Shared security Db in FF-3.5?


Andrei Korostelev

Jul 3, 2009, 4:43:51 AM
Hi all,

Does Firefox 3.5 already support multi-process shared security
database or is it still single-process?

Andrei

Nelson Bolyard

Jul 6, 2009, 1:22:09 AM
On 2009-07-03 01:43 PDT, Andrei Korostelev wrote:

> Does Firefox 3.5 already support multi-process shared security
> database or is it still single-process?

By default, it is still the old single-process cert8 and key3 DBs,
as before.

However, FF 3.5 has the code to support shared-access cert9 and key4 DBs,
based on sqlite3. You can force FF 3.5 to use that by setting an
environment variable.

> Is non-shared security Db still the case with upcoming Firefox 3.5?

The old non-shared security DBs are still the default in FF 3.5.

> Is SecurityDb in Firefox 3 multiuser?

Multi-user is a different matter than multi-process.
FF 3.5's new cert9 and key3 DB are multi-process capable,
but I would NOT describe them as multi-user.
They are a pair, and the private keys in the key DB are, of course,
private to each individual user. So, each user needs his/her own
key DB, and since they are a pair, this implies that each user needs
his/her own cert DB too. But with cert9.db, all that user's processes
can share a common pair of DBs.

Andrei Korostelev

Jul 6, 2009, 3:09:17 AM

Thank you. Are there plans to make this shared Db default, say, in FF
4?

Jean-Marc Desperrier

Jul 6, 2009, 5:17:42 AM
Nelson Bolyard wrote:
> By default, it is still the old single-process cert8 and key3 DBs,
> as before.
>
> However, FF 3.5 has the code to support shared-access cert9 and key4 DBs,
> based on sqlite3. You can force FF 3.5 to use that by setting an
> environment variable.

My understanding is that if you start FF *once* with the setting enabled
for the new db format, the base will be converted, and then it will use
the new format every time after that point, without any special setting.

Maybe even you could externally convert the base, and Fx will use the
new format the next time it starts?

An annoying limitation is that the certificate file *must* be in the
profile directory, there's no way to set an absolute path, so it's still
hard to use it as a multi-application db.


Nelson Bolyard

Jul 13, 2009, 10:48:10 PM
On 2009-07-06 02:17 PDT, Jean-Marc Desperrier wrote:
> Nelson Bolyard wrote:
>> By default, it is still the old single-process cert8 and key3 DBs,
>> as before.
>>
>> However, FF 3.5 has the code to support shared-access cert9 and key4 DBs,
>> based on sqlite3. You can force FF 3.5 to use that by setting an
>> environment variable.
>
> My understanding is that if you start FF *once* with the setting enabled
> for the new db format, the base will be converted, and then it will use
> the new format every time after that point, without any special setting.

That's how conversions were done in the past, but that's not how the
conversion in NSS 3.12 works. In NSS 3.12, you must tell NSS every time
it is initialized whether it is using old (Berkeley, default) or new
(Sqlite3) DBs. This may be done in any of (at least) 3 different ways,
including an environment variable, a directory name prefix, or a
programmatic function call (IIRC).

> Maybe even you could externally convert the base, and Fx will use the
> new format the next time it starts?

You could indeed do an external conversion. The certutil program will
happily do it. But you must still tell the programs to use the new DB,
or the programs will use the old one.

> An annoying limitation is that the certificate file *must* be in the
> profile directory, there's no way to set an absolute path, so it's still
> hard to use it as a multi-application db.

Hmm. I think that is a Firefox limitation, not an NSS limitation.
But I could be wrong about that.

Jean-Marc Desperrier

Jul 16, 2009, 4:00:37 AM
Nelson Bolyard wrote:
> [...] In NSS 3.12, you must tell NSS every time
> it is initialized whether it is using old (Berkeley, default) or new
> (Sqlite3) DBs. This may be done in any of (at least) 3 different ways,
> including an environment variable, a directory name prefix, or a
> programmatic function call (IIRC).

Oh, too bad. I think it would be better then if Firefox were to
programmatically set it to use sqlite3 when the sqlite3 file exists.

>> An annoying limitation is that the certificate file *must* be in the
>> profile directory, there's no way to set an absolute path, so it's still
>> hard to use it as a multi-application db.
> hmm. I think that is a Firefox limitation, not an NSS limitation.
> But I could be wrong about that.

Yes, it is a Firefox limitation. I think there's already a bug open
about that.

Wan-Teh Chang

Jul 16, 2009, 2:23:48 PM
to Andrei Korostelev, dev-se...@lists.mozilla.org
On Mon, Jul 6, 2009 at 12:09 AM, Andrei Korostelev <and...@korostelev.net> wrote:
>
> Thank you. Are there plans to make this shared Db default, say, in FF
> 4?

Yes, there are, and now is a good time in the Firefox
development cycle to start that work. But it seems that the
right people to do that are bogged down by their other
important work (such as FIPS validation).

The Linux version of the Chromium browser uses NSS and
is using the NSS shared databases. It creates them in
the ~/.pki/nssdb directory, following the NSS team's proposal
at https://wiki.mozilla.org/NSS_Shared_DB_And_LINUX

Wan-Teh

aero...@gmail.com

Jul 16, 2009, 4:46:42 PM
to Nelson Bolyard, dev-se...@lists.mozilla.org
On Sun, Jul 5, 2009 at 10:22 PM, Nelson Bolyard <NOnels...@nobolyardspam.me> wrote:
> However, FF 3.5 has the code to support shared-access cert9 and key4 DBs,
> based on sqlite3.  You can force FF 3.5 to use that by setting an
> environment variable.
>
>> Is non-shared security Db still the case with upcoming Firefox 3.5?
>
> The old non-shared security DBs are still the default in FF 3.5.

What is the environment variable?

Thanks,

-Kyle H

Wan-Teh Chang

Jul 16, 2009, 5:02:42 PM
to aero...@gmail.com, dev-se...@lists.mozilla.org, Nelson Bolyard
On Thu, Jul 16, 2009 at 1:46 PM, <aero...@gmail.com> wrote:
> What is the environment variable?

Set the environment variable NSS_DEFAULT_DB_TYPE to sql.

All environment variables used by NSS are documented at
https://developer.mozilla.org/en/NSS_reference/NSS_environment_variables

Wan-Teh
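
An added example, not part of the original thread and not NSS code: a shell sketch of the selection rule discussed above (NSS 3.12 uses the legacy DBs unless told otherwise each time it is initialized), reporting which DB pair a process would open for a profile directory and whether the other format is also on disk. The function names are hypothetical, only the `sql` and `dbm` types are modelled, and the precedence of a directory prefix over the environment variable is an assumption.

```shell
#!/bin/sh
# Added example: which NSS DB pair will a process open for a profile directory?
# Models only the "sql" and "dbm" types; function names are hypothetical.

# Print the DB type selected for a config directory argument.
# Assumption: a "sql:" or "dbm:" directory prefix decides; without one,
# NSS_DEFAULT_DB_TYPE decides; without that, the legacy dbm default applies.
nss_db_type() {
    case "$1" in
        sql:*) echo sql ;;
        dbm:*) echo dbm ;;
        *) if [ "${NSS_DEFAULT_DB_TYPE:-}" = sql ]; then echo sql; else echo dbm; fi ;;
    esac
}

# Succeed only if both files of a cert/key pair exist in directory $1.
has_pair() {
    if [ -f "$1/$2" ] && [ -f "$1/$3" ]; then return 0; fi
    return 1
}

# Report the selected type, whether its files exist, and whether the other
# format is also present (a copy this process will never read or update).
nss_db_report() {
    kind=$(nss_db_type "$1")
    dir=${1#sql:}; dir=${dir#dbm:}
    sql=no; dbm=no
    if has_pair "$dir" cert9.db key4.db; then sql=yes; fi
    if has_pair "$dir" cert8.db key3.db; then dbm=yes; fi
    if [ "$kind" = sql ]; then
        echo "type=sql present=$sql unused_dbm_copy=$dbm"
    else
        echo "type=dbm present=$dbm unused_sql_copy=$sql"
    fi
}

# Constructed sample: a profile converted externally, so both pairs exist.
demo=$(mktemp -d)
touch "$demo/cert8.db" "$demo/key3.db" "$demo/cert9.db" "$demo/key4.db"
unset NSS_DEFAULT_DB_TYPE
nss_db_report "$demo"            # nothing set: the old pair is still used
NSS_DEFAULT_DB_TYPE=sql
nss_db_report "$demo"            # environment variable selects the new pair
unset NSS_DEFAULT_DB_TYPE
nss_db_report "sql:$demo"        # directory prefix selects the new pair
rm -rf "$demo"
```

When both pairs are present, certificates or trust settings changed through one format are not visible to programs that open the other.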
