You are currently viewing a snapshot of taken on April 21, 2008. Most of this content is highly out of date (some pages haven't been updated since the project began in 1998) and exists for historical purposes only. If there are any pages on this archive site that you think should be added back to, please file a bug.

Build Instructions for NSS 3.1.1

Main technical contact: Ian McGreer
Manager: Wan-Teh Chang

Warning: This document is out of date. Please look in the latest NSS release notes for the link to the current NSS build instructions.

The instructions that follow describe how to build the standalone NSS libraries (including a new implementation of RSA) without the BSAFE library. These instructions have been tested on Unix and Windows. They will be updated as testing proceeds on other platforms.

Note that these instructions now use the CVS tag for NSS 3.1.1. This release includes the fix for the prime number generation bug in NSS 3.1. For details, see NSS 3.1.1 Release Notes.

To build NSS with the RSA BSAFE Crypto-C library, first follow the instructions at Build Instructions for NSS Using RSA BSAFE Crypto-C, then continue with the instructions on this page.

Important: Before you build NSS, you should be familiar with the Mozilla CVS system; see source code via CVS for details.

NSPR Note: NSS 3.1.1 is compatible with NSPR 4.0.1 or higher. We recommend using NSPR 4.1, as shown in the build instructions below. However, it's possible to use other NSPR tags, such as NSPRPUB_RELEASE_4_0_1 or NSPRPUB_CLIENT_BRANCH.

Unix Build Instructions
Windows Build Instructions
Basic Tests

Unix Build Instructions

The following procedure performs a debug build using the GNU C compiler (gcc). See the notes that follow on how to generate an optimized build or choose a native compiler.

To build NSS and the necessary components from Mozilla on Unix/Linux without pulling and configuring the entire Mozilla source tree, follow these steps:

Note: Before building NSS 3.1, make sure that the MOZILLA_CLIENT environment variable is not defined.

  1. setenv CVSROOT

  2. cvs login
    At the password prompt, type anonymous

  3. cvs co -r NSS_3_1_1_RTM mozilla/

  4. cd mozilla

    This step pulls NSPR and dbm (the modules that NSS requires).

  6. ./configure --without-gtk --without-libIDL --without-x --enable-modules=dbm
    For Linux only:
    ./configure --without-gtk --without-libIDL --without-x --enable-modules=dbm --disable-elf-dynstr-gc

    If you get an error after this step, try again with the additional option --disable-pedantic.

  7. gmake
    Builds NSPR and dbm.

  8. cd ..

  9. cvs co -r NSS_3_1_1_RTM mozilla/security
    Pulls the NSS module with the CVS tag for the NSS 3.1.1 release.

  10. setenv NS_USE_GCC 1
    setenv NO_MDUPDATE 1

    This specifies GCC as the compiler. This step can be skipped on Linux.

  11. cd mozilla/security/coreconf

  12. gmake
    Builds nsinstall, which is used by the NSS build system.

  13. cd ../nss

  14. gmake moz_import
    Tells NSS where to find the NSPR and dbm header files and libraries.

  15. gmake
    Builds NSS.

Generating an Optimized Build

The above procedure generates a debug build (the default). To perform an optimized build, modify the procedure as follows:
  • In step 6, add these options to the configure script command line:

    --disable-debug --enable-optimize

  • Before step 11, do this:

    setenv BUILD_OPT 1

Choosing a Compiler

By default, mozilla's configure script uses the GNU C compiler (gcc) while NSS uses the native C amd C++ compilers.

If you use gcc, you don't need to do anything to mozilla's configure script, but you need to set the following two environment variables for NSS (as shown in step 10 above):

    setenv NS_USE_GCC 1
    setenv NO_MDUPDATE 1

If you use the native compilers, you don't need to do anything with NSS, but you need to tell mozilla's configure script the names of the native compilers.

