New NSS feature in Glibc's libcrypt

Robert Connolly robert at linuxfromscratch.org
Wed Dec 30 15:57:16 PST 2009


Glibc-2.11's libcrypt has a new optional dependency on Network Security 
Services (NSS) from Mozilla. If NSS is installed, the option in Glibc 
is --enable-nss-crypt. There is a description under the heading "Use NSS in 
libcrypt" at:
http://udrepper.livejournal.com/20948.html

This is pretty much what I wanted from OpenSSL's libcrypto.

When this feature is enabled, libcrypt is linked to libfreebl3, and will use 
the md5/sha* library functions from libfreebl3, which would otherwise be 
built into a standalone libcrypt.

The idea is that all packages get their crypto and hash functions from the 
same trusted place (OpenSSL will remain an exception). So trust, and 
vulnerabilities, are centralized and easier to maintain (and in Red Hat's 
case, to certify).

This feature is transparent to package maintainers and system administrators. 
Packages can continue to use libcrypt just like before.

robert
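
A check for the linkage described in the message above, added here as an example that is not part of the original post or of Glibc: it reads `readelf -d` output and reports whether a libcrypt build lists libfreebl3 as a needed library. The function names are hypothetical, the sample `readelf` lines are constructed, and the needed-library name `libfreebl3.so` is an assumption based on the library named in the message.

```shell
#!/bin/sh
# Added example: classify a libcrypt build from `readelf -d` output.

# Read `readelf -d` text on stdin. Print "nss" when libfreebl3 appears as a
# DT_NEEDED entry (hashes come from NSS), otherwise "builtin".
# Only NEEDED lines count, so a SONAME that mentions libfreebl3 is ignored.
crypt_backend() {
    awk '
        index($0, "(NEEDED)") && index($0, "[libfreebl3.so") { found = 1 }
        END { print (found ? "nss" : "builtin") }
    '
}

# Hypothetical wrapper for a live system: pass the path to libcrypt.
check_libcrypt() {
    readelf -d "$1" | crypt_backend
}

# Constructed sample: dynamic section of a libcrypt built with
# --enable-nss-crypt (assumed layout, not captured from a real system).
sample_nss() {
    cat <<'EOF'
 0x0000000000000001 (NEEDED)             Shared library: [libfreebl3.so]
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libcrypt.so.1]
EOF
}

# Constructed sample: standalone libcrypt with the hash code built in.
sample_builtin() {
    cat <<'EOF'
 0x0000000000000001 (NEEDED)             Shared library: [libc.so.6]
 0x000000000000000e (SONAME)             Library soname: [libcrypt.so.1]
EOF
}

if [ "$#" -gt 0 ]; then
    # Real use: ./script /path/to/libcrypt.so.1
    check_libcrypt "$1"
else
    echo "sample with NSS:    $(sample_nss | crypt_backend)"
    echo "sample without NSS: $(sample_builtin | crypt_backend)"
fi
```

On a system where the result is "nss", libfreebl3 belongs in the same patching and integrity-monitoring scope as libcrypt itself.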