Re: NSS v3.52 and TLSv1.3's Post-Handshake Authentication -- completion notification?

2020-07-07 Thread Martin Thomson
On Wed, Jul 8, 2020 at 2:36 AM Daiki Ueno wrote: > > Martin Thomson writes: > > > I think that we considered this when we first landed this code, but > > deferred adding any callbacks until it was clear what the right answer > > was. As you say, you get

Re: NSS v3.52 and TLSv1.3's Post-Handshake Authentication -- completion notification?

2020-07-06 Thread Martin Thomson
Daiki might have some ideas about how to approach this. I think that we considered this when we first landed this code, but deferred adding any callbacks until it was clear what the right answer was. As you say, you get the callback, but you might not if the request is rejected. On Tue, Jul 7,

Re: [ANNOUNCE] NSS 3.53 release

2020-06-11 Thread Martin Thomson
On Fri, Jun 12, 2020 at 1:16 AM Robert Relyea wrote: > > On 6/10/20 10:48 PM, Martin Thomson wrote: > > Is there an automated check we can run that will help us remember to > > do this properly in future? I really don't like having to remember > > this sort of thing.

Re: [ANNOUNCE] NSS 3.53 release

2020-06-10 Thread Martin Thomson
Is there an automated check we can run that will help us remember to do this properly in future? I really don't like having to remember this sort of thing. On Thu, Jun 11, 2020 at 3:52 AM Robert Relyea wrote: > > On 6/1/20 5:18 PM, JC Jones wrote: > > The NSS team released Network Security

Re: NSS 3.47.1 build fail on windows

2020-01-08 Thread Martin Thomson
You shouldn't need to start the mozilla-build shell from within a VS shell. Our build uses vswhere and the registry to find the necessary pieces. That might be where things are going awry. From looking at your output, you might want to check this path: "/c/apps/MVS15/VC/Tools/MSVC/14.10.25017

Re: NSS3 (v3.14) on XP (FF52) - where to post questions about its API ?

2019-10-14 Thread Martin Thomson
Moved to dev-tech-crypto. NSS has some limited certificate validation code, but you have to roll it in. You can take a look at either tstclnt or firefox code to see how to put something together. The firefox code is much more complex. On Mon, 14 Oct. 2019, 12:37 R.Wieser, wrote: > Hello all, >

Re: WIP: TLS with GOST ciphersuites in NSS

2019-07-17 Thread Martin Thomson
Hi Paul, I don't want to answer specific questions here, but I did want to address the higher level point. Integrating all the pieces for a new cipher suite is a major project. I strongly suggest that you work on doing this in pieces. If you intend to present a single patch that adds all the

Re: Failed building NSS 3.44 on MacOSX

2019-06-26 Thread Martin Thomson
https://bugzilla.mozilla.org/show_bug.cgi?id=1561510 is where we should keep discussing this. On Wed, Jun 26, 2019 at 4:19 PM Martin Thomson wrote: > OK, this looks like I hit a problem in my system (which I only use > rarely). I am now hitting your issue. > > This is a failure in

Re: Failed building NSS 3.44 on MacOSX

2019-06-26 Thread Martin Thomson
s are at the end of the string. Maybe it is because the version of make we now have on mac quotes the arguments (as it should). The fix is simple enough; I'll get something in review soon. On Wed, Jun 26, 2019 at 3:30 PM John Jiang wrote: > Hi Martin, > Thanks for your reply! > > On Wed, Ju

Re: Failed building NSS 3.44 on MacOSX

2019-06-25 Thread Martin Thomson
I had trouble myself, but it turns out that even if you are all up to date, XCode isn't upgraded. The error I get is the result of XCode being out of date. Confirm by looking for a config.log in the NSPR directory. If it contains a message like the one below, the outdated XCode is the problem.

Re: [ANNOUNCE] NSS 3.44 Release

2019-05-16 Thread Martin Thomson
On Thu, May 16, 2019 at 2:03 PM Miklos Vajna wrote: > Is it possible to use this static mode when building via the provided > Makefile? > No. We're gradually phasing out support for Makefiles. They are very hard to maintain. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org

Re: Is there some problem with treeherder?