For example, suppose the native C compiler is called cc and the native C++ compiler is called CC. You need to override the CC and CXX variables by replacing step 6 above with this:

    env CC=cc CXX=CC ./configure --without-gtk --without-libIDL --without-x --enable-modules=dbm

That is, the line in step 6 should be prepended with env CC=cc CXX=CC.

Windows Build Instructions

The Windows build procedure requires the following tools: To build NSS and the necessary components from Mozilla on Windows, make sure you have the tools listed above installed in your system, and follow these steps:

Note: Before building NSS 3.1, make sure that the MOZILLA_CLIENT environment variable is not defined.

  1. Set up the environment variables as described in the section "Set Up the Build Environment" of Building Mozilla on Microsoft Windows 32-bit platforms.

  2. Set CVSROOT.

  3. Log into CVS.
    cvs login
    At the password prompt, type anonymous

  4. Set the environment variables that control the kind of build:

    • set OS_TARGET=WIN95

    • NSS and the Mozilla dbm have different build options for indicating whether you want to generate a debug or optimized build. Therefore, the outcome depends on the way you combine several variables.

      In the following table, RTL stands for the C run-time library of MSVC, "debug RTL" corresponds to the /MDd compiler option, and "release RTL" corresponds to the /MD compiler option. To achieve the result shown in the left column, you must set the environment variables as shown in both the other columns of the same row.

      Build type Mozillas dbm NSS
      Debug, debug RTL set MOZ_DEBUG=1 set USE_DEBUG_RTL=1
      Debug, release RTL set MOZ_DEBUG=1
      set MOZ_NO_DEBUG_RTL=1
      Optimized (release RTL) None set BUILD_OPT=1

  5. Pull the following files (mozilla/config contains shared makefiles, mozilla/nsprpub is a module that dbm depends on, and mozilla/dbm is the dbm module itself):

    cvs co -r NSS_3_1_1_RTM mozilla/config
    cvs co -r NSPRPUB_RELEASE_4_1 mozilla/nsprpub
    cvs co -r NSS_3_1_1_RTM mozilla/dbm

  6. Build NSPR and then dbm:

    cd mozilla\nsprpub
    nmake /f
    cd ..\dbm
    nmake /f

  7. Pull the NSS module with the CVS tag for the NSS 3.1.1 release:

    cd ..\..
    cvs co -r NSS_3_1_1_RTM mozilla/security

  8. cd mozilla\security\nss
    Note: It's not necessary to build nsinstall on Windows.

  9. gmake moz_import
    Tells NSS where to find the NSPR and dbm header files and libraries.

  10. gmake
    Builds NSS.

Basic Tests

Once you have successfully built NSS, follow these steps to test the core functionality of the certutil tool and the setup and use of a basic SSL connection:
  1. Build NSS as described above and make sure that mozilla/dist/$(OBJDIR)/lib is in your shared library search path, which is specified by the LD_LIBRARY_PATH environment variable on most Unix platforms, by SHLIB_PATH on HP-UX, by LIBPATH on AIX, and by PATH on Windows.

  2. cd mozilla/security/nss/cmd/SSLsample

  3. gmake

  4. To create an SSL server certificate, you will need to include the host and domain names of the host you want to run the server on. For example, if your machine name is, you would set the two variables as follows:

    setenv HOSTNAME myhost (on UNIX this is most likely set already)
    setenv MYDOMAIN

    These variables must be set correctly for your SSL server to work.

  5. sh gencerts
    is a shell script that will generate a CA certificate, an SSL server certificate, and an SSL client certificate.

  6. You are now ready to run the sample SSL server. This is a sample command line:

    server -n SampleSSLServerCert -p 8080 -d SampleCertDBs -w sample -c e -R

  7. You can now connect to the server with client processes. This is a sample command line:

    client -n SampleSSLClientCert -p 8080 -d SampleCertDBs -w sample -c 2
For instructions on running more extensive NSS tests, see NSS Test Suite.