I am new to SSL programming: currently trying to "play" with it... :-)
I'm having some problems with compiling the sample client-server
source code given on the Mozilla/NSS official site.
I went through the code but found that it has been written using the
NSPR source files. I had both the NSS+NSPR source package and
the binaries of the same. To make things "idiot-proof", I put all
the .C/.CPP/.hs in a single large include folder and then included
it. I also included the libs, dlls & chks contained in the lib folder
of the NSS binaries package. I finally ended up with some 40+ linker
errors in the client_test.obj, server_test.obj & sslsamples.obj
files. This makes me suspect that I've not/erroneously included some
of the files necessary for compilation...
Could you please tell me which files are required for the proper
compilation of the project?
Also, if you could tell me which files are required to be included for
developing SSL applications (since before initializing NSS, NSPR has to
be initialized...), I'll be extremely glad.
Another thing which I wanted to enquire was that some of the files
were .C while others were .CPP so what should I compile the source as:
as C code or as CPP code?
ps: I'm using VC++ 2005 express edition.
Warm Regards,
D3|\||\|!$
You should compile the source as C code.
NSPR and NSS use GNU makefiles.  The build instructions
for NSS (including building NSPR) are at
http://www.mozilla.org/projects/security/pki/nss/nss-3.11.4/nss-3.11.4-build.html.
The most difficult part is to install the prerequisite GNU make and
Unix utilities on your Windows machine.  Fortunately Ben Smedberg's
"MozillaBuild" package makes this real easy:
http://developer.mozilla.org/en/docs/Windows_Build_Prerequisites#MozillaBuild
So install MozillaBuild and run the start-msvc8.bat batch file.
It'll start up a command shell running "bash".  In bash, the
command to set an environment variable "FOO" to 1 is
export FOO=1
There is an alternative: use our binary distributions:
https://ftp.mozilla.org/pub/mozilla.org/nspr/releases/v4.6.4/msvc6.0/WIN954.0_OPT.OBJ/nspr-4.6.4.zip
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_11_4_RTM/msvc6.0/WIN954.0_OPT.OBJ/nss-3.11.4.zip
They were built using VC++ 6.0, but should work with VC++ 2005.
Even if you don't use the binary distributions, they still provide
a piece of useful information -- they only include the headers
and libraries that you need to develop an SSL app with NSS/NSPR.
You can also get this info from the build tree.
NSPR headers you need are in mozilla/dist/WIN954.0_OPT.OBJ/include,
except all the headers in mozilla/dist/WIN954.0_OPT.OBJ/include/md and
the header mozilla/dist/WIN954.0_OPT.OBJ/include/private/primpl.h.
NSS headers you need are in mozilla/dist/public/nss
The libraries you need:
Import libraries: nspr4.lib, plc4.lib, plds4.lib, nss3.lib, smime3.lib, ssl3.lib
DLLs: nspr4.dll, plc4.dll, plds4.dll, nss3.dll, softokn3.dll,
softokn3.chk, freebl3.dll, freebl3.chk, smime3.dll, ssl3.dll
Note: the binary data files softokn3.chk and freebl3.chk are
needed for using NSS in the FIPS mode.
Wan-Teh
First off, thanks for posting all that info Wan-Teh.  I look forward to 
being able to build NSS/NSPR on windows.
I downloaded MozillaBuildSetup-1.1.exe and the disc images for Visual 
C++ 2005 Express Edition and the Windows Platform SDK, *then* I scrolled 
up and saw the compatibility chart.  The chart doesn't mention NSS 
versions so will I be able to compile NSS 3.11 using VC8 or do I need an 
older version?
Thanks,
Dave
I gather you're trying to build the code as an MSVC "project", rather
than using the makefiles that come with NSPR.  We don't support that.
Once built, the NSPR headers and shared libraries can be used in other
MSVC projects, but I advise against trying to build NSPR itself as an
MSVC project.
> Another thing which I wanted to enquire was that some of the files
> were .C while others were .CPP so what should I compile the source as:
> as C code or as CPP code?
There are "dead" source files in NSS and NSPR, files that don't actually
get built.  When I build NSPR on windows, no .cpp files get built, so I
gather they're dead.
> ps: I'm using VC++ 2005 express edition.
Me too.
-- 
Nelson B
NSS builds with MSVC 5, 6, 7, 8, and "Express 2005" (which is a subset of
MSVC 8).  If you use MSVC8 or Express 2005, I strongly recommend that you
get and use Service Pack 1 for it.  (Other service packs are recommended
for the older versions, too.  I don't have that information handy just now.)
-- 
Nelson B
One snag that had me scratching my head was the make command.
Wan-Teh links to
http://www.mozilla.org/projects/security/pki/nss/nss-3.11.4/nss-3.11.4-build.html
whose last step says to run "gmake nss_build_all". gmake is not
present in the environment but using just "make" works fine.
I actually grabbed a build of the netscape wintools first and popped 
gmake into the bin folder and it started but I hit an error with CL very 
early on....so this is just a heads up for anyone else out there.
I grabbed the newer Platform SDK from 
http://www.microsoft.com/downloads/info.aspx?na=40&p=4&SrcDisplayLang=en&SrcCategoryId=&SrcFamilyId=a55b6b43-e24f-4ea3-a93e-40c0ec4f68e5&u=http%3a%2f%2fwww.microsoft.com%2fdownloads%2fdetails.aspx%3fFamilyId%3dE15438AC-60BE-41BD-AA14-7F1E0F19CA0D%26displaylang%3den
Dave
That page is a Mozilla (Firefox) build page, which is why the compatibility
chart on it doesn't mention NSS.  NSS doesn't have C++ code, therefore
we're much less sensitive to compiler versions.
Regarding gmake vs. make: what we intend to convey is that you need
to use GNU make if the system has both the traditional Unix make and
GNU make installed.  It is better to make gmake a copy or symbolic
link of make, because the NSS test scripts assume that the name
of GNU make is "gmake".  You'll run into this issue if you run the
NSS test suite.  If you only need to build NSS, you can use 'make'
instead of 'gmake' in the build instructions.
Wan-Teh
On some systems there are two (or more) separate make programs.
The GNU version is named gmake, and some other version is named make.
On other systems, there is only GNU make and it is named make, not gmake.
On those systems, I recommend that you create a copy (or link or symlink)
of make, named gmake, so that gmake commands will work on those systems,
and will just invoke make.  This will save you a lot of headache over time.
-- 
Nelson B
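
Added example, not part of the original posts: the gmake alias that both replies above recommend, written as a bash function for the MozillaBuild shell. The names ensure_gmake and make_stub, their arguments and the stub make are assumptions made for illustration; the function refuses to create the alias when the given make is not GNU make.

```bash
#!/usr/bin/env bash
# Added example: function names, arguments and the stub are illustrative.

# ensure_gmake MAKE_PATH BIN_DIR   (MAKE_PATH should be an absolute path)
# Creates BIN_DIR/gmake as an alias for MAKE_PATH, but only when MAKE_PATH
# really is GNU make. Prints exists, linked, copied or not-gnu.
ensure_gmake() (
    make_path=$1
    bin_dir=$2
    if [ -e "$bin_dir/gmake" ]; then
        echo "exists"
        exit 0
    fi
    # GNU make names itself on the first line of its --version output;
    # a traditional Unix make rejects the option or prints something else.
    if ! "$make_path" --version 2>/dev/null | head -n 1 | grep -q '^GNU Make'; then
        echo "not-gnu"
        exit 1
    fi
    # Prefer a symlink; fall back to a copy where symlinks are unavailable.
    if ln -s "$make_path" "$bin_dir/gmake" 2>/dev/null; then
        echo "linked"
    else
        cp "$make_path" "$bin_dir/gmake" && echo "copied"
    fi
)

# make_stub PATH FIRST_LINE: constructed stand-in for a make binary whose
# --version output starts with FIRST_LINE, so the example runs offline.
make_stub() {
    printf '#!/bin/sh\necho "%s"\n' "$2" > "$1"
    chmod +x "$1"
}

# Usage: ./ensure_gmake.sh /absolute/path/to/make /directory/on/PATH
if [ "$#" -eq 2 ]; then
    ensure_gmake "$1" "$2"
fi
```
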
Now that the client has been compiled, I'm running into problems with
passing the hostname to the client.exe. Please tell me the exact
format for passing the hostname, as whatever hostname I'm passing
is not being accepted by the client. I want to test the client-server:
so how do I pass the hostname?
Also, I found that the dlls which are given in the NSS/NSPR packages
are not sufficient: while running the client-server or the other exes
given in the NSS/lib folder, it first crashes asking for files such as
libplc4.dll, libnspr4.dll and libplds4.dll. I was initially bewildered
but then I just pasted renamed copies of the dlls with similar
names (such as my renaming nspr4.dll to libnspr.dll) along with the
original ones and the applications executed seamlessly... Can anyone
explain the reason for this?
Warm Regards,
D3|\||\|!$
According to the usage message of client.exe:
http://lxr.mozilla.org/security/source/security/nss/cmd/SSLsample/client.c#79
you should pass the host name as the last command-line argument.
The hostname can be either a DNS name or an IP address.   But
you also need to specify the port number using the -p option, e.g.,
-p 443 or -p 8443.  Otherwise you'll get the usage message.
By the way, you should use selfserv as the sample server and tstclnt or
strsclnt as the sample client because the code in SSLsample is
a little out of date.
> Also, I found that the dlls which are given in the NSS/NSPR packages
> are not sufficient: while running the client-server or the other exes
> given in the NSS/lib folder, it first crashes asking for files such as
> libplc4.dll, libnspr4.dll and libplds4.dll. I was initially bewildered
> but then I just pasted renamed copies of the dlls with similar
> names (such as my renaming nspr4.dll to libnspr.dll) along with the
> original ones and the applications executed seamlessly... Can anyone
> explain the reason for this?
This means you built NSS without setting the environment variable
OS_TARGET to WIN95.  If you use the MozillaBuild command shell
(which is "bash"), use this command:
export OS_TARGET=WIN95
You only need to set this environment when building NSS and NSPR.
When you build your own application, you don't need to set this
environment variable.
Wan-Teh
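
Added example, not part of the original posts: a bash check of a runtime directory against the DLL and .chk names listed earlier in the thread. It also flags lib-prefixed NSPR DLL names, which the reply above ties to a build made without OS_TARGET=WIN95. The function names and the sample directory layout are assumptions constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: file names are the ones listed in the thread; function
# names and the sample directory are illustrative.
NSPR_DLLS="nspr4.dll plc4.dll plds4.dll"
NSS_DLLS="nss3.dll softokn3.dll freebl3.dll smime3.dll ssl3.dll"
FIPS_CHKS="softokn3.chk freebl3.chk"

# check_nss_runtime DIR
# Prints one finding per line and returns non-zero if there are any.
check_nss_runtime() (
    dir=$1
    findings=0
    for f in $NSPR_DLLS; do
        if [ -f "$dir/$f" ]; then
            continue
        elif [ -f "$dir/lib$f" ]; then
            # lib-prefixed NSPR DLL: built without OS_TARGET=WIN95
            echo "PREFIXED lib$f"
        else
            echo "MISSING $f"
        fi
        findings=$((findings + 1))
    done
    for f in $NSS_DLLS; do
        [ -f "$dir/$f" ] || { echo "MISSING $f"; findings=$((findings + 1)); }
    done
    # The thread notes the .chk files are needed to use NSS in FIPS mode.
    for f in $FIPS_CHKS; do
        [ -f "$dir/$f" ] || { echo "NOFIPS $f"; findings=$((findings + 1)); }
    done
    [ "$findings" -eq 0 ]
)

# Constructed sample: an assumed layout with lib-prefixed NSPR DLLs and
# no .chk files. Prints the path of the temporary directory it creates.
make_sample_dir() (
    d=$(mktemp -d)
    for f in libnspr4.dll libplc4.dll libplds4.dll $NSS_DLLS; do
        : > "$d/$f"
    done
    echo "$d"
)

# Usage: ./check_nss_runtime.sh /path/to/runtime/dir
if [ "$#" -eq 1 ]; then
    check_nss_runtime "$1"
fi
```
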
But now I have problems with server authentication: I tried many hit-&-
trial approaches to obtain a successful connection but for one reason
or the other, the client is not recognising the issuer CA (self-signed
and added to the client DB with certutil -t "CTU, CTU, CTU") as
trusted.
I created three DB directories: one each for the client, the server &
the CA. The DBs, keys, and the certificate requests as well as the
finished certificates of each one were put into its respective
directory. Also, when I created the Self-signed CA certificate using
the -S argument with certutil.exe, it got added to the DB fine but was
not visible in its directory due to which I could not add it to the
client & the server databases. I fixed this problem by creating a
secondary CA cert from the Self signed "root" cert and adding it to
both the other databases...But again it could not recognize the CA
cert... :-((
Then I generated all the certs in a common directory. Again, no
success...
Kindly help.
Also please tell the importance of the -1234567 arguments in the
certutil tool.
Can I somehow add the root CA cert in the client-server DBs without
having to create the secondary CA cert??
Warm Regards,
D3|\||\|!$