2019-03-18 Thread Martin Thomson
+Dustin Mitchell who might have some insight into this. On Tue, Mar 19, 2019 at 6:03 AM Robert Relyea wrote: > I've been trying to get an nss-try builds with nss-tools for a couple of > days now, but it looks like both nss-try and nss are not properly > running any tests. Is there an outage,

Re: Possible ABI break when updating from NSS 3.39 to 3.41

2019-01-20 Thread Martin Thomson
We routinely run similar checks on our builds and track the changes that libabigail reports. We require that ABI changes, even of the benign sort you found are reviewed and accepted. The set of expected changes between releases is found here:

Re: Debug info on NSS tools

2019-01-06 Thread Martin Thomson
You need to build a debug build with -DDEBUG. Disabling optimization is a different thing. The default build with build.sh or make nss_build_all should be fine. On Sat, 5 Jan. 2019, 11:40 John Jiang I had read that page. In fact, SSLDEBUG and SSLTRACE were used in my last > try. > My NSS was

Re: Debug info on NSS tools

2019-01-02 Thread Martin Thomson
Try exporting SSLTRACE=100. That might be too much detail, but lower numbers are still useful. I find that 20-ish gets some fairly useful logging. On Thu, Jan 3, 2019 at 6:12 PM John Jiang wrote: > Can NSS tools, like selfserv and tstclnt, output debug info? > My NSS binary is built with

Re: Using AES256 cipher directly...?

2018-12-07 Thread Martin Thomson
On Fri, Dec 7, 2018 at 12:26 PM Paul Smith wrote: > Another thing that I didn't bring up: I need to implement this in other > languages (at least Java and Python), so clients can connect to the > service. So I need to consider availability in other crypto libraries > like Python ssl and javax

Re: Using AES256 cipher directly...?

2018-12-07 Thread Martin Thomson
Hi Paul, I think NSS has all you need here. Including TLS 1.3 should you prefer that. Unfortunately, we can't say that we have a PAKE, so I appreciate that you aren't able to just drop that in. In the meantime,,, On Fri, Dec 7, 2018 at 9:18 AM Paul Smith wrote: > I have a session key from

Re: Tyring to buld NSS 3.38 - Win10 x64

2018-08-15 Thread Martin Thomson
The current process is a bit broken. See https://bugzilla.mozilla.org/show_bug.cgi?id=1434943 for more. Some people report success with the patch there, but it's not completely ready. On Tue, Aug 14, 2018 at 6:00 AM Will Barnz wrote: > > I'm trying to build NSS 3.38. I've downloaded and

Re: How do selfserv and tstclnt specify RSASSA-PSS certificate?

2018-05-30 Thread Martin Thomson
This was a feature we supported, but we have an open item to restore full PSS support for TLS after some changes in TLS 1.3 reassigned the meaning of the codepoints. (It's been a few months, and a low priority item, but it is still on my todo list). Getting selfserv and tstclnt to use those keys

Re: Identifying the NSS version/tag from a n NSS source tree?

2018-05-17 Thread Martin Thomson
In the gecko tree, there is a file called TAG-INFO that lists the exact NSS revision. On Fri, May 18, 2018 at 7:21 AM Jonathan Wilson wrote: > I have an NSS source tree (that is, the contents of security\nss as seen in > a Gecko source tree), how can I figure out what

Re: Building NSS 3.32.1 on Solaris

2018-05-17 Thread Martin Thomson
That looks like you haven't got a c++ compiler that supports c++11. You can disable building the tests with NSS_DISABLE_GTESTS. On Fri, May 18, 2018 at 3:30 AM Usha Nayak wrote: > Hi Wan-Teh > Thanks for replying and appreciate your help. > Modifying the file as you

Re: [ANNOUNCE] NSS 3.37 Release

2018-05-14 Thread Martin Thomson
Yes, aside from the version number the two versions are identical. On Mon, 14 May 2018, 21:51 Kai Engert, wrote: > On 14.05.2018 13:24, Kai Engert wrote: > > On 14.05.2018 11:11, Kurt Roeckx wrote: > >> On 2018-05-08 22:49, Kai Engert wrote: > >>> Notable changes: > >>> * The TLS

Re: selfserv and tstclnt on SNI

2018-02-08 Thread Martin Thomson
These sound like simple bugs. Most are probably good first bugs for someone looking to contribute. On Thu, Feb 8, 2018 at 6:13 PM, John Jiang wrote: > Hi, > Using NSS 3.35. > > It looks tstclnt always send SNI extension, even though no option "-a". > As for selfserv, I

Re: how do I test if NSS supports an algorithm at build time?

