Re: Does selfserv have a memory leak?

2004-01-27 Thread Jean-Marc Desperrier
Julien Pierre wrote:
> HTTP/1.1 is a full-duplex protocol when chunked-encoding is used in both
> directions to stream.

Well, pipelining also makes it full-duplex, I think.
___
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto


Re: CERT advisory CA-2003-26: Vulnerability in SSL

2004-01-27 Thread POC
Julien,

Could you refresh my memory about FIPS mode? How do you turn it on in
NSS (what API call) and if not on, what does that entail for an NSS
app?

Also this softokn3.chk file: What is it for exactly, and does it need
to be in a special location? I assume it's related to the softoken
library which provides a software implementation of a PKCS#11 module.

-- POC


Re: CERT advisory CA-2003-26: Vulnerability in SSL

2004-01-27 Thread Wan-Teh Chang
POC wrote on 1/27/2004, 12:37 PM:
> Also this softokn3.chk file: What is it for exactly, and does it need
> to be in a special location? I assume it's related to the softoken
> library which provides a software implementation of a PKCS#11 module.

The softokn3.chk file contains a checksum for
softokn3.dll.  When in FIPS mode, softokn3.dll
is required to compute its checksum and compare
it with the value in softokn3.chk.

softokn3.chk must be installed in the same
directory as softokn3.dll.

On Unix platforms, this file is called
libsoftokn3.chk.

On 32-bit Solaris SPARC and 32-bit HP-UX
PA-RISC, you also need two additional .chk
files: libfreebl_pure32_3.chk and
libfreebl_hybrid_3.chk, which match the
libfreebl_pure32_3.{so,sl} and
libfreebl_hybrid_3.{so,sl} shared libraries
on these two platforms.

Wan-Teh


NSS 3.9 vs NSS 3.8, and spacing in strings in CERTCertificate cert objects

2004-01-27 Thread POC
Hello,

I'm looking at NSS 3.9 and one difference I noticed with previous
version NSS 3.8:

The cert object I get back from PK11_FindCertFromNickname() is a
struct of type CERTCertificate. When I get the cert subject name using
cert->subjectName, I noticed that, with NSS 3.9, the DN string does
NOT have spaces between the DN sub-components (eg,
CN=joetester,OU=Testing,O=testCorp,C=US).

The DN returned in NSS3.8 did however have spaces (eg, CN=joetester,
OU=Testing, O=testCorp, C=US).

This is causing me a little bit of a headache with my NSS app when
trying to identify a certificate by comparing the cert subject name
with a fixed known string...

Has there been a known change with spacing in the cert strings returned
by functions like PK11_FindCertFromNickname()? (I have a feeling that
the CERTCertificate struct is private and I should not rely on strings
like cert->subjectName...)

-- POC


Re: CERT advisory CA-2003-26: Vulnerability in SSL

2004-01-27 Thread Julien Pierre
POC wrote:
> Julien,
>
> Could you refresh my memory about FIPS mode? How do you turn it on in
> NSS (what API call) and if not on, what does that entail for an NSS
> app?

FIPS mode is a higher security mode of operation. You will get a lot
more token password prompts, and private keys cannot travel across
tokens even wrapped, among other things.

To enable/disable it, please see the code in the modutil tool in pk11.c,
specifically the FipsMode function.

> Also this softokn3.chk file: What is it for exactly, and does it need
> to be in a special location? I assume it's related to the softoken
> library which provides a software implementation of a PKCS#11 module.

As Wan-Teh pointed out, the file should live at the same location as the
softokn3 DLL/so file. On Solaris there are extra libfreebl*.chk files.


Re: CERT advisory CA-2003-26: Vulnerability in SSL

2004-01-27 Thread Nelson Bolyard
Julien Pierre wrote:
> Nelson,
>
> If your application uses FIPS mode, you need an additional softokn3.chk
> file, not just the NSS DLLs. Otherwise you won't be able to turn on
> FIPS mode (a feature Mozilla actually supports). This file first
> appeared in NSS 3.8 - it did not exist in 3.7.

Thank you for reminding me of that, Julien.
I tend to forget about FIPS mode.  :(


Re: Does selfserv have a memory leak?

2004-01-27 Thread Nelson Bolyard
Julien Pierre wrote:

> One minor correction, HTTP is not always half-duplex.
> HTTP/1.1 is a full-duplex protocol when chunked-encoding is used in both
> directions to stream. I.e. a client can POST variable-length data with
> chunked-encoding, and a server can respond with variable-length data
> with chunked-encoding. This allows HTTP to be used for things like
> tunneling, video applications, etc.

Thanks for that info.  I didn't know about chunked encoding.

> Netscape Enterprise Server/iPlanet
> Web Server/Sun ONE Web Server 6.x support this feature.

That doesn't surprise me.  The implementors of those products were
very thorough.  (Good job!)
/Nelson



Re: NSS 3.9 vs NSS 3.8, and spacing in strings in CERTCertificate cert objects

2004-01-27 Thread Nelson Bolyard
POC wrote:

> I'm looking at NSS 3.9 and one difference I noticed with previous
> version NSS 3.8:
> The cert object I get back from PK11_FindCertFromNickname() is a
> struct of type CERTCertificate. When I get the cert subject name using
> cert->subjectName, I noticed that, with NSS 3.9, the DN string does
> NOT have spaces between the DN sub-components (eg,
> CN=joetester,OU=Testing,O=testCorp,C=US).
> The DN returned in NSS3.8 did however have spaces (eg, CN=joetester,
> OU=Testing, O=testCorp, C=US).

There were a number of bugs with the cert name strings produced by NSS
prior to 3.9.  The strings produced by older versions of NSS did not
always fully conform to the relevant RFCs.
For example, when a name contains multiple attributes in a single RDN,
those attributes are supposed to be separated by +, rather than ,.
A comma should separate RDNs, and a plus should separate attributes
within an RDN.  But older NSS used comma to separate all attributes,
making it impossible to determine when an RDN contained multiple
attributes.  The presence of the spaces between attributes was another
aspect that did not strictly conform.  This lack of conformance was
causing interoperability issues with other implementations of cert code.
The strings produced by NSS 3.9 are much more conformant.  But in order
to achieve that conformance, it was necessary for the code to produce
different strings than it did before.

> This is causing me a little bit of a headache with my NSS app when
> trying to identify a certificate by comparing the cert subject name
> with a fixed known string...

Understood.  Perhaps that's why NSS never uses that method to compare
two cert names.  :)
NSS compares the DER-encoded names using SECITEM_ItemsAreEqual.
The DER form is also in the CERTCertificate struct.

> Has there been a known change with spacing in the cert strings returned
> by functions like PK11_FindCertFromNickname()? (I have a feeling that
> the CERTCertificate struct is private

If we ever produce an NSS 4.0, its cert struct will be private, but
the CERTCertificate in NSS 3.x is public.  We go to some pains to
preserve binary compatibility of this structure from release to
release, because we know that code outside of NSS uses it (although it
could be argued that we did not succeed with respect to these strings).
Code outside of NSS shared libraries should treat it as const (read only).

> and I should not rely on strings like cert->subjectName...)

Yes, that's true.  Here's another aspect of that issue for consideration.
The standard says that two attributes should compare as equal if they
only differ in whitespace.  For example, CN=Fred Flintstone and
CN=Fred  Flintstone and CN= Fred Flintstone  should all match, if
they are encoded as printable strings (as they typically are, at least
historically).  So, one way for you to approach this problem is to write
a much more involved comparison function that ignores whitespace.
I'm intentionally glossing over some details here.  If you want the
full story, read RFC 2253 and 3280.

> -- POC
___
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
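
Added example, not part of the thread and not NSS code: a minimal whitespace-insensitive comparison of DN strings of the kind suggested in the reply above, which keeps ',' (between RDNs) and '+' (within an RDN) significant. The function names are hypothetical; quoted values and case folding are not handled, so values are compared case-sensitively.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not an NSS function): copy src to dst in canonical form.
 * Whitespace next to ',', '+' and '=' and at either end is dropped; runs of
 * whitespace inside a value become one space; backslash-escaped characters are
 * copied verbatim. Returns 0 on success, -1 if dst (capacity cap) is too small. */
static int dn_normalize(const char *src, char *dst, size_t cap)
{
    size_t n = 0;
    int pending_space = 0;  /* whitespace seen but not yet written */
    int at_edge = 1;        /* at start, or just after a separator */

    if (cap == 0) return -1;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        if (isspace(c)) { pending_space = 1; continue; }
        int sep = (c == ',' || c == '+' || c == '=');
        if (n + 3 >= cap) return -1;        /* room for ' ', 2 chars, NUL */
        if (pending_space && !at_edge && !sep) dst[n++] = ' ';
        pending_space = 0;
        if (c == '\\' && src[1]) {          /* keep the escaped pair intact */
            dst[n++] = (char)c;
            dst[n++] = *++src;
            at_edge = 0;
            continue;
        }
        dst[n++] = (char)c;
        at_edge = sep;
    }
    dst[n] = '\0';
    return 0;
}

/* 1 = same name ignoring whitespace, 0 = different, -1 = input too long. */
static int dn_equal_ignoring_space(const char *a, const char *b)
{
    char na[512], nb[512];
    if (dn_normalize(a, na, sizeof na) || dn_normalize(b, nb, sizeof nb))
        return -1;
    return strcmp(na, nb) == 0;
}

int main(void)
{
    /* Constructed inputs, taken from the DN forms quoted in the thread. */
    printf("%d\n", dn_equal_ignoring_space(
        "CN=joetester, OU=Testing, O=testCorp, C=US",
        "CN=joetester,OU=Testing,O=testCorp,C=US"));
    printf("%d\n", dn_equal_ignoring_space("CN=Fred  Flintstone", "CN= Fred Flintstone "));
    printf("%d\n", dn_equal_ignoring_space("OU=A+CN=B", "OU=A,CN=B"));
    return 0;
}
```

Where the certificate itself is available, comparing the DER-encoded names as described in the reply avoids string formatting differences altogether.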

