>> Yes, there are some applications which use NSS only for private crypto
>> purposes and don't need the trust roots, but Patrik seemed to be suggesting
>> that in RHEL, even Firefox wasn't loading libnssckbi.so until he manually
>> added it to pkcs11.txt/secmod.db.

Maybe I should have been clearer from the beginning, it was actually just pam_pkcs11 that didn't automatically pick up my CA, sorry if it got confusing.

/Patrik

From: David Woodhouse <dw...@infradead.org>
Sent: Dec 4, 2014 11:02 PM
To: Robert Relyea
Cc: dev-tech-crypto@lists.mozilla.org
Subject: Re: libnsssysinit

On Thu, 2014-12-04 at 10:33 -0800, Robert Relyea wrote:
> > That one. libnssckbi.so is what provides the default trust roots. It's
> > *always* supposed to be loaded in an NSS system. You shouldn't need to
> > add it manually. I don't.
> Huh? that is not true. libnssckbi.so is loaded by nssysinit, or by the
> application or by someone explicitly loading it into the
> pkcs11.txt/secmod.db. It is not loaded automatically by every nss
> application.

OK... but applications such as firefox which actually want trust to work
should be loading it, right?

Yes, there are some applications which use NSS only for private crypto
purposes and don't need the trust roots, but Patrik seemed to be suggesting
that in RHEL, even Firefox wasn't loading libnssckbi.so until he manually
added it to pkcs11.txt/secmod.db.

> I believe the p11-kit does some magic to get it loaded for mozilla and
> the root store. Kai worked with stef to get that working, kai do you
> recall how that hooks in?

I thought we really were just replacing libnssckbi.so with our own. Which
is fine as long as it's actually being loaded.

-- 
dwmw2
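
Added example, not part of the thread and not NSS code: a small checker that reads the text of a pkcs11.txt module database and reports whether a module whose library is libnssckbi.so has been registered explicitly. The stanza layout (key=value lines, stanzas separated by blank lines), the sample content, and the function names are assumptions made for illustration.

```python
import os

# Constructed sample of a pkcs11.txt; paths and module names are illustrative.
SAMPLE = """\
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/etc/pki/nssdb' certPrefix='' keyPrefix=''
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100

library=/usr/lib64/libnssckbi.so
name=Root Certs
NSS=trustOrder=100
"""

ROOTS_LIB = "libnssckbi.so"  # the trust-roots module discussed in the thread


def parse_modules(text):
    """Return one dict per stanza; keys are lower-cased (library, name, ...)."""
    modules, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                      # a blank line closes the stanza
            if current:
                modules.append(current)
                current = {}
            continue
        # Split on the first '=' only: values such as NSS=Flags=... contain more.
        key, sep, value = line.partition("=")
        if sep:
            current[key.strip().lower()] = value.strip()
    if current:                           # file may not end with a blank line
        modules.append(current)
    return modules


def roots_modules(text):
    """Names of registered modules whose library file is libnssckbi.so."""
    return [
        m.get("name", "")
        for m in parse_modules(text)
        if os.path.basename(m.get("library", "")) == ROOTS_LIB
    ]


if __name__ == "__main__":
    found = roots_modules(SAMPLE)
    print("trust-roots module registered:", found or "no")
```

An empty result only means the module is not listed in that database; as the thread notes, it may still be loaded by nsssysinit or by the application itself.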