Network Security Services (NSS) and PKCS#11

Let’s clear up a big mess first. In this post I’m going to talk about dev-libs/nss or, as the title suggests, Network Security Services, which is the framework developed first by Netscape and now by the Mozilla Project for implementing a number of security layers, including (especially) SSL. This should not be confused with many other similar acronyms, especially with the Name Service Switch, which is the interface that allows your applications to resolve hosts and users against databases they weren’t designed to use in the first place.

In my previous posts about smartcard-related software components – first and second – I started posting a UML component diagram that was not very detailed but generally readable. With time, and with the need to clarify my own understanding of the whole situation, the diagram is getting more complex and more detailed, but arguably less readable.

In the current iteration of the diagram, a number of software projects are exploded into multiple components, like I originally did with the lone OpenCryptoki project (which I should have been writing about, but I haven’t had enough time to finish cleaning it up yet). In particular, I split the NSS component into two sub-components: libnss3 (which provides the actual API for the applications to use), and libnssckbi, which provides access to the underlying NSS database. This is important because it shows how the NSS framework actually communicates with itself through the standard PKCS#11 interface.

Anyway, back to NSS proper. To handle multiple PKCS#11 providers – which is what you want to do if you intend to use a hardware token, or a virtual one for testing – you need to register them with NSS itself. If you’re a Firefox user, you can do that from its settings window, but if you’re a Chromium user, you’re mostly out of luck as far as a GUI is concerned: the official way to deal with certificates et similia with Chromium is to use the NSS command-line utilities, available with the utils USE flag for dev-libs/nss.

First of all, by default Mozilla, Evolution and Chromium, and the command-line utilities use three different paths to find their database: one depending on the Mozilla profile, ~/.pki/nssdb and .netscape respectively. Even more importantly, by default the first and the last (Mozilla and the command-line utilities) will use an “old” version of the db, based on the Berkeley DB interface, while the other two will use a more modern, SQLite-based database. This is troublesome.

Thankfully, the Mozilla Wiki has an article on setting up a shared database for NSS, which you might want to do to make sure that you use the same set of certificates between Firefox, Chromium, Evolution and the command-line utilities. What it comes down to is just a bunch of symlinks. Read the article yourself for the instructions; I have to note, though, that you need to do this as well:

~ % ln -s .pki/nssdb .netscape

This way the NSS utilities will use the correct database as well. Remember that you have to log out and log back in to tell the utilities and Firefox to use the SQL database.
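The shared-database setup above, as an added example that is not part of the original post: a small POSIX shell script that reports which NSS database format (SQLite versus Berkeley DB) each of the two fixed locations holds, and creates the ~/.netscape symlink to ~/.pki/nssdb only when it is safe to do so. The database file names are NSS’s real ones; the directory layout is the one the post describes.

```shell
#!/bin/sh
# Added example, not from the original post. NSS stores the SQLite-format
# database as cert9.db/key4.db (plus pkcs11.txt) and the legacy Berkeley DB
# format as cert8.db/key3.db (plus secmod.db); the paths ~/.pki/nssdb and
# ~/.netscape are the ones the post discusses.

# Print "sql", "dbm" or "none" depending on which NSS database files a directory holds.
nssdb_format() {
  dir=$1
  if [ -f "$dir/cert9.db" ] && [ -f "$dir/key4.db" ]; then
    echo sql
  elif [ -f "$dir/cert8.db" ] || [ -f "$dir/key3.db" ]; then
    echo dbm
  else
    echo none
  fi
}

# Create $home/.netscape -> .pki/nssdb (relative, as in the post) so certutil
# and friends open the shared database. Idempotent; refuses to clobber a real
# directory or a symlink pointing elsewhere, since that would hide a second key
# store (and its private keys) that the user still believes is in use.
link_netscape_to_nssdb() {
  home=${1:-$HOME}
  target="$home/.pki/nssdb"
  link="$home/.netscape"
  mkdir -p "$target" || return 1
  if [ -L "$link" ]; then
    # Compare where the existing link resolves to with the shared database.
    [ "$(cd "$link" 2>/dev/null && pwd -P)" = "$(cd "$target" && pwd -P)" ] && return 0
    echo "$link is a symlink to somewhere else; not touching it" >&2
    return 1
  elif [ -e "$link" ]; then
    echo "$link already exists and is not a symlink; merge it by hand" >&2
    return 1
  fi
  ln -s .pki/nssdb "$link"
}

# Report the format found at each location so a mismatch (Berkeley DB in one
# place, SQLite in the other) is visible before any certificate gets imported.
report_nss_locations() {
  home=${1:-$HOME}
  for d in "$home/.pki/nssdb" "$home/.netscape"; do
    printf '%s: %s\n' "$d" "$(nssdb_format "$d")"
  done
}
```

The Mozilla Wiki article also sets NSS_DEFAULT_DB_TYPE=sql in the login environment so the command-line utilities create and open the SQLite format, which is why a logout is needed before they and Firefox agree on the database.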

Unfortunately I haven’t been able to get a token to work in this environment; from one side I’m afraid I might have busted the one Eva sent me (sigh! but at least it served the purpose of getting most of this running); from the other, Scute does not allow uploading an arbitrary certificate, but only generating a CSR, which I obviously can’t get signed by StartSSL (which is my current certificate provider). Since I’m getting paranoid about security (even more so since I’ll probably be leaving my servers in an office when I’m not around), I’ll probably be buying an Aladdin token from StartSSL though (which also means I’ll be testing out their middleware). At that point I’ll give you more details about the whole thing.

Stash your cache away

While I’m now spending a week away from home (I’m at my sister’s family place, while she’s at the beach), I will still be working, writing blog posts, and maybe taking care of some smaller issues in Gentoo. I’m just a bit hindered because while I type on the keyboard I often click something away with the trackpad; I didn’t think about getting a standalone keyboard. I guess if somebody wanted to send an Apple bluetooth keyboard my way I wouldn’t say no.

While finally setting up a weekly backup of my /home directory yesterday, I noticed quite a few issues with the way software makes use of it. The first thing of course was to find the right software to do the job; I opted for a simple rsync in cron, after all I don’t care much about having multiple incremental backups à la Time Machine, having a single weekly copy of my basic data is good enough.

The second problem was that, some time ago, I found that a 4GB USB flash drive was enough if I wanted to copy my home, but when I looked at it yesterday, I found it was well over 5GB. How did that happen? Some baobab later, I found the problems. On one side, my medical records (over 500 pages), scanned with a high-grade all-in-one laser printer (no, not by me at home), are too big. They might have been scanned as colour documents (they are photocopies, so that’s not really right) or they might be at a huge resolution, I have to check that, since having over half a gig of just printed records is a bit too much for me (I also have another full CD of CT scan data).

The other problem is that a lot of software misuses my home by writing cache and temporary files into it rather than into the proper locations. Let me explain: if you need to create a temporary file or socket to communicate between different programs on the same host, rather than writing it to my home you should probably use TMPDIR (like a lot of software, fortunately, does). The same goes if you write cache data, and yes I’m referring to you, Evolution and Firefox, but also to Adobe Flash, Sun JDK and IcedTea.

Indeed, the FreeDesktop specifications already provide an XDG_CACHE_DIR variable that can be used to change the place where cache data should be saved, defaulting to ~/.cache, and on my system set to /var/cache/users/flame. This way, all the (greedy) cache systems would be able to write as much data as they want, without either wasting space on the backup flash drive or forcing me to write them to two disks (/var/cache is on a sort-of throwaway disk).

For now I resolved this by making some symlinks, hoping they stay stable, and creating a ~/.backup-ignore file, akin to .gitignore, with the paths to the stuff that I don’t want backed up. The only problem I really have is with Evolution, because that one has so many subdirectories that I can’t really understand what I should back up and what not.

Oh, and there are a few more problems: the first is that a lot of software over the past two years migrated from just the home to ~/.config, but the old files were kept around (nautilus is an example), and a few directories contained very, very old and dusty session data that wasn’t cleaned up properly.

Providing too many configuration options to tell where the stuff is can definitely lead to bad problems, but using the right environment variable to decide where stuff should go and where it should be looked up can definitely solve lots of your problems!

Google and software mediocrity

I haven’t commented very much, if at all, on most of the new Google projects, which include Chrome, Chromium and Chrome OS; today, since I’m currently waiting on a few long-running tasks to complete, I’d like to spend my two eurocents on them.

You can already guess from the title of this post that I’m really sceptical about Google entering the operating system market; the reason for that is that I haven’t really seen anything in Google’s strategy that would lead us to expect a very good product from them in this area. While Google is certainly good at providing search services, and GMail is also my email provider of choice, there are quite a few shortcomings that I see in their software, and they don’t make me count on Chrome OS being any better than Windows XP is.

First, let’s just say that Google Chrome is not the first software that Google released for the desktop; there have been quite a few other projects before, like for instance Google Talk. Since I have a personal beef with this, I’d like to go on a bit about it. When Google launched their own Instant Message service for the masses, through GMail and a desktop client, called Google Talk and based on the XMPP protocol, there was quite some talk around because, while using the same protocol we know as Jabber, it didn’t connect to the Server-to-Server Jabber network that allows multiple Jabber servers’ users to communicate; with time this S2S support was added and now a GTalk user can talk with any Jabber user, so as a service, it’s really not bad at all, and you can use any Jabber client to connect to GTalk.

The Windows client, though, seems to be pretty much abandoned; I haven’t seen updates in a while (although I might not have noticed in the past month or two), and it lacks quite a few features like merging multiple usernames into a single contact and stuff like that. Now, at the same time as releasing the Windows client, or about the same time, Google released specifications for their extensions that allow audio (and video?) chat over an XMPP-negotiated connection, and a library (libjingle) for other clients to implement this protocol.

The library, unfortunately, ended up having lots of shortcomings, and most projects decided to import and modify it; then it was forked, at least once but I think even twice, cut down and up and mangled so much that it probably doesn’t look anything like the original one from Google. And yet, the number of clients that do support GTalk’s audio/video extension is… I have no idea; Empathy does support it if I recall correctly, but last time I tried, it didn’t really work that well. As far as I know, libpurple, which is used by both Pidgin and Adium, and which would cover clients for all the major operating systems (free or not), does not seem to support them.

Now, why I consider GTalk mediocre software is not limited to the software that Google provides, it’s a matter of how they played their cards. It seems to me that instead of trying to push themselves as the service provider, they wanted to push themselves as a software provider as well, and the result is that besides Empathy (which is far from a usable client in my opinion), there is no software that seems to implement their service properly. They could have implemented, or paid to implement or something like that, their extensions in libpurple and that would have given them an edge; they could have worked with Apple (considering they are already working closely with them) so that iChat could work with GTalk’s audio and video extensions (instead iChat AV from Leopard uses a different protocol that only works between Macs), and so on.

What about Google Chrome? Well, when it was announced and released I was stuck in hospital, so I missed most of the hype of the first days; when I finally went to test it, almost a month later, I was surprised at how pointless it seemed to me. Why? Because as far as I can see it does not render text as well as Firefox or Safari on Windows; it’s probably faster than them, but then again most people don’t care (at least in Italy, Internet connections are so slow you don’t notice), and there is one important problem: the Google bias of the browser.

I think lots of people criticised the way Microsoft originally treated Internet Explorer and their Internet services before, to the point that now Microsoft allows you to set Google as the search provider in the default install. Well, I don’t see Chrome as anything much different: it’s a browser that is tailored to suit Google’s services, and of course its development will suit that too. Will it ever get an advertising-blocking feature, like the ones available for Firefox, Konqueror and Safari? Probably not, because Google takes a good share of revenue out of Internet-based advertising. Will it ever get a delicious extension? Probably not, because that’s a Yahoo! service nowadays, and Google has its own alternative.

Now, I don’t want to downplay the important technical innovations of Google Chrome, even when they are very basic, like the idea of splitting the tabs by process; and indeed I think I have read that Mozilla is now working on implementing a similar feature for the next Firefox major change; this is what we actually get out of the project, not Chromium itself.

Then there is Android; I don’t think I can really comment on this, but at least as far as I can see, there is not really much going on with Android: nobody has asked me yet if I develop for Android, while I got a few requests for Symbian and iPhone development in the past year or so. Android phones do not seem to shine with non-technical people, and technical people, at least in Italy, are unlikely to pay the price you have to pay to get the Android-based HTC phones with Vodafone and TIM.

By contrast with Nokia, Google fragmented the software area even more. While Google already provided mobile-optimised services on the web, and some Java-based software to access their services with J2ME-compatible phones, they also started providing applications for Nokia’s Symbian-based phones. Unfortunately this software does not shine, with the exception of Google Maps, which works pretty well and integrates itself with Nokia pretty decently; in particular the “main” Google application for Nokia crashed my E75 twice! I ended up removing it and living without it (the YouTube application sort of works, the GMail application also “sort of” works, but with the new IMAP client it is really pointless to me). So we have mediocre software from Google for Nokia phones, and probably no good reason for Google to improve on it.

But there are also things that haven’t been implemented by Google at all; for instance there is no GTalk client for Nokia phones, or a web-based version for mobile phones, which would have been a killer feature! Instead Nokia implemented its own Nokia Chat, which has now become Contacts for Ovi, which also uses XMPP, which also has S2S, but which does not allow you to use GTalk accounts, requiring you to have two different users: one for computers and one for the mobile phone. And similarly, with the only partially-working Google Sync for Nokia phones, in particular with no support for syncing with Google Calendar, and with a tremendous loss of detail when syncing contacts, Google loses to Nokia’s Ovi sync support as well.

Now, I’m not a market analyst and I really like to stay away from marketing, but I really don’t see Google as a major player in software development; I’d really have preferred that they started improving the integration of their services with Free Software like Evolution (whose Google Calendar integration sucks way too much, and whose IMAP usage of GMail causes two copies of each sent message to be stored on the server, as well as creating a number of folders/labels that shouldn’t be there at all!), rather than having a new “operating system”.

There are more details I’m sceptical about, like hardware support (which I’ll leave Matthew Garrett to explain, since he knows the matter better) and software support, but for those I’ll wait and see when they actually deliver something.

The mailing lists problem

For a while I’ve been using GMane for almost all the mailing lists I’m following. This made it much easier to deal with them because it meant that I didn’t have to download a local copy of all the messages, and it also allowed me much cleaner access to the archives. Unfortunately this has a downside, as it requires me to use an NNTP client, which is something that hasn’t been very cool to do lately.

In the last few months I’ve used gnus as my client, but the problem with that is that it still needs a separate program from Evolution (which is my mail client), and it had the nasty issue of not saving the read messages when emacs closed unexpectedly, say when X died and, because of a bug, the emacs daemon died with it.

Now of course I could use mailing lists like most other people in the world do, by receiving them on my mail account, but I’d rather not fill my GMail “All Mail” folder with all the messages coming from mailing lists, especially for when I have to access that data from a UMTS connection where I pay for the traffic.

What other solutions are there for me? I’m considering the idea of doing what I did when there was a 20MB limit on an email account from my provider, but no limit on the number of accounts: having one account per mailing list. Now the limit is 1GB, but I haven’t been using those accounts in quite a long time. Even if they are available over IMAP when I’m on their connection, they are only available through webmail from outside; not that that’s too much of an issue for me, since I need mailing lists mostly when I’m not around hospitals or stuff like that, so I could just use that.

For this to work, though, I need a few tools working on IMAP; for instance I’d need a script that could expunge old archives, when the threads haven’t been updated in the last few months; I’ll also need a script that would automatically filter the mailing lists as they arrive in the Inbox (waiting with the IDLE command), since my provider does not allow me to filter the messages server-side. And such a script will have to run on Yamato since it has to be on their network.

Then there is the problem that Evolution saves its cache in my home directory, which is under RAID6; there is no need for the cache to be in my home, when XDG_CACHE_DIR is pointing to a private subdirectory in /var/cache. This includes the 200MB SQLite database that it is currently using. Does anybody know if there is a way to get Evolution to respect the XDG_CACHE_DIR variable?