On Wed, Jul 8, 2020 at 2:36 AM Daiki Ueno wrote:
>
> Martin Thomson writes:
>
> > I think that we considered this when we first landed this code, but
> > deferred adding any callbacks until it was clear what the right answer
> > was. As you say, you get
Daiki might have some ideas about how to approach this.
I think that we considered this when we first landed this code, but
deferred adding any callbacks until it was clear what the right answer
was. As you say, you get the callback, but you might not if the
request is rejected.
On Tue, Jul 7,
On Fri, Jun 12, 2020 at 1:16 AM Robert Relyea wrote:
>
> On 6/10/20 10:48 PM, Martin Thomson wrote:
> > Is there an automated check we can run that will help us remember to
> > do this properly in future? I really don't like having to remember
> > this sort of thing.
Is there an automated check we can run that will help us remember to
do this properly in future? I really don't like having to remember
this sort of thing.
On Thu, Jun 11, 2020 at 3:52 AM Robert Relyea wrote:
>
> On 6/1/20 5:18 PM, JC Jones wrote:
> > The NSS team released Network Security
You shouldn't need to start the mozilla-build shell from within a VS
shell. Our build uses vswhere and the registry to find the necessary
pieces. That might be where things are going awry.
From looking at your output, you might want to check this path:
"/c/apps/MVS15/VC/Tools/MSVC/14.10.25017
Moved to dev-tech-crypto.
NSS has some limited certificate validation code, but you have to roll it
in. You can take a look at either tstclnt or firefox code to see how to put
something together. The firefox code is much more complex.
On Mon, 14 Oct. 2019, 12:37 R.Wieser, wrote:
> Hello all,
>
Hi Paul,
I don't want to answer specific questions here, but I did want to address
the higher level point.
Integrating all the pieces for a new cipher suite is a major project. I
strongly suggest that you work on doing this in pieces. If you intend to
present a single patch that adds all the
https://bugzilla.mozilla.org/show_bug.cgi?id=1561510 is where we should
keep discussing this.
On Wed, Jun 26, 2019 at 4:19 PM Martin Thomson wrote:
> OK, this looks like I hit a problem in my system (which I only use
> rarely). I am now hitting your issue.
>
> This is a failure in
s are at the end of the string. Maybe
it is because the version of make we now have on mac quotes the arguments
(as it should). The fix is simple enough; I'll get something in review soon.
On Wed, Jun 26, 2019 at 3:30 PM John Jiang wrote:
> Hi Martin,
> Thanks for your reply!
>
> On Wed, Ju
I had trouble myself, but it turns out that even if you are all up to date,
XCode isn't upgraded. The error I get is the result of XCode being out of
date.
Confirm by looking for a config.log in the NSPR directory. If it contains
a message like the one below, the outdated XCode is the problem.
On Thu, May 16, 2019 at 2:03 PM Miklos Vajna wrote:
> Is it possible to use this static mode when building via the provided
> Makefile?
>
No. We're gradually phasing out support for Makefiles. They are very hard
to maintain.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
+Dustin Mitchell who might have some insight into this.
On Tue, Mar 19, 2019 at 6:03 AM Robert Relyea wrote:
> I've been trying to get nss-try builds with nss-tools for a couple of
> days now, but it looks like both nss-try and nss are not properly
> running any tests. Is there an outage,
We routinely run similar checks on our builds and track the changes that
libabigail reports. We require that ABI changes, even of the benign sort
you found, are reviewed and accepted. The set of expected changes between
releases is found here:
You need to build a debug build with -DDEBUG. Disabling optimization is a
different thing.
The default build with build.sh or make nss_build_all should be fine.
On Sat, 5 Jan. 2019, 11:40 John Jiang wrote:
> I had read that page. In fact, SSLDEBUG and SSLTRACE were used in my last
> try.
> My NSS was
Try exporting SSLTRACE=100.
That might be too much detail, but lower numbers are still useful. I find
that 20-ish gets some fairly useful logging.
On Thu, Jan 3, 2019 at 6:12 PM John Jiang wrote:
> Can NSS tools, like selfserv and tstclnt, output debug info?
> My NSS binary is built with
On Fri, Dec 7, 2018 at 12:26 PM Paul Smith wrote:
> Another thing that I didn't bring up: I need to implement this in other
> languages (at least Java and Python), so clients can connect to the
> service. So I need to consider availability in other crypto libraries
> like Python ssl and javax
Hi Paul,
I think NSS has all you need here. Including TLS 1.3 should you
prefer that. Unfortunately, we can't say that we have a PAKE, so I
appreciate that you aren't able to just drop that in. In the
meantime,,,
On Fri, Dec 7, 2018 at 9:18 AM Paul Smith wrote:
> I have a session key from
The current process is a bit broken. See
https://bugzilla.mozilla.org/show_bug.cgi?id=1434943 for more. Some
people report success with the patch there, but it's not completely
ready.
