Security
NSS loads p11-kit modules by default
Fedora provides a mechanism to configure PKCS#11 modules system wide,
allowing crypto libraries (GnuTLS and OpenSSL) to use PKCS#11 modules in a
consistent manner. Until now, NSS applications haven’t benefited from it as
NSS uses a different configuration mechanism which requires users to
register PKCS#11 modules in NSS databases. Fedora 29 makes this manual
procedure unnecessary by registering the p11-kit-proxy
module (system
PKCS#11 module aggregator) in NSS databases with the default configuration.
This allows NSS applciations to use PKCS#11 modules the same as other crypto
libraries, enabling consistency in PKCS#11 driver registration across the
system. Consequently, users will see improvements in smart card and
hardware security module (HSM) use in Fedora.
Want to help? Learn how to contribute to Fedora Docs ›