Re: Using JSS SSLSocket and and SSLServerSocket TLS 1.1 and 1.2
On 01/13/2015 09:18 AM, Christina Fu wrote:
> jss-4.2.6-35 can be found on koji for various supported fedora platforms. For rhel it's the same version number.
>
> Christina

Are there any outside available builds, like windows?

bob

> On 01/13/2015 09:09 AM, Robert Relyea wrote:
>> Christina, which version of JSS has TLS 1.1 and 1.2 support enabled?
>>
>> Bob
>>
>> On 01/12/2015 02:10 PM, deepr...@gmail.com wrote:
>>> Folks,
>>>
>>> Sorry for the totally newbie question but I've hunted high and low. I am supporting some Java code that uses JSS4, NSS to provide SSL server side services. In response to Poodle I've been looking at this code and was able to enable TLS explicitly and disable SSL to mitigate that in its most basic form. However I was hoping to be able to add at least TLS 1.1 if not 1.2 support.
>>>
>>> I cannot find how this is done or if possible. I've built the latest NSS code base which seemingly supports these protocols, and built JSS around it but can't seem to get a TLS 1.1/1.2 connection. The JSS source code also doesn't show any of the SHA256 ciphers etc. that imply TLS 1.2, so I've come to the conclusion that I cannot use JSS to execute TLS 1.1/1.2 server side connections.
>>>
>>> Hopefully I'm wrong, or stupid but not both. Can anyone confirm, deny or otherwise point me in the right direction on this topic.
>>>
>>> Thank you
>>> Colin

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Using JSS SSLSocket and and SSLServerSocket TLS 1.1 and 1.2
On Mon, Jan 12, 2015 at 11:10 PM, deepr...@gmail.com wrote:
> Folks,
>
> Sorry for the totally newbie question but I've hunted high and low. I am supporting some Java code that uses JSS4, NSS to provide SSL server side services. In response to Poodle I've been looking at this code and was able to enable TLS explicitly and disable SSL to mitigate that in its most basic form. However I was hoping to be able to add at least TLS 1.1 if not 1.2 support.

Java 8 enabled TLS 1.1 and TLS 1.2 by default on Java's control panel. This raised some problems with the protocol negotiation with our legacy OAS servers. Seems Oracle didn't honor cypherHonors :P

> I cannot find how this is done or if possible. I've built the latest NSS code base which seemingly supports these protocols, and built JSS around it but can't seem to get a TLS 1.1/1.2 connection. The JSS source code also doesn't show any of the SHA256 ciphers etc. that imply TLS 1.2, so I've come to the conclusion that I cannot use JSS to execute TLS 1.1/1.2 server side connections.

Probably I'm confused, but you could try:
- disabling everything but TLS1.1/1.2 and see if that works
- checking whether the protocols are supported but not used, or are not supported at all
- using -Djdk.tls.client.protocols=TLSv1,...
- creating a custom sslFactory and enjoy
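The last two suggestions in that reply (restrict the enabled protocols, wrap it in your own factory code) look like this in plain JSSE. This is an added example, not code from the thread and not JSS: it uses the JDK's javax.net.ssl API rather than the org.mozilla.jss.ssl classes the original question is about, so it shows the protocol-restriction idea, not a JSS fix. The class and member names (Tls11Only, WANTED, select, listen, connect) are my own.

```java
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.SSLServerSocketFactory;
import javax.net.ssl.SSLSocket;

/**
 * Restricts JSSE sockets to TLS 1.1 and 1.2 (added example; names are hypothetical).
 * SSLv3 is dropped, which is the POODLE mitigation the thread is about, and TLSv1.0 is
 * dropped too, so a peer that cannot speak 1.1 or 1.2 fails the handshake instead of
 * silently negotiating down to an older version.
 */
public final class Tls11Only {

    /** Protocol names as SunJSSE spells them, most preferred first. */
    static final List<String> WANTED = Arrays.asList("TLSv1.2", "TLSv1.1");

    /**
     * Intersects the protocols we want with what this JVM actually supports and keeps
     * our preference order. An empty result means the runtime cannot do TLS 1.1/1.2 at
     * all (old JDK); callers must treat that as a hard error, never fall back to SSLv3.
     */
    static String[] select(String[] supported) {
        List<String> have = Arrays.asList(supported);
        List<String> out = new ArrayList<>();
        for (String p : WANTED) {
            if (have.contains(p)) {
                out.add(p);
            }
        }
        return out.toArray(new String[0]);
    }

    /** Creates a listening socket that only negotiates TLS 1.1/1.2. */
    static SSLServerSocket listen(SSLContext ctx, int port) throws IOException {
        SSLServerSocketFactory f = ctx.getServerSocketFactory();
        SSLServerSocket ss = (SSLServerSocket) f.createServerSocket(port);
        String[] chosen = select(ss.getSupportedProtocols());
        if (chosen.length == 0) {
            ss.close();
            throw new IOException("runtime supports none of " + WANTED);
        }
        ss.setEnabledProtocols(chosen);
        return ss;
    }

    /** The same restriction on the client side, for code that also opens outbound TLS. */
    static SSLSocket connect(SSLContext ctx, String host, int port) throws IOException {
        SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port);
        String[] chosen = select(s.getSupportedProtocols());
        if (chosen.length == 0) {
            s.close();
            throw new IOException("runtime supports none of " + WANTED);
        }
        s.setEnabledProtocols(chosen);
        return s;
    }

    /** Self-check: shows what the default context supports versus what would be enabled. */
    public static void main(String[] args) throws Exception {
        SSLContext ctx = SSLContext.getDefault();
        // Port 0 picks any free port; nothing connects to it, we only inspect the socket.
        SSLServerSocket ss = listen(ctx, 0);
        System.out.println("supported: " + Arrays.toString(ss.getSupportedProtocols()));
        System.out.println("enabled:   " + Arrays.toString(ss.getEnabledProtocols()));
        ss.close();
    }
}
```

Two things worth knowing when comparing this with the reply's list: the -Djdk.tls.client.protocols property only influences the client side of JSSE, so it does nothing for a server socket, and setEnabledProtocols on the server socket is what actually decides which versions the server will accept.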
Re: best practices - python-nss to serialize PEM
On Tue, 2015-01-13 at 12:25 -0500, John Dennis wrote:
> On 01/13/2015 09:58 AM, Robert Daniels wrote:
>> I also need to serialize private keys in the same fashion. Any hints greatly appreciated.
>
> By design NSS prohibits access to private keys, therefore you cannot serialize private keys.

The correct thing to do in most cases is to serialise them to a PKCS#11 URI so that you can refer to them later. It depends what the original use case actually was, though.

-- 
dwmw2
Re: Using JSS SSLSocket and and SSLServerSocket TLS 1.1 and 1.2
Christina, which version of JSS has TLS 1.1 and 1.2 support enabled?

Bob

On 01/12/2015 02:10 PM, deepr...@gmail.com wrote:
> Folks,
>
> Sorry for the totally newbie question but I've hunted high and low. I am supporting some Java code that uses JSS4, NSS to provide SSL server side services. In response to Poodle I've been looking at this code and was able to enable TLS explicitly and disable SSL to mitigate that in its most basic form. However I was hoping to be able to add at least TLS 1.1 if not 1.2 support.
>
> I cannot find how this is done or if possible. I've built the latest NSS code base which seemingly supports these protocols, and built JSS around it but can't seem to get a TLS 1.1/1.2 connection. The JSS source code also doesn't show any of the SHA256 ciphers etc. that imply TLS 1.2, so I've come to the conclusion that I cannot use JSS to execute TLS 1.1/1.2 server side connections.
>
> Hopefully I'm wrong, or stupid but not both. Can anyone confirm, deny or otherwise point me in the right direction on this topic.
>
> Thank you
> Colin
Re: Accessing Firefox keystore
That's your mistake: using softokn+slot=2 will access your personal/installed certificates, not CA/trusted ones. Perhaps slot 1 will do, but I have never tried.

On Tue, Jan 13, 2015 at 5:19 PM, Opa114 opa...@gmail.com wrote:
> I mean the Server and CA certificates, not only my own certificates.
Re: Accessing Firefox keystore
On Tuesday, 13 January 2015 19:04:28 UTC+1, helpcrypto helpcrypto wrote:
> That's your mistake: using softokn+slot=2 will access your personal/installed certificates, not CA/trusted ones. Perhaps slot 1 will do, but I have never tried.
>
> On Tue, Jan 13, 2015 at 5:19 PM, Opa114 opa...@gmail.com wrote:
>> I mean the Server and CA certificates, not only my own certificates.

I tried slot = 1. Same output: 0 certs found.

Is there any documentation on what values the arguments could have, like certPrefix and keyPrefix and slot?

Firefox has the following certificate tabs in its manager:
- Personal
- People
- Server
- Trusted CA
- Other

I have to access all of these.
Re: best practices - python-nss to serialize PEM
On 01/13/2015 09:58 AM, Robert Daniels wrote:
> I also need to serialize private keys in the same fashion. Any hints greatly appreciated.

By design NSS prohibits access to private keys, therefore you cannot serialize private keys. However, you can export a cert/key pair in PKCS12 format. See nss.pkcs12_export. There isn't an example python program for pkcs12 but there is a unit test, see test/test_pkcs12.py. Because it's a unit test it's not a simple straightforward example, but it does illustrate using other command line tools which are used to verify the pkcs12 operation.

OpenSSL does permit extracting a key from a PKCS12 file, so once you've extracted the key/cert to a .p12 file you can use OpenSSL to get the key.

Note, there is no need to use python-nss to extract a cert/key from a NSS database, you can use the pk12util command line utility directly. FWIW the pkcs12 implementation in python-nss pretty much mirrors what pk12util is doing, using essentially the same NSS entry points.

-- 
John
Re: Accessing Firefox keystore
On Tue, Jan 13, 2015 at 7:18 PM, Opa114 opa...@gmail.com wrote:
> On Tuesday, 13 January 2015 19:04:28 UTC+1, helpcrypto helpcrypto wrote:
>> That's your mistake: using softokn+slot=2 will access your personal/installed certificates, not CA/trusted ones. Perhaps slot 1 will do, but I have never tried.
>>
>> On Tue, Jan 13, 2015 at 5:19 PM, Opa114 opa...@gmail.com wrote:
>>> I mean the Server and CA certificates, not only my own certificates.
>
> I tried slot = 1. Same output: 0 certs found.
>
> Is there any documentation on what values the arguments could have, like certPrefix and keyPrefix and slot?

http://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html#NSS

> Firefox has the following certificate tabs in its manager:
> - Personal

This is what I use

> - People

(personal without related private key)

> - Server
> - Trusted CA

I access these using certutil

> - Other
>
> I have to access all of these.
Re: Accessing Firefox keystore
The link to the Oracle docs did not contain detailed information on all the arguments.

Yes, Personal works. A way without certutil is not possible?
Re: Accessing Firefox keystore
Hi again Matthias,

Copy softokn+dependencies to %temp%, load the libraries in Java using System.load (also in order!) and then try to use sunpkcs11 with the following config:

    // path is where softokn3 is located; profile is the directory with the .db files.
    // nssArgs is one quoted value; the single quotes around configdir etc. are part of it.
    String config = "name = NSS\r\n"
        + "library = " + path + "\r\n"
        + "attributes = compatibility\r\n"
        + "showInfo = false\r\n"
        + "allowSingleThreadedModules = true\r\n"
        + "slot = 2\r\n"
        + "nssArgs = \"configdir='" + profile.replace("\\", "/")
        + "' secmod='secmod.db' certPrefix='' keyPrefix='' flags=readOnly\"\r\n";

path is where softokn3 is located; profile is the path where the .db files are located.

This should work. In the event of problems, check: http://docs.oracle.com/javase/7/docs/technotes/guides/security/p11guide.html

There are a lot of resources on google too.

Good luck ;)

On Mon, Jan 12, 2015 at 7:58 PM, Opa114 opa...@gmail.com wrote:
> On Monday, 12 January 2015 18:51:51 UTC+1, helpcrypto helpcrypto wrote:
>> This is the dependency lack ;)
>> This is what I have, probably some have changed:
>>
>>     // Native libraries softokn3 depends on, loaded explicitly so the loader
>>     // does not have to find them on its own.
>>     String[] nssDeps = { // WARNING: Order MATTERS!
>>         System.mapLibraryName("msvcr100"),
>>         System.mapLibraryName("msvcp100"),
>>         System.mapLibraryName("mozglue"),
>>         System.mapLibraryName("nss3"),
>>         System.mapLibraryName("mozutils"),
>>         System.mapLibraryName("mozcrt19"),
>>         System.mapLibraryName("nspr4"),
>>         System.mapLibraryName("plds4"),
>>         System.mapLibraryName("plc4"),
>>         System.mapLibraryName("nssutil3"),
>>         System.mapLibraryName("mozsqlite3"),
>>         System.mapLibraryName("sqlite3"),
>>         System.mapLibraryName("nssdbm3"),
>>         System.mapLibraryName("freebl3")
>>     };
>>
>> On Mon, Jan 12, 2015 at 5:55 PM, Opa114 opa...@gmail.com wrote:
>>> I tried it but get another error:
>>>
>>>     Caused by: java.io.IOException: modul not found - C:/Users/Matthias/AppData/Local/Temp/softokn3.dll
>>>
>>> but the file is in this folder. Where is the problem?
>
> I've done this. Loaded all the named libraries from you above.
> And now I get this error: CKR_DEVICE_ERROR
>
>     Caused by: sun.security.pkcs11.wrapper.PKCS11Exception: CKR_DEVICE_ERROR
>         at sun.security.pkcs11.wrapper.PKCS11.C_Initialize(Native Method)
>         at sun.security.pkcs11.wrapper.PKCS11$SynchronizedPKCS11.C_Initialize(PKCS11.java:1545)
>         at sun.security.pkcs11.wrapper.PKCS11.getInstance(PKCS11.java:157)
>         at sun.security.pkcs11.SunPKCS11.init(SunPKCS11.java:330)
>         ... 2 more
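Putting the pieces of that recipe together, here is an added example of my own (not the thread's pastebin code, and not JSS): it preloads the dependency libraries in a caller-supplied order, builds the same SunPKCS11 config with the quoting intact, opens the NSS profile read-only through the JDK's PKCS11 KeyStore type, and reports each alias with its subject and whether a private key is attached, which is the "read out the certificates" part of the original question. Class and member names (NssProfileCerts, preload, buildConfig, open, describe) are assumed; the Java 7/8 constructor form is used because that is what the linked Oracle guide documents, and the preload order and slot number are taken from the thread, not verified here.

```java
import java.io.ByteArrayInputStream;
import java.io.File;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.Provider;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Enumeration;
import java.util.List;

/**
 * Lists the certificates in a Firefox/NSS profile through SunPKCS11 and softokn3.
 * Added example; config layout follows the one posted in the thread, names are mine.
 * Java 7/8: sun.security.pkcs11.SunPKCS11(InputStream) takes the config as a stream.
 * Java 9+: use Security.getProvider("SunPKCS11").configure(pathToConfigFile) instead.
 */
public final class NssProfileCerts {

    /** Loads softokn3's native dependencies from dir, in the given order (order matters). */
    static void preload(String dir, String... names) {
        for (String n : names) {
            System.load(new File(dir, System.mapLibraryName(n)).getAbsolutePath());
        }
    }

    /**
     * Builds the SunPKCS11 config text. softoknPath is the full path to softokn3.dll/.so,
     * profileDir the Firefox profile holding cert8.db/key3.db/secmod.db. flags=readOnly
     * means the program cannot modify or delete anything in the profile, so a bug here
     * cannot damage the user's certificate store.
     */
    static String buildConfig(String softoknPath, String profileDir, int slot) {
        return "name = NSS\n"
             + "library = " + softoknPath + "\n"
             + "attributes = compatibility\n"
             + "showInfo = false\n"
             + "allowSingleThreadedModules = true\n"
             + "slot = " + slot + "\n"
             + "nssArgs = \"configdir='" + profileDir.replace("\\", "/")
             + "' secmod='secmod.db' certPrefix='' keyPrefix='' flags=readOnly\"\n";
    }

    /**
     * Instantiates the provider from the config text and opens its PKCS11 keystore.
     * pin is the profile's master password, or null when the profile has none (assumption:
     * null is accepted for an unprotected softokn token).
     */
    static KeyStore open(String config, char[] pin) throws Exception {
        InputStream in = new ByteArrayInputStream(config.getBytes(StandardCharsets.UTF_8));
        Provider p = new sun.security.pkcs11.SunPKCS11(in); // Java 7/8 API
        Security.addProvider(p);
        KeyStore ks = KeyStore.getInstance("PKCS11", p);
        ks.load(null, pin);
        return ks;
    }

    /** One line per entry: alias, certificate subject, and whether a private key is attached. */
    static List<String> describe(KeyStore ks) throws Exception {
        List<String> lines = new ArrayList<>();
        Enumeration<String> aliases = ks.aliases();
        while (aliases.hasMoreElements()) {
            String alias = aliases.nextElement();
            X509Certificate cert = (X509Certificate) ks.getCertificate(alias);
            String subject = cert == null ? "(no certificate)"
                                          : cert.getSubjectX500Principal().getName();
            lines.add(alias + " | " + subject + " | privateKey=" + ks.isKeyEntry(alias));
        }
        return lines;
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 2) {
            System.err.println("usage: NssProfileCerts <dir-with-nss-libs> <firefox-profile-dir> [slot]");
            return;
        }
        String libDir = args[0];
        // Dependency order as posted in the thread for the Windows build; adjust per platform.
        preload(libDir, "msvcr100", "msvcp100", "mozglue", "nss3", "nspr4", "plds4", "plc4",
                "nssutil3", "sqlite3", "nssdbm3", "freebl3");
        int slot = args.length > 2 ? Integer.parseInt(args[2]) : 2; // slot 2: personal certs, per the thread
        String softokn = new File(libDir, System.mapLibraryName("softokn3")).getAbsolutePath();
        KeyStore ks = open(buildConfig(softokn, args[1], slot), null);
        for (String line : describe(ks)) {
            System.out.println(line);
        }
    }
}
```

Because the config sets flags=readOnly, KeyStore.deleteEntry would fail on this keystore; dropping that flag is what "delete the certificates" later in the thread would require, and it is worth keeping the read-only form for anything that only inspects the profile. For the Trusted CA tab, the Oracle guide linked above documents a separate NSS mode (nssLibraryDirectory/nssSecmodDirectory with nssModule = trustanchors) for the built-in roots, which is the documented route rather than pointing library= at nssckbi directly.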
Re: best practices - python-nss to serialize PEM
I also need to serialize private keys in the same fashion. Any hints greatly appreciated.
Re: Accessing Firefox keystore
Thanks again. I have compared my code with the piece of code you posted and I have the same. But I still get the error: CKR_DEVICE_ERROR

I loaded the DLLs in your posted order. I copied the DLLs to the C:\users\myname\AppData\Local\Temp folder. The Mozilla profile folder is right, too. So I don't know where the problem is.

I read so many documents on the internet, but I found none which handles CKR_DEVICE_ERROR in any good and deep way. Could it be a problem with the DLL files? From where did you get the DLLs and which version are they? (Maybe you could send them to me?)

Do you think it could be worth a try to use JSS? But you wrote that JSS sucks. I only have to access the keystore and to read out the certificates and to delete the certificates and maybe show the private/public keys from some certificates.
Re: Accessing Firefox keystore
On Tuesday, 13 January 2015 12:14:28 UTC+1, helpcrypto helpcrypto wrote:
> On Tue, Jan 13, 2015 at 12:00 PM, Opa114 opa...@gmail.com wrote:
>> Thanks again. I have compared my code with the piece of code you posted and I have the same. But I still get the error: CKR_DEVICE_ERROR
>
> CKR_DEVICE_ERROR is an error on the cryptoki itself, as stated by the PKCS#11 standard. I have found this error several times when using buggy smartcards, but IIRC never with softokn.
>
>> I loaded the DLLs in your posted order. I copied the DLLs to the C:\users\myname\AppData\Local\Temp folder. The Mozilla profile folder is right, too. So I don't know where the problem is.
>
> Hope you copied before loading them on the new location ;)

Yes I did :)

>> I read so many documents on the internet, but I found none which handles CKR_DEVICE_ERROR in any good and deep way. Could it be a problem with the DLL files? From where did you get the DLLs and which version are they? (Maybe you could send them to me?)
>
> Don't think so. These DLLs are in the Firefox folder. As far as I can understand, there's no sense in sending my DLLs to you... they shall be the same.

Okay. But in my Firefox installation folder are not all the DLLs you listed. I know the nspr4.dll is from the NSPR build. But this DLL for example is not in my folder by default: mozutils.dll

> Send me a self-contained fully executable hello world/main/test.java and I can run it against my system, trying to find what's happening. I think it is better to work with your simple use-case/code, instead of sending you my complex code (lot of classes involved).

Here is my little piece of test code :)
http://pastebin.com/e5CCahxN
http://pastebin.com/kAsyG5Ai
These are the two classes which you need to test it.

>> Do you think it could be worth a try to use JSS? But you wrote that JSS sucks.
>
> I don't recommend you that. If you surrender after the first fall, you'll never win.

Okay :)

>> I only have to access the keystore and to read out the certificates and to delete the certificates and maybe show the private/public keys from some certificates.
>
> If you aren't going to sign/decrypt..., I suggest you use certutil.

Yeah, but I don't want to run any command line util in the background. And maybe this option comes in future, so it is better to do the thing right at the beginning.

> If this starts to become a personal conversation, maybe it is better to happen off-list.

I don't think it's too personal. Maybe other people have the same questions or problems :)
Re: Accessing Firefox keystore
On Tue, Jan 13, 2015 at 12:00 PM, Opa114 opa...@gmail.com wrote:
> Thanks again. I have compared my code with the piece of code you posted and I have the same. But I still get the error: CKR_DEVICE_ERROR

CKR_DEVICE_ERROR is an error on the cryptoki itself, as stated by the PKCS#11 standard. I have found this error several times when using buggy smartcards, but IIRC never with softokn.

> I loaded the DLLs in your posted order. I copied the DLLs to the C:\users\myname\AppData\Local\Temp folder. The Mozilla profile folder is right, too. So I don't know where the problem is.

Hope you copied before loading them on the new location ;)

> I read so many documents on the internet, but I found none which handles CKR_DEVICE_ERROR in any good and deep way. Could it be a problem with the DLL files? From where did you get the DLLs and which version are they? (Maybe you could send them to me?)

Don't think so. These DLLs are in the Firefox folder. As far as I can understand, there's no sense in sending my DLLs to you... they shall be the same.

Send me a self-contained fully executable hello world/main/test.java and I can run it against my system, trying to find what's happening. I think it is better to work with your simple use-case/code, instead of sending you my complex code (lot of classes involved).

> Do you think it could be worth a try to use JSS? But you wrote that JSS sucks.

I don't recommend you that. If you surrender after the first fall, you'll never win.

> I only have to access the keystore and to read out the certificates and to delete the certificates and maybe show the private/public keys from some certificates.

If you aren't going to sign/decrypt..., I suggest you use certutil.

If this starts to become a personal conversation, maybe it is better to happen off-list.
Re: Accessing Firefox keystore
This one is working: http://pastebin.com/qqPf4cvM

Regards

On Tue, Jan 13, 2015 at 12:29 PM, Opa114 opa...@gmail.com wrote:
> On Tuesday, 13 January 2015 12:14:28 UTC+1, helpcrypto helpcrypto wrote:
>> On Tue, Jan 13, 2015 at 12:00 PM, Opa114 opa...@gmail.com wrote:
>>> Thanks again. I have compared my code with the piece of code you posted and I have the same. But I still get the error: CKR_DEVICE_ERROR
>>
>> CKR_DEVICE_ERROR is an error on the cryptoki itself, as stated by the PKCS#11 standard. I have found this error several times when using buggy smartcards, but IIRC never with softokn.
>>
>>> I loaded the DLLs in your posted order. I copied the DLLs to the C:\users\myname\AppData\Local\Temp folder. The Mozilla profile folder is right, too. So I don't know where the problem is.
>>
>> Hope you copied before loading them on the new location ;)
>
> Yes I did :)
>
>>> I read so many documents on the internet, but I found none which handles CKR_DEVICE_ERROR in any good and deep way. Could it be a problem with the DLL files? From where did you get the DLLs and which version are they? (Maybe you could send them to me?)
>>
>> Don't think so. These DLLs are in the Firefox folder. As far as I can understand, there's no sense in sending my DLLs to you... they shall be the same.
>
> Okay. But in my Firefox installation folder are not all the DLLs you listed. I know the nspr4.dll is from the NSPR build. But this DLL for example is not in my folder by default: mozutils.dll
>
>> Send me a self-contained fully executable hello world/main/test.java and I can run it against my system, trying to find what's happening. I think it is better to work with your simple use-case/code, instead of sending you my complex code (lot of classes involved).
>
> Here is my little piece of test code :)
> http://pastebin.com/e5CCahxN
> http://pastebin.com/kAsyG5Ai
> These are the two classes which you need to test it.
>
>>> Do you think it could be worth a try to use JSS? But you wrote that JSS sucks.
>>
>> I don't recommend you that. If you surrender after the first fall, you'll never win.
>
> Okay :)
>
>>> I only have to access the keystore and to read out the certificates and to delete the certificates and maybe show the private/public keys from some certificates.
>>
>> If you aren't going to sign/decrypt..., I suggest you use certutil.
>
> Yeah, but I don't want to run any command line util in the background. And maybe this option comes in future, so it is better to do the thing right at the beginning.
>
>> If this starts to become a personal conversation, maybe it is better to happen off-list.
>
> I don't think it's too personal. Maybe other people have the same questions or problems :)
Re: best practices - python-nss to serialize PEM
Basically what I'm doing is pulling from the NSS store the private key, server cert, and the complete CA cert chain and converting to in-memory PEM.
Using JSS SSLSocket and and SSLServerSocket TLS 1.1 and 1.2
Folks,

Sorry for the totally newbie question but I've hunted high and low. I am supporting some Java code that uses JSS4, NSS to provide SSL server side services. In response to Poodle I've been looking at this code and was able to enable TLS explicitly and disable SSL to mitigate that in its most basic form. However I was hoping to be able to add at least TLS 1.1 if not 1.2 support.

I cannot find how this is done or if possible. I've built the latest NSS code base which seemingly supports these protocols, and built JSS around it but can't seem to get a TLS 1.1/1.2 connection. The JSS source code also doesn't show any of the SHA256 ciphers etc. that imply TLS 1.2, so I've come to the conclusion that I cannot use JSS to execute TLS 1.1/1.2 server side connections.

Hopefully I'm wrong, or stupid but not both. Can anyone confirm, deny or otherwise point me in the right direction on this topic.

Thank you
Colin
Re: Accessing Firefox keystore
I mean the Server and CA certificates, not only my own certificates.
Re: Accessing Firefox keystore
I searched around a little bit and looked into the Mozilla DLLs, and I found out that the built-in trusted root CAs are in nssckbi.dll, so I changed my code to load this DLL as the library in the config instead of softokn3.dll. The program runs and gets no error, but the size is zero. Any idea how to solve this?