NSS environment variables

Note: NSS Environment Variables are subject to be changed and/or removed from NSS.

Run-Time Environment Variables

These environment variables affect the RUN TIME behavior of NSS shared libraries. There is a separate set of environment variables that affect how NSS is built, documented below.

Each entry below gives the variable name, its type and accepted values, the NSS version in which it was introduced, and a description.

NSRANDCOUNT: Integer (byte count). Introduced in 3.12.3.
    Sets the maximum number of bytes to read from the file named in the environment variable NSRANDFILE (see below). Makes NSRANDFILE usable with /dev/urandom.

NSRANDFILE: String (file name). Introduced before 3.0.
    Uses this file to seed the pseudo-random number generator.

NSS_ALLOW_WEAK_SIGNATURE_ALG: Boolean (any non-empty value to enable). Introduced in 3.12.3.
    Enables the use of MD2 and MD4 inside signatures. This was allowed by default before NSS 3.12.3.

NSS_DEBUG_PKCS11_MODULE: String (module name). Introduced in 3.6.
    Names the PKCS #11 module to be traced. See PKCS #11 Module Logger.

NSS_DEFAULT_DB_TYPE: String ("dbm", "sql", or "extern"). Introduced in 3.12.
    Determines the default database type to open if the application does not specify one. See NSS_Shared_DB.

NSS_DISABLE_ARENA_FREE_LIST: String (any non-empty value). Introduced in 3.4.
    Define this variable to get accurate leak allocation stacks when using leak reporting software. See NSS_Memory_allocation.

NSS_DISABLE_UNLOAD: String (any non-empty value). Introduced in 3.11.8.
    Disables unloading of dynamically loaded NSS shared libraries during shutdown. Necessary on some platforms to get correct function names when using leak reporting software.

NSS_ENABLE_AUDIT: Boolean (1 to enable). Introduced in 3.11.2.
    Enables auditing of the activities of the NSS cryptographic module in FIPS mode. See Audit Data.

NSS_ENABLE_PKIX_VERIFY: Boolean (any non-empty value to enable). Introduced in 3.12.
    Uses libPKIX, rather than the old cert library, to verify certificates.

NSS_FIPS: String ("fips", "true", "on", "1"). Introduced in 3.12.5.
    Starts NSS in FIPS mode.

NSS_HASH_ALG_SUPPORT: String. Introduced in 3.12.3.
    Specifies the algorithms allowed to be used in certain applications, such as in signatures on certificates and CRLs. See the separate documentation for this variable.

NSS_OUTPUT_FILE: String (file name). Introduced in 3.7.
    Output file path name for the PKCS #11 Module Logger. Default is stdout.

NSS_SDB_USE_CACHE: String ("no", "yes", "auto"). Introduced in 3.12.
    Controls whether NSS uses a local cache of SQL database contents. Default is "auto". See the source for more information.

NSS_SSL_CBC_RANDOM_IV: String ("0", "1").
    Controls the workaround for the BEAST attack on SSL 3.0 and TLS 1.0. "0" disables it, "1" enables it. The workaround is also known as 1/n-1 record splitting. Default is "1".

NSS_SSL_ENABLE_RENEGOTIATION: String ([0|n|N], [1|u|U], [2|r|R], [3|t|T]). Introduced in 3.12.5; modified in 3.12.6.
    Sets how TLS renegotiation is handled. The values below are defined for NSS 3.12.6 and above.
  • [0|n|N]: SSL_RENEGOTIATE_NEVER
    Never allow renegotiation. This was the default for the 3.12.5 release.
  • [1|u|U]: SSL_RENEGOTIATE_UNRESTRICTED
    Server and client are allowed to renegotiate without any restrictions. This setting was the default prior to 3.12.5 and makes products vulnerable.
  • [2|r|R]: SSL_RENEGOTIATE_REQUIRES_XTN (default)
    Only allows renegotiation if the peer's hello bears the TLS renegotiation_info extension. This is safe renegotiation.
  • [3|t|T]: SSL_RENEGOTIATE_TRANSITIONAL
    Disallows unsafe renegotiation in server sockets only, but allows clients to continue to renegotiate with vulnerable servers. This value should only be used during the transition period when few servers have been upgraded.

NSS_SSL_REQUIRE_SAFE_NEGOTIATION: Boolean (1 to enable). Introduced in 3.12.5.
    Controls whether the safe renegotiation indication is required for the initial handshake. In other words, a connection is dropped at the initial handshake if the server or client does not support safe renegotiation. The default setting for this option is FALSE.

NSS_SSL_SERVER_CACHE_MUTEX_TIMEOUT: Integer (seconds). Introduced in 3.4.
    Timeout used to detect a dead or hung process in a multi-process SSL server. Default is 30 seconds.

NSS_STRICT_NOFORK: String ("1", "DISABLED", or any other non-empty value). Introduced in 3.12.3.
    It is an error to try to use a PKCS #11 crypto module in a process before it has been initialized in that process, even if the module was initialized in the parent process. Beginning in NSS 3.12.3, Softoken detects this error. This environment variable controls Softoken's response to that error.
  • If set to "1" or unset, Softoken will trigger an assertion failure in DEBUG builds, and will report an error in non-DEBUG builds.
  • If set to "DISABLED", Softoken will ignore forks, and behave as it did in older versions.
  • If set to any other non-empty value, Softoken will report an error in both DEBUG and non-DEBUG builds.

NSS_STRICT_SHUTDOWN: String (any non-empty value). Introduced in 3.5.
    Triggers an assertion failure in debug builds when a program tries to shut down NSS before freeing all the resources it acquired from NSS while NSS was initialized.

NSS_TRACE_OCSP: Boolean (any value to enable). Introduced in 3.12.
    Enables OCSP tracing. The trace information is written to the file pointed to by NSPR_LOG_FILE (default stderr). See NSS tracing.

NSS_USE_DECODED_CKA_EC_POINT: Boolean (any value to enable). Introduced in 3.12.3.
    Tells NSS to send EC key points across the PKCS #11 interface in the non-standard unencoded format that was used by default before NSS 3.12.3.

NSS_USE_SHEXP_IN_CERT_NAME: Boolean (any value to enable). Introduced in 3.12.3.
    Tells NSS to allow shell-style wildcard patterns in certificates to match SSL server host names. This behavior was the default before NSS 3.12.3.

PKIX_OBJECT_LEAK_TEST_ABORT_ON_LEAK: String (any non-empty value). Introduced in 3.12.
    Debug variable for PKIX leak checking. Note: the code must be built with PKIX_OBJECT_LEAK_TEST defined to use this functionality.

SOCKETTRACE: Boolean (1 to enable). Introduced in 3.12.
    Controls tracing of socket activity by libPKIX. Messages sent and received are timestamped and dumped (to stdout) in standard hex-dump format.

SQLITE_FORCE_PROXY_LOCKING: Boolean (1 to enable). Introduced in 3.12.6.
    1 means always use the proxy, 0 means never use the proxy, and NULL means use the proxy for non-local files only.

SSLBYPASS: Boolean (1 to enable). Introduced in 3.11.
    Uses the PKCS #11 bypass for a performance improvement. Do not set this variable if FIPS is enabled.

SSLDEBUG: Integer (debug level). Introduced before 3.0.
    Note: the code must be built with DEBUG defined to use this functionality.

SSLDEBUGFILE: String (file name). Introduced in 3.12.
    File where debug or trace information is written. If not set, the debug or trace information is written to stderr.
    Note: SSLDEBUG or SSLTRACE has to be set to use this functionality.

SSLFORCELOCKS: Boolean (1 to enable). Introduced in 3.11.
    Forces NSS to use locks for protection. Overrides the effect of SSL_NO_LOCKS (see ssl.h).

SSLKEYLOGFILE: String (file name). Introduced in 3.12.6.
    Key log file. If set, NSS logs RSA pre-master secrets to this file. This allows packet sniffers to decrypt TLS connections. See the documentation.

SSLTRACE: Integer (tracing level). Introduced before 3.0.
    Note: the code must be built with TRACE defined to use this functionality.
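Several of the run-time variables above either weaken what NSS accepts (NSS_ALLOW_WEAK_SIGNATURE_ALG, NSS_USE_SHEXP_IN_CERT_NAME, the unrestricted and transitional renegotiation modes, NSS_SSL_CBC_RANDOM_IV=0) or leak key material (SSLKEYLOGFILE), so a production service should not inherit them from a developer's shell. The following POSIX shell script is an added example, not code from the NSS project or from this page: it maps an NSS_SSL_ENABLE_RENEGOTIATION value to its SSL_RENEGOTIATE_* mode name and audits the current environment for the risky settings described in the table. The function names nss_reneg_mode and nss_env_findings are this example's own, and treating any non-empty NSS_FIPS as "FIPS enabled" is a simplification of the documented accepted values.

```shell
#!/bin/sh
# Added example, not part of the NSS documentation or the NSS sources: a
# pre-flight audit of the current environment for NSS run-time variables that
# weaken TLS/certificate checking or leak secrets, based on the descriptions
# in the run-time variable table. Function names are this example's own.

# Map an NSS_SSL_ENABLE_RENEGOTIATION value to its SSL_RENEGOTIATE_* mode name
# using the spellings defined for NSS 3.12.6 and above. An unset or empty
# value maps to the documented default, SSL_RENEGOTIATE_REQUIRES_XTN.
nss_reneg_mode() {
    case "${1:-}" in
        ""|2|r|R) echo SSL_RENEGOTIATE_REQUIRES_XTN ;;
        0|n|N)    echo SSL_RENEGOTIATE_NEVER ;;
        1|u|U)    echo SSL_RENEGOTIATE_UNRESTRICTED ;;
        3|t|T)    echo SSL_RENEGOTIATE_TRANSITIONAL ;;
        *)        echo UNKNOWN ;;
    esac
}

# Print one finding per line for risky settings in the current environment and
# return the number of findings (0 means nothing to report).
nss_env_findings() {
    _nss_count=0
    if [ -n "${NSS_ALLOW_WEAK_SIGNATURE_ALG:-}" ]; then
        echo "NSS_ALLOW_WEAK_SIGNATURE_ALG: MD2/MD4 allowed inside signatures"
        _nss_count=$((_nss_count + 1))
    fi
    if [ -n "${NSS_USE_SHEXP_IN_CERT_NAME:-}" ]; then
        echo "NSS_USE_SHEXP_IN_CERT_NAME: shell-style wildcards accepted when matching server host names"
        _nss_count=$((_nss_count + 1))
    fi
    if [ -n "${SSLKEYLOGFILE:-}" ]; then
        echo "SSLKEYLOGFILE: RSA pre-master secrets are written to $SSLKEYLOGFILE; captured TLS traffic can be decrypted"
        _nss_count=$((_nss_count + 1))
    fi
    _nss_mode=$(nss_reneg_mode "${NSS_SSL_ENABLE_RENEGOTIATION:-}")
    case "$_nss_mode" in
        SSL_RENEGOTIATE_UNRESTRICTED|SSL_RENEGOTIATE_TRANSITIONAL|UNKNOWN)
            echo "NSS_SSL_ENABLE_RENEGOTIATION=${NSS_SSL_ENABLE_RENEGOTIATION:-}: mode $_nss_mode (safe mode is SSL_RENEGOTIATE_REQUIRES_XTN)"
            _nss_count=$((_nss_count + 1)) ;;
    esac
    # Unset means the documented default "1" (workaround enabled).
    if [ "${NSS_SSL_CBC_RANDOM_IV:-1}" = 0 ]; then
        echo "NSS_SSL_CBC_RANDOM_IV=0: 1/n-1 record splitting (BEAST workaround) disabled"
        _nss_count=$((_nss_count + 1))
    fi
    # Simplification: any non-empty NSS_FIPS is treated as FIPS mode requested.
    if [ "${SSLBYPASS:-}" = 1 ] && [ -n "${NSS_FIPS:-}" ]; then
        echo "SSLBYPASS=1 with NSS_FIPS set: the PKCS #11 bypass must not be used when FIPS is enabled"
        _nss_count=$((_nss_count + 1))
    fi
    if [ "${NSS_STRICT_NOFORK:-}" = DISABLED ]; then
        echo "NSS_STRICT_NOFORK=DISABLED: Softoken ignores use of a module after fork() without re-initialization"
        _nss_count=$((_nss_count + 1))
    fi
    return "$_nss_count"
}

# When run directly: report the renegotiation mode and any findings. The
# return value of nss_env_findings lets a service start script refuse to
# launch with a weakened NSS environment.
echo "TLS renegotiation mode: $(nss_reneg_mode "${NSS_SSL_ENABLE_RENEGOTIATION:-}")"
nss_env_findings || echo "$? risky NSS setting(s) found"
```

Source the file from a start script and call `nss_env_findings` before launching the service; a non-zero return means at least one of the settings above is present in the environment the service would inherit.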

Build-Time Environment Variables

These environment variables affect the build (compilation) of NSS.

Note: This section is a work in progress and is not yet complete.
Each entry below gives the variable name, its type and accepted values, the NSS version in which it was introduced, and a description.

BUILD_OPT: Boolean (1 to enable). Introduced before 3.0.
    Do an optimized (not DEBUG) build. Default is to do a DEBUG build.

MOZ_DEBUG_SYMBOLS: Boolean (1 to enable). Introduced in 3.11.
    Needed on Windows to build with versions of MSVC (such as VC8 and VC9) that do not understand /PDB:NONE.

MOZ_DEBUG_FLAGS: String. Introduced in 3.12.8.
    When MOZ_DEBUG_SYMBOLS is set, you may use MOZ_DEBUG_FLAGS to specify alternative compiler flags to produce symbolic debugging information in a particular format.

NSDISTMODE: String. Introduced before 3.0.
    On operating systems other than Windows, this controls whether copies, absolute symlinks, or relative symlinks of the output files are published to mozilla/dist. The possible values are:
  • copy: copies of files are published
  • absolute_symlink: symlinks whose targets are absolute pathnames are published
    If not specified, the default is relative symlinks (symlinks whose targets are relative pathnames). On Windows, copies of files are always published.

NS_USE_GCC: Boolean (1 to enable). Introduced before 3.0.
    On systems where GCC is not the default compiler, this tells NSS to build with gcc.

NSS_ALLOW_SSLKEYLOGFILE: Boolean (1 to enable). Introduced in 3.24.
    Enables support in optimized builds for logging SSL/TLS key material to a log file when the SSLKEYLOGFILE environment variable is set. As of NSS 3.24 this is disabled by default.

NSS_BUILD_CONTINUE_ON_ERROR: Boolean (1 to enable). Introduced in 3.12.4.
    Continue building NSS source directories when a build error occurs.

NSS_USE_SYSTEM_SQLITE: Boolean (1 to enable). Introduced in 3.12.6.
    Use the system-installed sqlite library instead of the in-tree version.

NSS_DISABLE_ECC (deprecated): Boolean (1 to disable). Introduced in 3.16.
    Disables Elliptic Curve Cryptography features. As of NSS 3.16, ECC features are enabled by default. As of NSS 3.33 this variable has no effect.

NSS_ENABLE_ECC (deprecated): Boolean (1 to enable). Introduced in 3.11; unused as of 3.16.
    Enables building of code that uses Elliptic Curve Cryptography. Unused as of NSS 3.16; see NSS_DISABLE_ECC.

NSS_FORCE_FIPS: Boolean (1 to enable). Introduced in 3.24.
    Allows enabling FIPS mode using NSS_FIPS.

OS_TARGET: String (target OS). Introduced before 3.0.
    For cross-compilation environments only, when the target OS is not the default for the system on which the build is performed. Values understood: WIN95.

USE_64: Boolean (1 to enable). Introduced before 3.0.
    On platforms that have separate 32-bit and 64-bit ABIs, NSS builds for the 32-bit ABI by default. This tells NSS to build for the 64-bit ABI.

USE_DEBUG_RTL: Boolean (1 to enable). Introduced before 3.0.
    On Windows, MSVC has options to build with a normal Run Time Library or a debug Run Time Library. This tells NSS to build with the debug Run Time Library.

USE_PTHREADS: Boolean (1 to enable). Introduced before 3.0.
    On platforms where POSIX threads are available but are not the OS's preferred threads library, this tells NSS and NSPR to build using pthreads.

NSS_NO_PKCS11_BYPASS: String (1 to enable). Introduced before 3.15.
    Disables at compile time the NSS SSL code that bypasses the PKCS #11 layer. When set, the SSLBYPASS run-time variable has no effect.