
A general question about libnss3


Ruchi Lohani

Jul 18, 2008, 1:04:35 PM
to mozilla's crypto code discussion list

Hi,

Can anybody tell me something about the various nss packages that are there in Ubuntu (hardy).

I see libnss3-0d
      libnss3-1d
      libnss3-1d-dbg
      libnss3-dev
etc.

I have the following in my /usr/lib

lrwxrwxrwx 1 root root      13 2008-07-17 16:47 libnss3.so -> libnss3.so.1d
lrwxrwxrwx 1 root root      13 2008-07-17 16:47 libnss3.so.0d -> libnss3.so.1d
-rw-r--r-- 1 root root 1156684 2008-05-29 02:52 libnss3.so.1d
lrwxrwxrwx 1 root root      23 2008-07-07 16:00 libnss_compat.so -> /lib/libnss_compat.so.2
-rw-r--r-- 1 root root   18876 2008-01-18 03:44 libnss_db-2.2.3.so
lrwxrwxrwx 1 root root      14 2008-07-17 16:47 libnss_db.so -> libnss_db.so.2
lrwxrwxrwx 1 root root      18 2008-07-17 16:47 libnss_db.so.2 -> libnss_db-2.2.3.so
lrwxrwxrwx 1 root root      20 2008-07-07 16:00 libnss_dns.so -> /lib/libnss_dns.so.2
-rw-r--r-- 1 root root    8452 2007-05-18 05:57 libnss_extrausers.so.2
lrwxrwxrwx 1 root root      22 2008-07-07 16:00 libnss_files.so -> /lib/libnss_files.so.2
lrwxrwxrwx 1 root root      23 2008-07-07 16:00 libnss_hesiod.so -> /lib/libnss_hesiod.so.2
-rw-r--r-- 1 root root   33652 2008-02-01 21:08 libnss_ldap.so.2
lrwxrwxrwx 1 root root      24 2008-07-07 16:00 libnss_nisplus.so -> /lib/libnss_nisplus.so.2
lrwxrwxrwx 1 root root      20 2008-07-07 16:00 libnss_nis.so -> /lib/libnss_nis.so.2
lrwxrwxrwx 1 root root      17 2008-07-17 16:47 libnssutil3.so -> libnssutil3.so.1d
lrwxrwxrwx 1 root root      17 2008-07-17 16:47 libnssutil3.so.0d -> libnssutil3.so.1d

Whereas my other Linux box which has Suse 10 on it has only libnss3.so, libnspr4.so and all.

What are libnss3.so.[0d,1d] etc?

Thanks

Ruchi Lohani

Jul 18, 2008, 2:06:03 PM
to mozilla's crypto code discussion list
Hi,

It gives the version as NSS 3.12.0.2.

The problem I am facing is that when I build my program on Ubuntu, linking to
nss and nspr, it works fine on Ubuntu, but when I try to use the same
library built on Ubuntu on Suse it's unable to resolve the symbols, and I
get the following messages when I do 'ld' on the library.

ld: warning: libssl3.so.1d, needed by **** not found (try using -rpath or -rpath-link)
ld: warning: libnss3.so.1d, needed by **** not found (try using -rpath or -rpath-link)
ld: warning: libnspr4.so.0d, needed by **** not found (try using -rpath or -rpath-link)

and then the messages like
: undefined reference to `NSS_InitReadWrite@NSS_3.2'
: undefined reference to `CERT_GetDefaultCertDB@NSS_3.2'
: undefined reference to `SSL_ForceHandshake@NSS_3.2'
: undefined reference to `PR_Initialized'
: undefined reference to `SSL_OptionSet@NSS_3.2'

Thanks

-----Original Message-----
From: dev-tech-crypto-bounces+rlohani=adob...@lists.mozilla.org
[mailto:dev-tech-crypto-bounces+rlohani=adob...@lists.mozilla.org] On
Behalf Of Kai Engert
Sent: Friday, July 18, 2008 10:14 AM
To: mozilla's crypto code discussion list
Subject: Re: A general question about libnss3

I don't understand why Ubuntu uses versioning of the .so files, it
should not be necessary.
The newest NSS libs should work fine with software that expects the
older versions, because of NSS' promise that it should always be
possible to replace old binaries with newer NSS binaries.

Try to grep the .so files for string NSS, it should reveal the version
number strings.

strings libnss3.so | grep -w NSS

Kai

Justin Dolske

Jul 18, 2008, 3:03:35 PM
Kai Engert wrote:
> Ubuntu has apparently chosen to use non-standard library names,
> therefore you can't use your binary produced on Ubuntu on a system that
> uses standard library names.

Similar problems have bitten Labs' Weave extension. See bugs 442679,
442788, 442257.

Justin

Nelson B Bolyard

Jul 18, 2008, 3:37:41 PM
to mozilla's crypto code discussion list
Ruchi Lohani wrote, On 2008-07-18 11:06:

> It gives the version as NSS 3.12.0.2.
>
> The problem I am facing is when I build my program on ubuntu linking to
> nss and nspr it works fine on Ubuntu but when I try to use the same
> library built on Ubuntu on Suse its unable to resolve the symbols and I
> get the following messages
> When I do 'ld' on the library.
>
> ld: warning: libssl3.so.1d, needed by **** not found
> ld: warning: libnss3.so.1d, needed by **** not found
> ld: warning: libnspr4.so.0d, needed by **** not found
>
> and then the messages like
> : undefined reference to `NSS_InitReadWrite@NSS_3.2'
> : undefined reference to `CERT_GetDefaultCertDB@NSS_3.2'
> : undefined reference to `SSL_ForceHandshake@NSS_3.2'
> : undefined reference to `PR_Initialized'
> : undefined reference to `SSL_OptionSet@NSS_3.2'

The problems that you have observed and reported clearly indicate that
the NSS libraries you're using have been altered in ways that make them,
and programs linked with them, incompatible with NSS (and programs that
use it) on other platforms (other Linux distros).

When one sees changes of this magnitude, one wonders what other changes
have been made to NSS, and one recalls the utterly disastrous changes
that were made by tinkering with OpenSSL.

My advice is: don't use crypto libraries that have been altered from the
version that was QAed and released by the upstream team where the package
originates. Even if you have to build and distribute your own copy,
that's more advisable, in my opinion, than relying on a version with
alterations of unknown magnitude, and/or with dubious value. I intend
for that advice to apply to all crypto libraries, and not only to NSS.

Wan-Teh Chang

Jul 18, 2008, 1:24:02 PM
to mozilla's crypto code discussion list
NSS also stands for "Name Service Switch". Fortunately, our convention
of inserting the major version "3" in our shared library names avoids most
naming conflicts with Name Service Switch's libraries (and OpenSSL's
SSL library).

So you can eliminate anything that doesn't match the pattern lib*3.so*
from your list. We're now left with:

lrwxrwxrwx 1 root root 13 2008-07-17 16:47 libnss3.so -> libnss3.so.1d
lrwxrwxrwx 1 root root 13 2008-07-17 16:47 libnss3.so.0d -> libnss3.so.1d
-rw-r--r-- 1 root root 1156684 2008-05-29 02:52 libnss3.so.1d
lrwxrwxrwx 1 root root 17 2008-07-17 16:47 libnssutil3.so -> libnssutil3.so.1d
lrwxrwxrwx 1 root root 17 2008-07-17 16:47 libnssutil3.so.0d -> libnssutil3.so.1d

I don't know what "0d" and "1d" stand for, but many Unix platforms and Linux
have the convention of adding the major (and minor) version number as suffix
after the ".so". So "0d" and "1d" might mean some additional version numbers
that Ubuntu assigned to their NSS builds. But as you can see from the
directory listing, they set up symbolic links so that you can just use
libnss3.so and libnssutil3.so as you do on your SUSE box.

Finally, regarding the nss packages:

libnss3-0d
libnss3-1d
libnss3-1d-dbg
libnss3-dev

The libnss3-dev package is a developer package that gives you the header
files. It is equivalent to what's usually called an SDK.

The other packages, I guess, are the runtime packages that contain only
the .so's. I guess libnss3-1d-dbg is a debug build.

Wan-Teh

Ruchi Lohani

Jul 23, 2008, 8:30:34 PM
to mozilla's crypto code discussion list
Found this in Ubuntu bugs
https://bugs.launchpad.net/ubuntu/+source/libnss-db/+bug/238500

Even though there are symlinks for each library, the SONAME differs
for all on Ubuntu and any other Linux distribution. On Ubuntu

objdump -p /usr/lib/libnss3.so | grep SONAME

gives libnss3.so.1d, whereas on Suse (or probably many other Linux) it's
libnss3.so, so the problem that I face is obvious, though it works the
opposite way (building on Suse and running it on Ubuntu).

I don't know whom to blame :-) I guess probably not use Ubuntu for
building.

Thanks
Ruchi

_______________________________________________
dev-tech-crypto mailing list
dev-tec...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Wan-Teh Chang

Jul 23, 2008, 9:15:29 PM
to mozilla's crypto code discussion list
On Wed, Jul 23, 2008 at 5:30 PM, Ruchi Lohani <rlo...@adobe.com> wrote:
> Found this in Ubuntu bugs
> https://bugs.launchpad.net/ubuntu/+source/libnss-db/+bug/238500
>
> Even though there are symlinks for each library but the SONAME differs
> for all on Ubuntu and any other
> Linux distribution. On Ubuntu
> objdump -p /usr/lib/libnss3.so | grep SONAME
> gives libnss3.so.1d where as on Suse (or probably many other Linux) its
> libnss3.so, so the problem
> that I face is obvious, though it works the opposite way (Building on
> Suse and running it on Ubuntu).
>
> I don't know whom to blame :-) I guess probably not use ubuntu for
> building.

Re: the SONAME issue

NSS's SONAME naming convention is:

libfoo<major-version>.so

The standard SONAME naming convention on Solaris and Linux is:

libfoo.so.<major-version>

It is true that NSS's naming convention is nonstandard, but it is
essentially the same as the standard convention. For backward
compatibility we can't change our naming convention.

So, a SONAME like libnss3.so.1d is like:

libfoo<major-version>.so.<made-up-major-version>

The "1d" major version that they made up is extraneous.
It makes the SONAME comply with the standard naming
convention superficially, but doesn't accomplish anything else.
Moreover, it prevents people from using binaries embedded
with this SONAME on other Linux distributions.

Wan-Teh

(Note: Our naming convention was defined in 1997 or 1998. I didn't
know about the standard naming convention back then. Perhaps
I was ignorant, or perhaps the standard naming convention didn't
exist then.)
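
Added example, not part of the thread and not code from any poster: a check over the text printed by `objdump -p` (the command used above) that flags SONAME/NEEDED entries carrying the `<digits>d` suffix seen in this thread and shows the name without it. The function names, the suffix pattern (inferred from the library names quoted in the thread) and the sample dynamic sections are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): classify the SONAME/NEEDED entries that
# `objdump -p <file>` prints, flagging the "<digits>d" suffix the thread
# attributes to Ubuntu's NSS/NSPR builds (libnss3.so.1d, libnspr4.so.0d).

# Reads `objdump -p` text on stdin.
# Prints: <tag> <name> <verdict> <name without the distro suffix>
classify_dynamic() {
    awk '
        $1 == "NEEDED" || $1 == "SONAME" {
            verdict = "ok"; upstream = $2
            # lib<name><major>.so.<N>d, e.g. libssl3.so.1d
            if ($2 ~ /^lib[A-Za-z_]+[0-9]+\.so\.[0-9]+d$/) {
                verdict = "distro-specific"
                sub(/\.[0-9]+d$/, "", upstream)   # -> lib<name><major>.so
            }
            print $1, $2, verdict, upstream
        }'
}

# Succeeds only if no entry on stdin carries the distro-specific suffix.
is_portable() {
    ! classify_dynamic | grep -q ' distro-specific '
}

# Constructed samples in `objdump -p` layout (NSS/NSPR names from the thread).
SAMPLE_UBUNTU_BUILD='Dynamic Section:
  NEEDED               libssl3.so.1d
  NEEDED               libnss3.so.1d
  NEEDED               libnspr4.so.0d
  NEEDED               libc.so.6'
SAMPLE_UPSTREAM_BUILD='Dynamic Section:
  NEEDED               libssl3.so
  NEEDED               libnss3.so
  NEEDED               libnspr4.so
  NEEDED               libc.so.6'

if [ "$#" -gt 0 ]; then
    # Real use: pass the path of the binary or library to inspect.
    objdump -p "$1" | classify_dynamic
else
    printf '%s\n' "$SAMPLE_UBUNTU_BUILD" | classify_dynamic
fi
```

Running it against a binary before shipping shows whether the loader on another distribution will be asked for a library name that only exists on the build machine.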

Ruchi Lohani

Aug 18, 2008, 2:05:18 PM
to mozilla's crypto code discussion list
So can I manually download the NSS and NSPR source from
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_RTM/src/nss-3.12-with-nspr-4.7.tar.gz
and then compile it on Ubuntu? Will it solve the build problem to allow
me to build it on Ubuntu and use it on multiple Linux distros?

Thanks
Ruchi

-----Original Message-----
From: dev-tech-crypto-bounces+rlohani=adob...@lists.mozilla.org
[mailto:dev-tech-crypto-bounces+rlohani=adob...@lists.mozilla.org] On
Behalf Of Kai Engert
Sent: Friday, July 18, 2008 11:11 AM
To: mozilla's crypto code discussion list
Subject: Re: A general question about libnss3

Ubuntu has apparently chosen to use non-standard library names,
therefore you can't use your binary produced on Ubuntu on a system that
uses standard library names.

Recompile.

Kai



Wan-Teh Chang

Aug 18, 2008, 4:21:30 PM
to mozilla's crypto code discussion list
On Mon, Aug 18, 2008 at 11:05 AM, Ruchi Lohani <rlo...@adobe.com> wrote:
> So can I manually download the NSS and NSPR source from
> https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_R
> TM/src/nss-3.12-with-nspr-4.7.tar.gz
> and then compile it on Ubuntu? Will it solve the build problem to allow
> me build it on Ubuntu and use
> it on multiple Linux distros?

If you link with the official NSS 3.12 RTM build, your code will be looking
for the SONAME libnss3.so on startup.

Since Ubuntu's libnss3-1d package installs only /usr/lib/libnss3.so.1d,
your code won't work on an Ubuntu machine with just the libnss3-1d
package. Your code should, however, work on Fedora and openSUSE.

Wan-Teh

Ruchi Lohani

Aug 18, 2008, 5:19:44 PM
to mozilla's crypto code discussion list
It works a little differently here.
The binary compiled with libnss3.so (not as a symlink) on the system
works fine on Ubuntu with libnss3.so.1d and a symlink from libnss3.so to
libnss3.so.1d (apt-get takes care of making that, I suppose). Since the
binary depends on libnss3.so, which it finds as a symlink
(/usr/lib/libnss3.so --> libnss3.so.1d), it works without any numbering
issues.


Thanks
Ruchi


Wan-Teh Chang

Aug 18, 2008, 5:31:47 PM
to mozilla's crypto code discussion list
On Mon, Aug 18, 2008 at 2:19 PM, Ruchi Lohani <rlo...@adobe.com> wrote:
> It works a little different here.
> The binary compiled with libnss3.so (not as symlinks) on the system,
> works fine on Ubuntu with libnss3.so.1d and a symlinks as libnss3.so to
> libnss3.so.1d (apt-get takes care of making that I suppose). Since the
> binary depends on libnss3.so which it finds it as symlinks
> (/usr/lib/libnss3.so --> libnss3.so.1d), it works without any numbering
> issues.

The issue is which package makes the symlink libnss3.so to
libnss3.so.1d, and whether you require your users to install
that package. If the symlink exists, your code will work.

What is the output of "dpkg -S libnss3.so" on your Ubuntu machine?

Wan-Teh

Ruchi Lohani

Aug 18, 2008, 6:08:57 PM
to mozilla's crypto code discussion list
Sure thing about the symlinks.

dpkg -S libnss3.so gives

libnss3-1d: /usr/lib/libnss3.so
libnss3-1d-dbg: /usr/lib/debug/usr/lib/libnss3.so.1d
libnss3-0d: /usr/lib/libnss3.so.0d
libnss3-1d: /usr/lib/libnss3.so.1d

on my Ubuntu (8.04) machine.

-Ruchi


Wan-Teh Chang

Aug 18, 2008, 6:27:26 PM
to mozilla's crypto code discussion list
On Mon, Aug 18, 2008 at 3:08 PM, Ruchi Lohani <rlo...@adobe.com> wrote:
> Sure thing about the symlinks.
>
> dpkg -S libnss3.so gives
>
> libnss3-1d: /usr/lib/libnss3.so
> libnss3-1d-dbg: /usr/lib/debug/usr/lib/libnss3.so.1d
> libnss3-0d: /usr/lib/libnss3.so.0d
> libnss3-1d: /usr/lib/libnss3.so.1d
>
> on my ubuntu (8.04) machine.

This looks good. I get different results on my Ubuntu machines.

On one of them, I have the libnss3.so symlink, but it's installed
by the libnss3-dev package:

$ dpkg -S libnss3.so
firefox-2: /usr/lib/firefox/libnss3.so
libnss3-dev: /usr/lib/libnss3.so
libnss3-1d: /usr/lib/libnss3.so.1d
$ ls -l /usr/lib/libnss3.so
lrwxrwxrwx 1 root root 13 2008-07-11 14:43 /usr/lib/libnss3.so -> libnss3.so.1d

On the other, I don't have the libnss3.so symlink:
$ dpkg -S libnss3.so
firefox-2: /usr/lib/firefox/libnss3.so
libnss3-1d: /usr/lib/libnss3.so.1d

Both of them are Ubuntu 8.04.1 for *x86_64*.

Wan-Teh
