Ashok Subash wrote:
> Firefox 3.6

:( Beware that you will not get any more security updates for the Firefox 3.6 
codebase from Mozilla soon. (We are still sometimes finding security bugs in 
Firefox 3.6 that won't ever be fixed in 3.6.x, only in Firefox 12+).

> Currently due to footprint issue we want to remove NSS from the
> build and integrate a 3rd party ssl library (optimized for this
> embedded platform) for browsing "https" sites.

Have you tried reducing the size of NSS by using a custom build of NSS? See bug 
611781. By working on bug 611781 and the bugs blocking it, and cutting out some 
Firefox features (e.g. certificate import/export and other features that depend 
on libsmime, ECC support), you could probably reduce the amount of NSS needed 
for a working Firefox by 50% or so, with very few code changes to NSS or to 
Gecko.

Try this experiment: On Windows, remove the calls to CERT_PKIXVerifyCert in 
Gecko so that GetIsExtendedValidation always returns false (i.e. disable the EV 
UI in Gecko), remove as many entries in lib/nss/nss.def as possible, so that 
its export list matches the imports from Firefox (especially remove 
CERT_PKIXVerifyCert, and use dumpbin /imports on the Firefox DLLs to find out 
which other NSS functions they use), remove the features that require "#include 
smime", stop linking to libsmime, and build NSS with link-time optimization (as 
explained in one of my comments in bug 611781). Just these simple changes will 
reduce the size of NSS required by Gecko substantially. (I am sure there is a 
way of doing this experiment on Linux, but I don't know how).

With another round of changes, I think NSS could become somewhat reasonably 
sized. And, this is all work that Mozilla would be very supportive of.

Assuming your platform is Linux-based and you are using openssl, I would 
consider replacing your other crypto library (openssl?) with NSS, and remove 
the dependency on openssl. Red Hat has done a lot of work to make this possible 
for most important Linux applications.

Doing all of the above may help you meet your size targets.

> As I understand we need to replace NSS interfaces used for SSL from
> PSM (Platform Security Manager) with SSL interfaces of 3rd party
> library.

I joined Mozilla at the end of the Firefox 4.0 work, so I know almost nothing 
about Gecko 1.9.x. I would think that you would have an easier time embedding 
later versions of Firefox, since they are better designed for embedding 
(because of our mobile versions of Firefox).

> PSM related documentation is pretty outdated in my opinion. Any
> pointers to how to approach this problem and road blocks I'll face
> will be of immense help.

Especially very recently, Firefox is pretty tightly tied to NSS and probably 
becoming increasingly tied to it. I won't help people work on replacing NSS on 
Firefox 3.6 for a secret (NDA'd) project. But, I am more than eager to help 
with work that would also benefit modern Firefox.

- Brian
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
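
The export-trimming step of the experiment described in the message above, as an added example that is not part of the original message or of NSS or Firefox code: it compares the names exported by a .def file with the names the application DLLs import, and lists the entries nothing imports. The two sample inputs are constructed in the usual layout of an NSS .def file and of `dumpbin /imports` output, and the function names `def_exports`, `dll_imports` and `unused_exports` are hypothetical.

```python
import re

# Constructed sample in the layout of an NSS .def file (not the real nss.def).
SAMPLE_DEF = """\
;+NSS_3.2 {
LIBRARY nss3 ;-
EXPORTS ;-
CERT_DestroyCertificate;
CERT_PKIXVerifyCert;
CERT_CertificateTemplate DATA ;
NSS_Init;
;+};
"""

# Constructed sample in the layout of `dumpbin /imports` output.
SAMPLE_DUMPBIN = """\
Dump of file xul.dll
    nss3.dll
              10A2B000 Import Address Table

                   3F CERT_DestroyCertificate
                  1A2 NSS_Init
    KERNEL32.dll
                  2B1 GetLastError
"""

EXPORT_RE = re.compile(r"^([A-Za-z_]\w*)(?:\s+DATA)?\s*;$")
DLL_RE = re.compile(r"^\s+(\S+\.dll)$", re.IGNORECASE)
IMPORT_RE = re.compile(r"^\s+[0-9A-Fa-f]+\s+([A-Za-z_]\w*)$")

def def_exports(text):
    """Exported names; ';+' linker-script lines and LIBRARY/EXPORTS are skipped."""
    return {m.group(1) for line in text.splitlines()
            if (m := EXPORT_RE.match(line.strip()))}

def dll_imports(dumps, dll):
    """Names imported by name from `dll` across several dumpbin outputs."""
    found = set()
    for dump in dumps:
        current = None  # DLL whose import table is currently being listed
        for line in dump.splitlines():
            if m := DLL_RE.match(line.rstrip()):
                current = m.group(1).lower()
            elif current == dll.lower() and (m := IMPORT_RE.match(line.rstrip())):
                found.add(m.group(1))
    return found

def unused_exports(def_text, dumps, dll="nss3.dll"):
    """Entries in the .def file that no inspected binary imports by name."""
    return sorted(def_exports(def_text) - dll_imports(dumps, dll))
```

Pass the dumpbin output of every binary that stays in the build, including the remaining NSS DLLs that import from nss3.dll. Symbols looked up at run time do not appear in import tables, so an entry reported as unused still needs a check before it is removed.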
