NSS environment variables

Note

Note: NSS environment variables are subject to change and may be removed from NSS without notice.

Run-Time Environment Variables

These environment variables affect the RUN TIME behavior of NSS shared libraries. There is a separate set of environment variables that affect how NSS is built, documented below.

Variable

Type

Description

Introduced in version

NSRANDCOUNT

Integer (byte count)

Sets the maximum number of bytes to read from the file named in the environment variable NSRANDFILE (see below). Makes NSRANDFILE usable with /dev/urandom.

3.12.3

NSRANDFILE

String (file name)

Uses this file to seed the Pseudo Random Number Generator.

Before 3.0

NSS_ALLOW_WEAK_SIGNATURE_ALG

Boolean (any non-empty value to enable)

Enables the use of MD2 and MD4 inside signatures. This was allowed by default before NSS 3.12.3.

3.12.3

NSS_DEBUG_PKCS11_MODULE

String (module name)

Names the PKCS#11 module to be traced. See NSS Tech Note 2 (PKCS#11 module logging).

3.6

NSS_DEFAULT_DB_TYPE

String (“dbm”, “sql”, or “extern”)

Determines the default database type to open if the application does not specify one. See NSS Shared DB.

3.12

NSS_DISABLE_ARENA_FREE_LIST

String (any non-empty value)

Define this variable to get accurate allocation stacks for leaked memory when using leak reporting software. See NSS Memory allocation.

3.4

NSS_DISABLE_UNLOAD

String (any non-empty value)

Disable unloading of dynamically loaded NSS shared libraries during shutdown. Necessary on some platforms to get correct function names when using leak reporting software.

3.11.8

NSS_ENABLE_AUDIT

Boolean (1 to enable)

Enable auditing of activities of the NSS cryptographic module in FIPS mode. See Audit Data.

3.11.2

NSS_ENABLE_PKIX_VERIFY

Boolean (any non-empty value to enable)

Use libPKIX, rather than the old cert library, to verify certificates.

3.12

NSS_FIPS

String ("fips", "true", "on", "1")

Will start NSS in FIPS mode.

3.12.5

NSS_HASH_ALG_SUPPORT

String

Specifies the hash algorithms allowed in certain applications, such as signatures on certificates and CRLs. See the NSS documentation for this variable.

3.12.3

NSS_OUTPUT_FILE

String (filename)

Output file path name for the PKCS#11 module trace (see NSS Tech Note 2). Default is stdout.

3.7

NSS_SDB_USE_CACHE

String ("no", "yes", "auto")

Controls whether NSS uses a local cache of SQL database contents. Default is “auto”. See the source for more information.

3.12

NSS_SSL_CBC_RANDOM_IV

String (“0”, “1”)

Controls the workaround for the BEAST attack on SSL 3.0 and TLS 1.0. “0” disables it, “1” enables it. It is also known as 1/n-1 record splitting. Default is “1”.

NSS_SSL_ENABLE_RENEGOTIATION

String ([0|n|N], [1|u|U], [2|r|R], [3|t|T])

(Definition for NSS 3.12.6 and above) Sets how TLS renegotiation is handled:

  • [1|u|U]: SSL_RENEGOTIATE_UNRESTRICTED. Server and client are allowed to renegotiate without any restrictions. This was the default prior to 3.12.5 and leaves products vulnerable to the TLS renegotiation attack.

  • [0|n|N]: SSL_RENEGOTIATE_NEVER. Never allow renegotiation. This was the default for the 3.12.5 release.

  • [3|t|T]: SSL_RENEGOTIATE_TRANSITIONAL. Disallows unsafe renegotiation in server sockets only, but allows clients to continue to renegotiate with vulnerable servers. This value should only be used during the transition period while few servers have been upgraded.

  • [2|r|R]: SSL_RENEGOTIATE_REQUIRES_XTN (default). Only allows renegotiation if the peer's hello carries the TLS renegotiation_info extension (RFC 5746). This is safe renegotiation.

3.12.5; modified in 3.12.6

NSS_SSL_REQUIRE_SAFE_NEGOTIATION

Boolean (1 to enable)

Controls whether the safe renegotiation indication (the renegotiation_info extension) is required on the initial handshake. When enabled, a connection is dropped during the initial handshake if the server or client does not support safe renegotiation. The default is FALSE.

3.12.5

NSS_SSL_SERVER_CACHE_MUTEX_TIMEOUT

Integer (seconds)

Timeout used to detect a dead or hung process in a multi-process SSL server. Default is 30 seconds.

3.4

NSS_STRICT_NOFORK

String (“1”, “DISABLED”, or any other non-empty value)

It is an error to try to use a PKCS#11 crypto module in a process before it has been initialized in that process, even if the module was initialized in the parent process. Beginning in NSS 3.12.3, Softoken will detect this error. This environment variable controls Softoken’s response to that error.

  • If set to “1” or unset, Softoken will trigger an assertion failure in debug builds, and will report an error in non-DEBUG builds.

  • If set to “DISABLED”, Softoken will ignore forks, and behave as it did in older versions.

  • If set to any other non-empty value, Softoken will report an error in both DEBUG and non-DEBUG builds.

3.12.3

NSS_STRICT_SHUTDOWN

String (any non-empty value)

Triggers an assertion failure in debug builds when a program tries to shut down NSS before freeing all the resources it acquired from NSS while NSS was initialized.

3.5

NSS_TRACE_OCSP

Boolean (any value to enable)

Enables OCSP tracing. The trace information is written to the file named by NSPR_LOG_FILE (default stderr). See NSS tracing.

3.12

NSS_USE_DECODED_CKA_EC_POINT

Boolean (any value to enable)

Tells NSS to send EC key points across the PKCS#11 interface in the non-standard unencoded format that was used by default before NSS 3.12.3.

3.12.3

NSS_USE_SHEXP_IN_CERT_NAME

Boolean (any value to enable)

Tells NSS to allow shell-style wildcard patterns in certificates to match SSL server host names. This behavior was the default before NSS 3.12.3.

3.12.3

PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK

String (any non-empty value)

Debug variable for PKIX leak checking. Note: The code must be built with PKIX_OBJECT_LEAK_TEST defined to use this functionality.

3.12

SOCKETTRACE

Boolean (1 to enable)

Controls tracing of socket activity by libPKIX. Messages sent and received will be timestamped and dumped (to stdout) in standard hex-dump format.

3.12

SQLITE_FORCE_PROXY_LOCKING

Boolean (1 to enable)

1 forces proxy locking to always be used, 0 never uses it; when unset, proxy locking is used for non-local files only.

3.12.6

SSLBYPASS

Boolean (1 to enable)

Uses PKCS#11 bypass for performance improvement. Do not set this variable if FIPS is enabled.

3.11

SSLDEBUG

Integer

Debug level. Note: The code must be built with DEBUG defined to use this functionality.

Before 3.0

SSLDEBUGFILE

String (file name)

File where debug or trace information is written. If not set, the debug or trace information is written to stderr.

Note: SSLDEBUG or SSLTRACE have to be set to use this functionality.

3.12

SSLFORCELOCKS

Boolean (1 to enable)

Forces NSS to use locks for protection. Overrides the effect of SSL_NO_LOCKS (see ssl.h).

3.11

SSLKEYLOGFILE

String (file name)

Key log file. If set, NSS logs RSA pre-master secrets to this file. This allows packet sniffers to decrypt TLS connections, so the file holds live key material and must be protected accordingly. See the NSS key log format.

3.12.6
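The key log format page referenced above describes the lines NSS writes to SSLKEYLOGFILE. The following parser is an added example, not part of this page or of NSS; the record shapes follow that format page (RSA and CLIENT_RANDOM lines plus the TLS 1.3 per-secret labels), the sample key log is constructed and contains no real key material, and the function and exception names are this example's own.

```python
import re

_HEX = re.compile(r"^[0-9a-fA-F]+$")

# Record shapes from the NSS key log format:
#   RSA <16 hex: first 8 bytes of the encrypted pre-master> <96 hex: 48-byte pre-master>
#   CLIENT_RANDOM <64 hex: 32-byte client random> <96 hex: 48-byte master secret>
#   <TLS 1.3 label> <64 hex client random> <hex secret, 32 or 48 bytes by hash>
_FIXED = {"RSA": (16, 96), "CLIENT_RANDOM": (64, 96)}
_TLS13 = {
    "CLIENT_EARLY_TRAFFIC_SECRET", "CLIENT_HANDSHAKE_TRAFFIC_SECRET",
    "SERVER_HANDSHAKE_TRAFFIC_SECRET", "CLIENT_TRAFFIC_SECRET_0",
    "SERVER_TRAFFIC_SECRET_0", "EARLY_EXPORTER_SECRET", "EXPORTER_SECRET",
}


class KeyLogError(ValueError):
    """A line that does not match the key log format (example's own type)."""


def parse_keylog(text):
    """Parse key log text into a list of (label, key_bytes, secret_bytes).

    Blank lines and '#' comments are skipped.  A malformed line raises
    KeyLogError with its line number instead of being dropped: a truncated
    or hand-edited line should not vanish silently from a forensic workflow.
    """
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 3:
            raise KeyLogError("line %d: expected 3 fields, got %d" % (lineno, len(parts)))
        label, key_hex, secret_hex = parts
        if label in _FIXED:
            want_key, want_secret = _FIXED[label]
            if len(key_hex) != want_key or len(secret_hex) != want_secret:
                raise KeyLogError("line %d: bad field length for %s" % (lineno, label))
        elif label in _TLS13:
            if len(key_hex) != 64 or len(secret_hex) not in (64, 96):
                raise KeyLogError("line %d: bad field length for %s" % (lineno, label))
        else:
            raise KeyLogError("line %d: unknown label %r" % (lineno, label))
        if not (_HEX.match(key_hex) and _HEX.match(secret_hex)):
            raise KeyLogError("line %d: non-hex field" % lineno)
        records.append((label, bytes.fromhex(key_hex), bytes.fromhex(secret_hex)))
    return records


def keylog_is_valid(text):
    """True if every non-comment line parses; what a log collector would check."""
    try:
        parse_keylog(text)
    except KeyLogError:
        return False
    return True


def secrets_for_client_random(records, client_random):
    """Look up what a sniffer needs once it sees a ClientHello's random:
    {label: secret} for every record keyed by that 32-byte client random.
    RSA records are keyed by the encrypted pre-master, so they are skipped."""
    return {label: secret for label, key, secret in records
            if label != "RSA" and key == client_random}


# Constructed sample; repeated bytes, not real secrets.
SAMPLE_KEYLOG = "\n".join([
    "# constructed sample, not real key material",
    "CLIENT_RANDOM " + "11" * 32 + " " + "22" * 48,
    "RSA " + "33" * 8 + " " + "44" * 48,
    "CLIENT_HANDSHAKE_TRAFFIC_SECRET " + "55" * 32 + " " + "66" * 32,
    "SERVER_HANDSHAKE_TRAFFIC_SECRET " + "55" * 32 + " " + "77" * 32,
    "",
])

if __name__ == "__main__":
    for label, key, secret in parse_keylog(SAMPLE_KEYLOG):
        print("%-32s key=%s... secret=%d bytes" % (label, key[:4].hex(), len(secret)))
    print(secrets_for_client_random(parse_keylog(SAMPLE_KEYLOG), b"\x55" * 32).keys())
```

The same file can be handed to Wireshark or tshark through the tls.keylog_file preference to decrypt a capture, which is exactly why the file needs the same handling as a private key while it exists.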

SSLTRACE

Integer

Tracing level. Note: The code must be built with TRACE defined to use this functionality.

Before 3.0
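Several of the run-time variables above re-enable behaviour that NSS turned off for security reasons (unrestricted renegotiation, MD2/MD4 signatures, shell-style wildcards in certificate names, the BEAST workaround) or export key material (SSLKEYLOGFILE). The following audit routine is an added example, not part of this page or of NSS: it reads a process environment and reports such settings. The meaning of each variable is taken from the table above; the severity labels, the function names and the decision to report any NSS_SSL_ENABLE_RENEGOTIATION value outside the documented single-character codes as "unrecognised" (rather than guessing how NSS parses it) are this example's own choices, and the sample environment is constructed.

```python
import os

# NSS_SSL_ENABLE_RENEGOTIATION codes from the table: a digit or a letter,
# the letter in either case.
_RENEG_MODES = {
    "0": "SSL_RENEGOTIATE_NEVER",        "n": "SSL_RENEGOTIATE_NEVER",
    "1": "SSL_RENEGOTIATE_UNRESTRICTED", "u": "SSL_RENEGOTIATE_UNRESTRICTED",
    "2": "SSL_RENEGOTIATE_REQUIRES_XTN", "r": "SSL_RENEGOTIATE_REQUIRES_XTN",
    "3": "SSL_RENEGOTIATE_TRANSITIONAL", "t": "SSL_RENEGOTIATE_TRANSITIONAL",
}
RENEG_DEFAULT = "SSL_RENEGOTIATE_REQUIRES_XTN"   # default since NSS 3.12.6

# Values the table documents as turning on FIPS mode via NSS_FIPS.
_FIPS_ON = {"fips", "true", "on", "1"}


def renegotiation_mode(value):
    """Map an NSS_SSL_ENABLE_RENEGOTIATION value to its SSL_RENEGOTIATE_* name.

    Unset or empty means the NSS default.  Anything other than the documented
    single-character codes is returned as "unrecognised" so an auditor looks
    at it (this example's conservative choice, not a description of NSS's
    own parsing).
    """
    if not value:
        return RENEG_DEFAULT
    return _RENEG_MODES.get(value.lower(), "unrecognised")


def audit_nss_env(env):
    """Return a list of (variable, severity, message) findings for the NSS
    run-time variables in `env`, any mapping such as os.environ."""
    findings = []

    def is_set(name):            # "any non-empty value to enable" semantics
        return bool(env.get(name))

    mode = renegotiation_mode(env.get("NSS_SSL_ENABLE_RENEGOTIATION"))
    if mode == "SSL_RENEGOTIATE_UNRESTRICTED":
        findings.append(("NSS_SSL_ENABLE_RENEGOTIATION", "high",
                         "unrestricted renegotiation (pre-3.12.5 behaviour)"))
    elif mode == "SSL_RENEGOTIATE_TRANSITIONAL":
        findings.append(("NSS_SSL_ENABLE_RENEGOTIATION", "medium",
                         "clients may still renegotiate with servers that lack "
                         "the renegotiation_info extension"))
    elif mode == "unrecognised":
        findings.append(("NSS_SSL_ENABLE_RENEGOTIATION", "low",
                         "value is not one of the documented codes"))

    if is_set("NSS_ALLOW_WEAK_SIGNATURE_ALG"):
        findings.append(("NSS_ALLOW_WEAK_SIGNATURE_ALG", "high",
                         "MD2/MD4 accepted inside signatures"))

    if is_set("NSS_USE_SHEXP_IN_CERT_NAME"):
        findings.append(("NSS_USE_SHEXP_IN_CERT_NAME", "medium",
                         "shell-style wildcards in certificate names match "
                         "server host names (pre-3.12.3 behaviour)"))

    if env.get("NSS_SSL_CBC_RANDOM_IV") == "0":
        findings.append(("NSS_SSL_CBC_RANDOM_IV", "medium",
                         "1/n-1 record splitting (BEAST workaround) disabled"))

    if is_set("SSLKEYLOGFILE"):
        findings.append(("SSLKEYLOGFILE", "high",
                         "TLS secrets are written to %s in builds that honour "
                         "this variable; whoever can read that file can decrypt "
                         "the captured traffic" % env["SSLKEYLOGFILE"]))

    fips = env.get("NSS_FIPS")
    if fips and fips not in _FIPS_ON:
        findings.append(("NSS_FIPS", "medium",
                         "value %r is not a documented way to enable FIPS mode"
                         % fips))
    if fips in _FIPS_ON and env.get("SSLBYPASS") == "1":
        findings.append(("SSLBYPASS", "high",
                         "PKCS#11 bypass must not be used with FIPS mode"))

    return findings


if __name__ == "__main__":
    # Constructed environment for demonstration, not captured from a real host.
    sample = {
        "NSS_SSL_ENABLE_RENEGOTIATION": "U",
        "NSS_ALLOW_WEAK_SIGNATURE_ALG": "1",
        "SSLKEYLOGFILE": "/tmp/tls-keys.log",
        "NSS_FIPS": "on",
        "SSLBYPASS": "1",
    }
    for var, sev, msg in audit_nss_env(sample):
        print("%-30s %-6s %s" % (var, sev, msg))
    # To audit the current shell instead: audit_nss_env(os.environ)
```

Run it against os.environ in a service's start-up wrapper, or feed it the environment of a running process from the process table, to catch a debugging setting that was never removed.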

Build-Time Environment Variables

These environment variables affect the build (compilation) of NSS.

Note

Note: This section is a work in progress and is not yet complete.

Variable

Type

Description

Introduced in version

BUILD_OPT

Boolean (1 to enable)

Do an optimized (not DEBUG) build. Default is to do a DEBUG build.

Before 3.0

MOZ_DEBUG_SYMBOLS

Boolean (1 to enable)

Needed on Windows to build with versions of MSVC (such as VC8 and VC9) that do not understand /PDB:NONE

3.11

MOZ_DEBUG_FLAGS

String

When MOZ_DEBUG_SYMBOLS is set, you may use MOZ_DEBUG_FLAGS to specify alternative compiler flags to produce symbolic debugging information in a particular format.

3.12.8

NSDISTMODE

String

On operating systems other than Windows, this controls whether copies, absolute symlinks, or relative symlinks of the output files should be published to mozilla/dist. The possible values are:

  • copy: copies of files are published

  • absolute_symlink: symlinks whose targets are absolute pathnames are published

If not specified, default to relative symlinks (symlinks whose targets are relative pathnames). On Windows, copies of files are always published.

Before 3.0

NS_USE_GCC

Boolean (1 to enable)

On systems where GCC is not the default compiler, this tells NSS to build with gcc.

Before 3.0

NSS_ALLOW_SSLKEYLOGFILE

Boolean (1 to enable)

Enable support in optimized builds for logging SSL/TLS key material to a log file when the SSLKEYLOGFILE run-time environment variable is set. As of NSS 3.24 this is disabled by default, so an optimized build without this flag ignores SSLKEYLOGFILE.

3.24

NSS_BUILD_CONTINUE_ON_ERROR

Boolean (1 to enable)

Continue building NSS source directories when a build error occurs.

3.12.4

NSS_USE_SYSTEM_SQLITE

Boolean (1 to enable)

Use the system installed sqlite library instead of the in-tree version.

3.12.6

NSS_DISABLE_ECC (deprecated)

Boolean (1 to disable)

Disable Elliptic Curve Cryptography features. As of NSS 3.16, ECC features are enabled by default. As of NSS 3.33 this variable has no effect.

3.16

NSS_ENABLE_ECC (deprecated)

Boolean (1 to enable)

Enable building of code that uses Elliptic Curve Cryptography. Unused as of NSS 3.16; see NSS_DISABLE_ECC.

3.11; unused as of 3.16

NSS_FORCE_FIPS

Boolean (1 to enable)

Builds NSS so that FIPS mode can be enabled at run time with NSS_FIPS.

3.24

OS_TARGET

String (target OS)

For cross-compilation environments only, when the target OS is not the default for the system on which the build is performed. Values understood: WIN95

Before 3.0

USE_64

Boolean (1 to enable)

On platforms that have separate 32-bit and 64-bit ABIs, NSS builds for the 32-bit ABI by default. This tells NSS to build for the 64-bit ABI.

Before 3.0

USE_DEBUG_RTL

Boolean (1 to enable)

On Windows, MSVC has options to build with a normal Run Time Library or a debug Run Time Library. This tells NSS to build with the Debug Run Time Library.

Before 3.0

USE_PTHREADS

Boolean (1 to enable)

On platforms where POSIX threads are available but are not the OS's preferred threads library, this tells NSS and NSPR to build using pthreads.

Before 3.0

NSS_NO_PKCS11_BYPASS

Boolean (1 to enable)

Disables at compile time the NSS SSL code that bypasses the PKCS#11 layer. When set, the SSLBYPASS run-time variable has no effect.

Before 3.15