2018-02-07 Thread Martin Thomson
We do this probing in NSS because we can't guarantee that the softoken implementation matches the libssl implementation version. Yeah, strange world we live in, right? The probe is a little ugly, because there isn't a straight function you can call that says "this algorithm is supported": This

Re: NSS: Unable to verify close_notify in client code?

2017-12-19 Thread Martin Thomson
See SSL_AlertReceivedCallback(). On 20 Dec. 2017 6:22 am, "Johann 'Myrkraverk' Oskarsson" wrote: > Hi, > > Is it really impossible to verify if the server sent close_notify in a > normal NSS client application? > > In both cases, PR_Read() returns zero with no error

Re: Security implications for TLS validation post handshake

2017-10-18 Thread Martin Thomson
I think that Alex and Kurt partially answered your questions. On Wed, Oct 18, 2017 at 8:27 PM, Gregory Szorc wrote: > I'm very naive about how TLS libraries are implemented and how the TLS > handshake works. The basic design is that the client decides what to offer and then

Re: error: nss-softokn, ec.c, ECCurve25519 undeclared

2017-09-27 Thread Martin Thomson
This should be defined in ecl-exp.h, which is transitively included from ec.c via blapi.h and blapit.h. On Thu, Sep 28, 2017 at 10:10 AM, Captain Wiggum wrote: > I build nss and nss-softokn on a regular basis and follow periodic updates. > I am seeing this new error with

[ANNOUNCE] NSS 3.29.2 Release

2017-03-02 Thread Martin Thomson
The NSS team has released Network Security Services (NSS) 3.29.2 No new functionality is introduced in this release. This is a patch release to fix an issue with TLS session tickets. The full release notes are available at

Re: xmlsec / ECDSA problem

2017-02-17 Thread Martin Thomson
On Sat, Feb 18, 2017 at 8:59 AM, Jeremy Rowley wrote: > It's still permitted in the policy. > > https://www.mozilla.org/en-US/about/governance/policies/security-group/certs > /policy/#inclusion Yes, well... The policy says P-512, which doesn't actually exist. The

Re: xmlsec / ECDSA problem

2017-02-15 Thread Martin Thomson
On Thu, Feb 16, 2017 at 4:22 AM, Gervase Markham wrote: > Did things break when we disabled it? A few things. It lasted less than a day in Nightly before we got multiple bug reports. > Do we know why Chrome decided not to support it? Two NIST curves is enough? That's my

Re: xmlsec / ECDSA problem

2017-02-15 Thread Martin Thomson
On Thu, Feb 16, 2017 at 3:44 AM, Gervase Markham wrote: > There seemed to be some confusion recently in m.d.s.policy about whether > NSS, and then Firefox, supported P-521 for server auth certs. Can > someone clear it up for me and tell me what the situation is? :-) Sure.

Re: xmlsec / ECDSA problem

2017-02-15 Thread Martin Thomson
On Wed, Feb 15, 2017 at 7:59 PM, Miklos Vajna wrote: > To avoid solving multiple problems at once, probably I'll go for an > other ECDSA testcase first where the parameter is supported by NSS. :-) The best supported curve is P-256 (i.e., secp256r1), but P-384 (secp384r1) and

Re: Can wrapped master secret be unwrapped only using fields from sslSessionID structure?

