Building Mozilla NSS

Jesse Nicholson edited this page Apr 2, 2016 · 2 revisions

The Mozilla NSS project contains tools such as certutil, which this project requires to transparently install its root Certificate Authority certificates into, and remove them from, discovered installations of Firefox.

Firefox contains its own managed list of trusted Certificate Authorities, because Firefox by nature does not trust the certificate stores of your device. There is good reason for this, because you can actually install a trusted CA on Windows, for example, without requiring administrator privileges or even prompting the user. This is all an attacker needs to establish a Man In The Middle attack and begin intercepting your encrypted communications.

Mozilla's authority stores are protected through obscurity, forcing the use of the NSS Tools (certutil) to automatically install custom CAs in a way that the browser will accept. So we package this executable and its required libraries for this purpose.

The build process is a pain because it requires the use of yet another tool, MozillaBuild. That link will download the latest version. Because it's basically a self-extracting archive, setup simply requires you to choose an installation location for extraction. Choose some place without spaces in the path, just to avoid headaches down the road.

If you really want to create both a 32 and 64 bit distribution of NSS Tools, you'll have to follow the same process as you did with OpenSSL, copying the root sources directory contents into folders named x86 and x64. This guide will focus on creating a 32 bit distribution only. It's not really necessary to build a separate 64 bit version, because certutil is invoked as a separate process. No linking is going on at all.

First, download NSS with NSPR and extract it wherever is easiest for you to work with. Note that after compilation, you'll need to copy out the dist folder to HTTPFILTERINGENGINE_BASE_DIR\deps\nss, but for now, it may be easier to place it on a shorter path.

There are no provided scripts for building NSS Tools, so you'll have to follow these steps exactly.

  1. Navigate to the MozillaBuild directory and run the appropriate batch file to set up your environment. For building the 32 bit version, we'll launch start-shell-msvc2015.bat.
  2. From within the opened cygwin console, navigate to /DRIVE_LETTER/NSS_NPPR_EXTRACTED_DIR. This directory should contain two folders, one called nss and one called nspr, both of which directly contain their respective sources.
  3. To configure the build environment to build for windows, run the command export OS_TARGET="WIN95". I know we're not targeting a fossil of an OS, but this is the chosen variable name to represent all windows builds.
  4. Since we're building a release build, type and execute export BUILD_OPT="1".
  5. Now you need to change the HOME variable to point to /DRIVE/NSS_NPPR_EXTRACTED_DIR. Since you've already navigated to this directory in the shell (or you should be), simply run export HOME="$(pwd)", which will be expanded correctly to the current path.
  6. Type and execute env to verify that the previous commands set the correct values.
  7. Type and execute cd nss to change to the nss directory.
  8. Type and execute make nss_build_all.
  9. Go get a coffee, maybe a pizza, or even grab a nap depending on your hardware.

Note again that if you want to build 64 bit binaries, you need to run start-shell-msvc2015-x64.bat instead and somewhere before step 6, you should type and execute export USE_64="1".
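Steps 2 through 8, including the USE_64 switch for 64 bit builds, collected into shell functions for the MozillaBuild console. This is an added example, not a script shipped by this project or by Mozilla; the function names are hypothetical, and rejecting source paths that contain spaces is an assumption carried over from the MozillaBuild install advice above.

```shell
#!/usr/bin/env bash
# Added example; nss_check_layout, nss_set_env and nss_build are hypothetical names.

# Step 2: the extracted root must directly contain nss/ and nspr/.
# Assumption: the no-spaces advice for MozillaBuild is applied to this path too.
nss_check_layout() {
    case "$1" in
        *" "*) echo "error: path contains spaces: $1" >&2; return 2 ;;
    esac
    for d in nss nspr; do
        [ -d "$1/$d" ] || { echo "error: missing $1/$d" >&2; return 1; }
    done
}

# Steps 3-5, plus USE_64 for 64 bit builds: export the build variables.
# $1 = extracted source root, $2 = x86 (default) or x64.
nss_set_env() {
    export OS_TARGET="WIN95"   # variable value used for all Windows builds
    export BUILD_OPT="1"       # release build
    export HOME="$1"
    case "${2:-x86}" in
        x86) unset USE_64 ;;   # make sure a stale value cannot leak in
        x64) export USE_64="1" ;;
        *)   echo "error: arch must be x86 or x64" >&2; return 1 ;;
    esac
}

# Steps 6-8: print the variables for review, then build from the nss directory.
nss_build() {
    nss_check_layout "$1" || return
    nss_set_env "$1" "${2:-x86}" || return
    env | grep -E '^(OS_TARGET|BUILD_OPT|HOME|USE_64)='
    (cd "$1/nss" && make nss_build_all)
}

# Usage, from the extracted source root:  nss_build "$(pwd)" x86
```

Source the file in the shell opened by the matching start-shell batch file; the architecture argument only sets USE_64 and does not switch the compiler toolchain.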

If everything worked as it should have, you'll have a new folder called dist located next to the nss and nspr folders in NSS_NPPR_EXTRACTED_DIR. If you built for 32 bit, rename the folder dist/WIN954.0_OPT.OBJ to x86, or if you built for 64 bit, rename it to x64. Then, move this directory to HTTPFILTERINGENGINE_BASE_DIR\deps\nss\msvc, so you wind up with HTTPFILTERINGENGINE_BASE_DIR\deps\nss\msvc\x86.

If you don't want to also compile a 64 bit version, copy and rename HTTPFILTERINGENGINE_BASE_DIR\deps\nss\msvc\x86 to HTTPFILTERINGENGINE_BASE_DIR\deps\nss\msvc\x64. If you'd prefer not to duplicate files, open the MSVC project file for HttpFilteringEngine and edit the Post Build Commands to copy only from HTTPFILTERINGENGINE_BASE_DIR\deps\nss\msvc\x86 for all targets.

Next, let's build http-parser.