libnssckbi.so.x86_64 /usr/lib64/pkcs11/p11-kit-trust.so
/usr/sbin/update-alternatives --remove libnssckbi.so.x86_64 /usr/lib64/nss/libnssckbi.so
/usr/sbin/update-alternatives --install /usr/lib64/libnssckbi.so libnssckbi.so.x86_64 /usr/lib64/nss/libnssckbi.so 10
/usr/sbin/update-alternatives --install /usr/lib64/libnssckbi.so libnssckbi.so.x86_64 /usr/lib64/pkcs11/p11-kit-trust.so 30
 
# on all systems:
  ls -l /etc/alternatives/libnssckbi.so*
and the link should point to the p11-kit module.
and the link should point to the p11-kit module.

Revision as of 17:56, 27 March 2013

This page is related to the Shared System Certificates (SSC) feature.

Known issues and workarounds are posted here.

32-bit systems: Firefox prints warnings

On a 32 bit / i686 system, Firefox might print the following messages on the console:

p11-kit: 'timet >= 0' not true at when_and_offset_to_time_t
p11-kit: 'timet >= 0' not true at calc_date

These messages are safe to ignore. The issues is tracked in https://bugs.freedesktop.org/show_bug.cgi?id=62825 and will be fixed.

32-bit systems: Firefox crashes

Firefox 32bit on Fedora seems unstable, and crashes frequently when visiting web pages that make use of JavaScript. The crashes are believed to be unrelated to the SSC feature.

p11-kit reporting duplicate certificate

You might see the following warning messages:

p11-kit: duplicate 'StartCom Certification Authority' certificate found in: ca-bundle.trust.crt
p11-kit: duplicate 'Class 3 Public Primary Certification Authority' certificate found in: ca-bundle.trust.crt

These are safe to ignore. The issue has been fixed in package ca-certificates-2012.87-10.0

HOWTO: Confirm that SSC is being used

This command tells you which module is in use:

ls -l /etc/alternatives/libnssckbi.so*

It will either report /usr/lib(64)/nss/libnssckbi.so (NSS), or it will report /usr/lib(64)/pkcs11/p11-kit-trust.so (p11-kit).

On a standard F19 system, it should report: p11-kit

HOWO: Test Firefox _without_ the new SSC feature

If you are triaging an issue, and you would like to test the behaviour of an NSS application (e.g. Firefox) using the classic module provided by NSS, use the following command to switch to the NSS module:

# on a 32 bit / i386 / i686 system:
/usr/sbin/update-alternatives --remove libnssckbi.so /usr/lib/pkcs11/p11-kit-trust.so
# on a 64 bit system:
/usr/sbin/update-alternatives --remove libnssckbi.so.x86_64 /usr/lib64/pkcs11/p11-kit-trust.so

After above command, use

ls -l /etc/alternatives/libnssckbi.so*

and the link should point to the NSS module.

Once you're ready to again activate the new p11-kit module, use:

# on a 32 bit / i386 / i686 system:
/usr/sbin/update-alternatives --install /usr/lib/libnssckbi.so libnssckbi.so /usr/lib/pkcs11/p11-kit-trust.so 30
# on a 64 bit system:
/usr/sbin/update-alternatives --install /usr/lib64/libnssckbi.so libnssckbi.so.x86_64 /usr/lib64/pkcs11/p11-kit-trust.so 30

then use

ls -l /etc/alternatives/libnssckbi.so

and the link should point to the p11-kit module.

HOWTO: Reset the standard F19 SSC setup

If for some reason, you want to completely reset the alternative modules to the original state, use the following series of commands:

# on a 32 bit / i386 / i686 system:
/usr/sbin/update-alternatives --remove libnssckbi.so /usr/lib/pkcs11/p11-kit-trust.so
/usr/sbin/update-alternatives --remove libnssckbi.so /usr/lib/nss/libnssckbi.so
/usr/sbin/update-alternatives --install /usr/lib/libnssckbi.so libnssckbi.so /usr/lib/nss/libnssckbi.so 10
/usr/sbin/update-alternatives --install /usr/lib/libnssckbi.so libnssckbi.so /usr/lib/pkcs11/p11-kit-trust.so 30
# on a 64 bit system:
/usr/sbin/update-alternatives --remove libnssckbi.so.x86_64 /usr/lib64/pkcs11/p11-kit-trust.so
/usr/sbin/update-alternatives --remove libnssckbi.so.x86_64 /usr/lib64/nss/libnssckbi.so
/usr/sbin/update-alternatives --install /usr/lib64/libnssckbi.so libnssckbi.so.x86_64 /usr/lib64/nss/libnssckbi.so 10
/usr/sbin/update-alternatives --install /usr/lib64/libnssckbi.so libnssckbi.so.x86_64 /usr/lib64/pkcs11/p11-kit-trust.so 30
# on all systems:
ls -l /etc/alternatives/libnssckbi.so*

and the link should point to the p11-kit module.