2017-01-24 Thread Martin Thomson
The details of how NSS constructs these values is internal to a given NSS version and might change in different versions. For instance, the indices and what they mean are highly likely to change in an upcoming version. On Wed, Jan 25, 2017 at 4:11 AM, Maxim Rise wrote: >

Re: Building NSS failed on Mac OS X 10.10 with "unknown warning group '-Wvarargs'"

2016-12-29 Thread Martin Thomson
Hi John, Could you open a bug? https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS=Libraries On Thu, Dec 29, 2016 at 5:19 PM, John Jiang wrote: > Hi, > I tried to build NSS 3.27.1 [1] on Mac OS X 10.10, but the building ended > with the following message: >

Re: NSS and NSPR compilation error: ssl3con.c:36:18: fatal error: zlib.h: No such file

2016-10-20 Thread Martin Thomson
You can compile with make nss_build_all NSS_SSL_ENABLE_ZLIB= To disable zlib. It's not a feature you want, we just keep it because some existing users depend on it. On Thu, Oct 20, 2016 at 11:10 PM, Kai Engert wrote: > On Thu, 2016-10-20 at 10:13 +, Ding Yangliang wrote: >>

Re: How to get details of certificate?

2016-05-23 Thread Martin Thomson
On Sun, May 22, 2016 at 5:16 PM, RJT wrote: > `certutil -L -d sql:${HOME}/.pki/nssdb` That lists the names, then you can dump the details: `certutil -L -d sql:${HOME}/.pki/nssdb -n `

Re: [ANNOUNCE] NSS 3.24 Release

2016-05-23 Thread Martin Thomson
On Mon, May 23, 2016 at 1:55 AM, Trick, Daniel wrote: > make BUILD_OPT=1 Try: make BUILD_OPT=1 nss_build_all You have to build NSPR first, and this does that for you.

Re: Disabling all uses of elliptical curves

2016-05-11 Thread Martin Thomson
On Wed, May 11, 2016 at 11:08 PM, Hubert Kario wrote: > I haven't tested it, but I don't think that will stop NSS trusting RSA > certificates signed by ECC CAs. There are plenty of things that NSS will still do with ECC if you disable ECC cipher suites. That's for sure. If

Re: Cipher suits, signature algorithms, curves in Firefox

2016-05-05 Thread Martin Thomson
On Fri, May 6, 2016 at 10:12 AM, Peter Bowen wrote: > Is a reasonable path to implement > https://tools.ietf.org/html/draft-ietf-tls-negotiated-ff-dhe-10 and > treat ECDHE suites as being DHE using a Supported Group? This would > avoid new cipher suite IDs and accomplish the

Re: Cipher suits, signature algorithms, curves in Firefox

2016-05-05 Thread Martin Thomson
On Fri, May 6, 2016 at 9:33 AM, Brian Smith wrote: > So, I don't think that dropping AES-256 is the right thing to do. Instead, > the ECDHE-AES-256-GCM cipher suites should be added to Firefox. Note that > they were just recently added to Google Chrome. These are also

Re: Disabling all uses of elliptical curves

2016-04-29 Thread Martin Thomson
At the TLS layer, you can disable all suites that require ECC. On Sat, Apr 30, 2016 at 4:40 AM, Franziskus Kiefer wrote: > there's no runtime option but you can disable it at compile time with > NSS_DISABLE_ECC, see [1] > > [1] >

Re: server-side OCSP stapling

2016-03-01 Thread Martin Thomson
AIUI, support for stapling in NSS is pretty primitive. You are expected to make the OCSP query yourself and use the API to configure the server. On Mar 2, 2016 7:42 AM, "Rob Crittenden" wrote: > I don't see a way to implement OCSP stapling on the server side. > >

Re: -Werror vs. NetBSD

2016-02-04 Thread Martin Thomson
kLabelPrefixLen, 1, ptr); > ^ > tls13hkdf.c:142:9: error: assignment makes pointer from integer without a > cast [-Werror] > ptr = tls13_EncodeUintX(handshakeHashLen, 1, ptr); > ^ > cc1: all warnings being treated as errors > > Thomas > > >

Re: -Werror vs. NetBSD

2016-01-31 Thread Martin Thomson
Hi Thomas, Do you think that you could push these patches to bugzilla? See https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS=Libraries And it would be easier to review this as a single patch, I think, since all the changes are fairly simple. On Sat, Jan 30, 2016 at 11:40 PM, Thomas