NSS environment variables

Note

Note: NSS Environment Variables are subject to be changed and/or removed from NSS.

Run-Time Environment Variables

These environment variables affect the RUN TIME behavior of NSS shared libraries. There is a separate set of environment variables that affect how NSS is built, documented below.

Variable

Type

Description

Introduced in version

NSRANDCOUNT

Integer (byte count)

Sets the maximum number of bytes to read from the file named in the environment variable NSRANDFILE (see below).  Makes NSRANDFILE usable with /dev/urandom.

3.12.3

NSRANDFILE

String (file name)

Uses this file to seed the Pseudo Random Number Generator.

Before 3.0

NSS_ALLO W_WEAK_SIGNATURE_ALG

Boolean (any non-empty value to enable)

Enables the use of MD2 and MD4 inside signatures. This was allowed by default before NSS 3.12.3.

3.12.3

NSS _DEBUG_PKCS11_MODULE

String (module name)

Name the PKCS#11 module to be traced. mozilla _projects_nss_nss_tech _notes_nss_tech_note2

3.6

` NSS_DEFAULT_DB_TYPE`

String (“dbm”, “sql”, or “extern”)

Determines the default Database type to open if the app does not specify. NSS_Shared_D B

3.12

NSS_DIS ABLE_ARENA_FREE_LIST

String (any non-empty value)

Define this variable to get accurate leak allocation stacks when using leak reporting software. : ref:mozilla_projects_ nss_memory_allocation

3.4

NSS_DISABLE_UNLOAD

String (any non-empty value)

Disable unloading of dynamically loaded NSS shared libraries during shutdown. Necessary on some platforms to get correct function names when using leak reporting software.

3.11.8

NSS_ENABLE_AUDIT

Boolean (1 to enable)

Enable auditing of activities of the NSS cryptographic module in FIPS mode. Audit Data

3.11.2

NS S_ENABLE_PKIX_VERIFY

Boolean (any non-empty value to enable)

Use libPKIX, rather than the old cert library, to verify certificates.

3.12

NSS_FIPS

String (” fips”,”true”,”on”,”1”)

Will start NSS in FIPS mode.

3.12.5

`` NSS_HASH_ALG_SUPPORT``

String

Specifies agorithms allowed to be used in certain applications, such as in signatures on certificates and CRLs. See documentation at this link.

3.12.3

NSS_OUTPUT_FILE

String (filename)

Output file path name for the mozilla_ projects_nss_nss_tech_ notes_nss_tech_note2. Default is stdout.

3.7

NSS_SDB_USE_CACHE

String (“no”,”yes”,”auto”)

Controls whether NSS uses a local cache of SQL database contents. Default is “auto”. See the source for more information.

3.12

NS S_SSL_CBC_RANDOM_IV

String (“0”, “1”)

Controls the workaround for the BEAST attack on SSL 3.0 and TLS 1.0. “0” disables it, “1” enables it. It is also known as 1/n-1 record splitting. Default is “1”.

NSS_SSL_ ENABLE_RENEGOTIATION

String ([0|n|N], [1|u|U], [2|r|R], [3|t|T])

(Definition for NSS 3.12.6 and above) Sets how TLS renegotiation is handled

  • [1|u|U]: SSL_RE

NEGOTIATE_UNRESTRICTED

Server and client are allowed to renegotiate without any restrictions.
This setting was the default prior 3.12.5 and makes products vulnerable.
  • [0|n|N]:

SSL_RENEGOTIATE_NEVER

Never allow renegotiation - That was the default for 3.12.5 release.

  • [3|t|T]: SSL_RE

NEGOTIATE_TRANSITIONAL

Disallows unsafe renegotiation in server sockets only, but allows clients to continue to renegotiate with vulnerable servers. This value should only be used during the transition period when few servers have been upgraded.

  • [2|r|R]: SSL_RE

NEGOTIATE_REQUIRES_XTN

(default)

Only allows renegotiation if the peer’s hello bears the TLS renegotiation_info extension.
This is the safe renegotiation.

3.12.5 Modified in 3.12.6

NSS_SSL_REQU IRE_SAFE_NEGOTIATION

Boolean (1 to enable)

It controls whether safe renegotiation indication is required for initial handshake. In other words a connection will be dropped at initial handshake if a server or client do not support safe renegotiation. The default setting for this option is FALSE.

3.12.5

NSS_SSL_SERVER _CACHE_MUTEX_TIMEOUT

Integer (seconds)

Timeout time to detect dead or hung process in multi-process SSL server. Default is 30 seconds.

3.4

NSS_STRICT_NOFORK

String (“1”, “DISABLED”, or any other non-empty value)

It is an error to try to use a PKCS#11 crypto module in a process before it has been initialized in that process, even if the module was initialized in the parent process. Beginning in NSS 3.12.3, Softoken will detect this error. This environment variable controls Softoken’s response to that error.

  • If set to “1” or unset, Softoken will trigger an assertion failure in debug builds, and will report an error in non-DEBUG builds.

  • If set  to “DISABLED”, Softoken will ignore forks, and behave as it did in older versions.

  • If set to any other non-empty value, Softoken will report an error in both DEBUG and non-DEBUG builds.

3.12.3

` NSS_STRICT_SHUTDOWN`

String (any non-empty value)

will trigger an assertion failure in debug builds when a program tries to shutdown NSS before freeing all the resources it acquired from NSS while NSS was initialized.

3.5

NSS_TRACE_OCSP

Boolean (any value to enable)

Enables OCSP tracing. The trace information is written to the file pointed by NSPR_LOG_FILE (default stderr). See NSS trac ing

3.12

NSS_USE_ DECODED_CKA_EC_POINT

Boolean (any value to enable)

Tells NSS to send EC key points across the PKCS#11 interface in the non-standard unencoded format that was used by default before NSS 3.12.3.

