On 12/04/2014 02:00 PM, David Woodhouse wrote:
> On Thu, 2014-12-04 at 10:33 -0800, Robert Relyea wrote:
>>> That one. libnssckbi.so is what provides the default trust roots. It's
>>> *always* supposed to be loaded in an NSS system. You shouldn't need to
>>> add it manually. I don't.
>> Huh? That is not true. libnssckbi.so is loaded by nssysinit, or by the
>> application or by someone explicitly loading it into the
>> pkcs11.txt/secmod.db. It is not loaded automatically by every NSS
>> application.
> OK... but applications such as Firefox which actually want trust to work
> should be loading it, right?

Firefox loads libnssckbi.so only if no other 'Root Certs Module' has been loaded. The p11-kit module is a Root Certs Module, so if it's been loaded, then libnssckbi.so isn't.

> Yes, there are some applications which use NSS only for private crypto
> purposes and don't need the trust roots, but Patrik seemed to be
> suggesting that in RHEL, even Firefox wasn't loading libnssckbi.so until
> he manually added it to pkcs11.txt/secmod.db.

>> I believe the p11-kit does some magic to get it loaded for Mozilla and
>> the root store. Kai worked with Stef to get that working. Kai, do you
>> recall how that hooks in?
> I thought we really were just replacing libnssckbi.so with our own.
> Which is fine as long as it's actually being loaded.

Sort of. It's not the same name, it's a different module, but it has the same attributes.

bob




-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
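
The loading rule discussed in this thread, as an added example that is not part of the original messages and is not NSS or Firefox code: it parses pkcs11.txt content and reports whether a root-certificate module is explicitly configured, or whether the application (or nssysinit) would have to load libnssckbi.so itself. Assumptions: the file name `p11-kit-trust.so` for the p11-kit module, matching modules by library file name (NSS decides at runtime from what the loaded module exposes), and the constructed sample contents.

```python
import os
import re

# Library base names treated as root-certificate modules. libnssckbi.so is
# named in the thread; p11-kit-trust.so is an assumed file name for the
# p11-kit module. Matching by file name is a simplification of what NSS does.
ROOT_LIBS = {"libnssckbi.so", "p11-kit-trust.so"}

def parse_pkcs11_txt(text):
    """Split pkcs11.txt content into blank-line separated key=value stanzas."""
    stanzas = []
    for block in re.split(r"\n\s*\n", text.strip()):
        stanza = {}
        for line in block.splitlines():
            key, sep, value = line.partition("=")
            if sep:  # ignore lines that are not key=value
                stanza[key.strip().lower()] = value.strip()
        if stanza:
            stanzas.append(stanza)
    return stanzas

def configured_root_modules(text):
    """Return (name, library) for each stanza whose library is a roots module."""
    return [(s.get("name", "?"), s["library"])
            for s in parse_pkcs11_txt(text)
            if os.path.basename(s.get("library", "")) in ROOT_LIBS]

def app_fallback_needed(text):
    """True when no roots module is configured, so trust only works if the
    application or nssysinit loads one itself (the case raised in the thread)."""
    return not configured_root_modules(text)

# Constructed sample databases, not taken from a real system.
SAMPLE_NO_ROOTS = """library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix=''
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100
"""
SAMPLE_WITH_ROOTS = SAMPLE_NO_ROOTS + """
library=/usr/lib64/libnssckbi.so
name=Root Certs
NSS=trustOrder=100
"""

if __name__ == "__main__":
    for label, db in (("no roots", SAMPLE_NO_ROOTS), ("with roots", SAMPLE_WITH_ROOTS)):
        print(label, configured_root_modules(db), "fallback:", app_fallback_needed(db))
```

An empty result does not prove the trust roots are missing at runtime, because the application may still load the module on its own, as the thread describes for Firefox.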
