Security
NSS loads p11-kit modules by default
Fedora provides a mechanism to configure PKCS#11 modules system wide, allowing crypto libraries (GnuTLS and OpenSSL) to use PKCS#11 modules in a consistent manner.
Until now, NSS applications haven’t benefited from it, because NSS uses a different configuration mechanism that requires users to register PKCS#11 modules in NSS databases.
Fedora 29 makes this manual procedure unnecessary by registering the p11-kit-proxy module (system PKCS#11 module aggregator) in NSS databases with the default configuration.
This allows NSS applications to use PKCS#11 modules in the same way as other crypto libraries, enabling consistency in PKCS#11 driver registration across the system.
Consequently, users will see improvements in smart card and hardware security module (HSM) use in Fedora.
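To audit which PKCS#11 modules a given NSS database will load, and whether the p11-kit-proxy registration described above is present, the following added example (not part of the Fedora release notes or of NSS) parses a database's module list. It assumes an NSS SQL database whose module list is stored in a `pkcs11.txt` file of blank-line-separated `key=value` stanzas; the function names and the sample contents are constructed for illustration.

```shell
#!/usr/bin/env bash
# List the PKCS#11 modules registered in an NSS SQL database's pkcs11.txt.
# Assumption: stanzas are blank-line separated "key=value" lines with
# "library=" and "name=" keys; an empty library= is NSS's built-in module.

# Print "name<TAB>library" for each stanza in the given pkcs11.txt.
nss_modules() {
    awk 'BEGIN { RS = ""; FS = "\n" }
    {
        name = ""; lib = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^name=/)    name = substr($i, 6)
            if ($i ~ /^library=/) lib  = substr($i, 9)
        }
        if (lib == "") lib = "(internal)"
        printf "%s\t%s\n", name, lib
    }' "$1"
}

# Succeed if any stanza loads p11-kit-proxy.so (with or without a path).
has_p11_kit_proxy() {
    nss_modules "$1" |
        awk -F '\t' '$2 ~ /(^|\/)p11-kit-proxy\.so$/ { found = 1 }
                     END { exit !found }'
}

# Constructed sample database contents (not taken from a real system).
make_sample() {
    cat > "$1" <<'EOF'
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='sql:/tmp/sample-nssdb'

library=p11-kit-proxy.so
name=p11-kit-proxy
EOF
}

sample=$(mktemp)
make_sample "$sample"
nss_modules "$sample"
has_p11_kit_proxy "$sample" && echo "p11-kit-proxy is registered"
rm -f "$sample"
```

Any module listed here other than the internal one and the proxy is a library that NSS applications using this database will load, so unexpected entries deserve review.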