3.12.3

NSS_US E_SHEXP_IN_CERT_NAME

Boolean (any value to enable)

Tells NSS to allow shell-style wildcard patterns in certificates to match SSL server host names. This behavior was the default before NSS 3.12.3.

3.12.3

PKIX_OBJECT_LEA K_TEST_ABORT_ON_LEAK

String (any non-empty value)

Debug variable for PKIX leak checking. Note: The code must be built with PKIX_OBJECT_LEAK_TEST defined to use this functionality.

3.12

SOCKETTRACE

Boolean (1 to enable)

Controls tracing of socket activity by libPKIX. Messages sent and received will be timestamped and dumped (to stdout) in standard hex-dump format.

3.12

SQLITE _FORCE_PROXY_LOCKING

Boolean (1 to enable)

1 means force always use proxy, 0 means never use proxy, NULL means use proxy for non-local files only.

3.12.6

SSLBYPASS

Boolean (1 to enable)

Uses PKCS#11 bypass for performance improvement. Do not set this variable if FIPS is enabled.

3.11

SSLDEBUG

Integer

Debug level Note: The code must be built with DEBUG defined to use this functionality.

Before 3.0

SSLDEBUGFILE

String (file name)

File where debug or trace information is written. If not set, the debug or trace information is written to stderr.

Note: SSLDEBUG or SSLTRACE have to be set to use this functionality.

3.12

SSLFORCELOCKS

Boolean (1 to enable)

Forces NSS to use locks for protection. Overrides the effect of SSL_NO_LOCKS (see ssl.h).

3.11

SSLKEYLOGFILE

String (file name)

Key log file. If set, NSS logs RSA pre-master secrets to this file. This allows packet sniffers to decrypt TLS connections. See mozilla_project s_nss_key_log_format.

3.12.6

SSLTRACE

Integer

Tracing level Note: The code must be built with TRACE defined to use this functionality.

Before 3.0

Build-Time Environment Variables

These environment variables affect the build (compilation) of NSS.

Note

Note: This section is a work in progress and is not yet complete.

Variable

Type

Description

Introduced in version

BUILD_OPT

Boolean (1 to enable)

Do an optimized (not DEBUG) build. Default is to do a DEBUG build.

Before 3.0

MOZ_DEBUG_SYMBOLS

Boolean (1 to enable)

Needed on Windows to build with versions of MSVC (such as VC8 and VC9) that do not understand /PDB:NONE

3.11

MOZ_DEBUG_FLAGS

String

When MOZ_DEBUG_SYMBOLS is set, you may use MOZ_DEBUG_FLAGS to specify alternative compiler flags to produce symbolic debugging information in a particular format.

3.12.8

NSDISTMODE

String

On operating systems other than Windows, this controls whether copies, absolute symlinks, or relative symlinks of the output files should be published to mozilla/dist. The possible values are:

  • copy: copies of files are published

  • absolute_symlink: symlinks whose targets are absolute pathnames are published

If not specified, default to relative symlinks (symlinks whose targets are relative pathnames). On Windows, copies of files are always published.

Before 3.0

NS_USE_GCC

Boolean (1 to enable)

On systems where GCC is not the default compiler, this tells NSS to build with gcc.

Before 3.0

`N SS_ALLOW_SSLKEYLOGFILE

org/nss/search?q=NSS_A LLOW_SSLKEYLOGFILE>`__

Boolean (1 to enable)

Enable NSS support in optimized builds for logging SSL/TLS key material to a logfile if the SSLKEYLOGFILE environment variable. As of NSS 3.24 this is disabled by default.

3.24

NSS_BUI LD_CONTINUE_ON_ERROR

Boolean (1 to enable)

Continue building NSS source directories when a build error occurs.

3.12.4

N SS_USE_SYSTEM_SQLITE

Boolean (1 to enable)

Use the system installed sqlite library instead of the in-tree version.

3.12.6

NSS_DISA BLE_ECC (deprecated)

Boolean (1 to disable)

Disable Elliptic Curve Cryptography features. As of NSS 3.16, ECC features are enabled by default. As of NSS 3.33 this variable has no effect.

3.16

NSS_ENA BLE_ECC (deprecated)

Boolean (1 to enable)

Enable building of code that uses Elliptic Curve Cryptography. Unused as of NSS 3.16; see NSS_DISABLE_ECC.

Before 3.16; since 3.11.

`NSS_FOR CE_FIPS <https://dxr .mozilla.org/nss/searc h?q=NSS_FORCE_FIPS>`__

Boolean
(1 to enable)

Allows enabling FIPS mode using NSS_FIPS

3.24

OS_TARGET

String (target OS)

For cross-compilation environments only, when the target OS is not the default for the system on which the build is performed. Values understood: WIN95

Before 3.0

USE_64

Boolean (1 to enable)

On platforms that has separate 32-bit and 64-bit ABIs, NSS builds for the 32-bit ABI by default. This tells NSS to build for the 64-bit ABI.

Before 3.0

USE_DEBUG_RTL

Boolean (1 to enable)

On Windows, MSVC has options to build with a normal Run Time Library or a debug Run Time Library. This tells NSS to build with the Debug Run Time Library.

Before 3.0

USE_PTHREADS

Boolean (1 to enable)

On platforms where POSIX threads are available, but are not the OS’es preferred threads library, this tells NSS and NSPR to build using pthreads.

Before 3.0

`` NSS_NO_PKCS11_BYPASS``

String (1 to enable)

Disables at compile-time the NS ssl code to bypass the pkcs11 layer. When set the SSLBYPASS run-time variable won’t take effect

Before 3.15