On Tue, Aug 14, 2018 at 6:00 AM Will Barnz wrote:
>
> I'm trying to build NSS 3.38. I've downloaded and
This was a feature we supported, but we have an open item to restore
full PSS support for TLS after some changes in TLS 1.3 reassigned the
meaning of the codepoints. (It's been a few months, and a low
priority item, but it is still on my todo list). Getting selfserv and
tstclnt to use those keys
In the gecko tree, there is a file called TAG-INFO that lists the exact NSS
revision.
On Fri, May 18, 2018 at 7:21 AM Jonathan Wilson wrote:
> I have an NSS source tree (that is, the contents of security\nss as seen in
> a Gecko source tree), how can I figure out what
That looks like you haven't got a c++ compiler that supports c++11. You
can disable building the tests with NSS_DISABLE_GTESTS.
On Fri, May 18, 2018 at 3:30 AM Usha Nayak wrote:
> Hi Wan-Teh
> Thanks for replying and appreciate your help.
> Modifying the file as you
Yes, aside from the version number the two versions are identical.
On Mon, 14 May 2018, 21:51 Kai Engert, wrote:
> On 14.05.2018 13:24, Kai Engert wrote:
> > On 14.05.2018 11:11, Kurt Roeckx wrote:
> >> On 2018-05-08 22:49, Kai Engert wrote:
> >>> Notable changes:
> >>> * The TLS
These sound like simple bugs. Most are probably good first bugs for
someone looking to contribute.
On Thu, Feb 8, 2018 at 6:13 PM, John Jiang wrote:
> Hi,
> Using NSS 3.35.
>
> It looks like tstclnt always sends the SNI extension, even without the "-a" option.
> As for selfserv, I
We do this probing in NSS because we can't guarantee that the softoken
implementation matches the libssl implementation version. Yeah,
strange world we live in, right?
The probe is a little ugly, because there isn't a straight function
you can call that says "this algorithm is supported":
This
See SSL_AlertReceivedCallback().
On 20 Dec. 2017 6:22 am, "Johann 'Myrkraverk' Oskarsson"
wrote:
> Hi,
>
> Is it really impossible to verify if the server sent close_notify in a
> normal NSS client application?
>
> In both cases, PR_Read() returns zero with no error
I think that Alex and Kurt partially answered your questions.
On Wed, Oct 18, 2017 at 8:27 PM, Gregory Szorc wrote:
> I'm very naive about how TLS libraries are implemented and how the TLS
> handshake works.
The basic design is that the client decides what to offer and then
This should be defined in ecl-exp.h, which is transitively included
from ec.c via blapi.h and blapit.h.
On Thu, Sep 28, 2017 at 10:10 AM, Captain Wiggum wrote:
> I build nss and nss-softokn on a regular basis and follow periodic updates.
> I am seeing this new error with
The NSS team has released Network Security Services (NSS) 3.29.2
No new functionality is introduced in this release.
This is a patch release to fix an issue with TLS session tickets.
The full release notes are available at
On Sat, Feb 18, 2017 at 8:59 AM, Jeremy Rowley
wrote:
> It's still permitted in the policy.
>
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#inclusion
Yes, well... The policy says P-512, which doesn't actually exist.
The
On Thu, Feb 16, 2017 at 4:22 AM, Gervase Markham wrote:
> Did things break when we disabled it?
A few things. It lasted less than a day in Nightly before we got
multiple bug reports.
> Do we know why Chrome decided not to support it? Two NIST curves is enough?
That's my
On Thu, Feb 16, 2017 at 3:44 AM, Gervase Markham wrote:
> There seemed to be some confusion recently in m.d.s.policy about whether
> NSS, and then Firefox, supported P-521 for server auth certs. Can
> someone clear it up for me and tell me what the situation is? :-)
Sure.
On Wed, Feb 15, 2017 at 7:59 PM, Miklos Vajna wrote:
> To avoid solving multiple problems at once, probably I'll go for
> another ECDSA testcase first where the parameter is supported by NSS. :-)
The best supported curve is P-256 (i.e., secp256r1), but P-384
(secp384r1) and
The details of how NSS constructs these values are internal to a given
NSS version and might change in different versions. For instance, the
indices and what they mean are highly likely to change in an upcoming
version.
On Wed, Jan 25, 2017 at 4:11 AM, Maxim Rise wrote:
>
Hi John,
Could you open a bug?
https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=Libraries
On Thu, Dec 29, 2016 at 5:19 PM, John Jiang wrote:
> Hi,
> I tried to build NSS 3.27.1 [1] on Mac OS X 10.10, but the building ended
> with the following message:
>
You can compile with
make nss_build_all NSS_SSL_ENABLE_ZLIB=
To disable zlib. It's not a feature you want, we just keep it because
some existing users depend on it.
On Thu, Oct 20, 2016 at 11:10 PM, Kai Engert wrote:
> On Thu, 2016-10-20 at 10:13 +, Ding Yangliang wrote:
>>
On Sun, May 22, 2016 at 5:16 PM, RJT wrote:
> `certutil -L -d sql:${HOME}/.pki/nssdb`
That lists the names, then you can dump the details:
`certutil -L -d sql:${HOME}/.pki/nssdb -n `
On Mon, May 23, 2016 at 1:55 AM, Trick, Daniel
wrote:
> make BUILD_OPT=1
Try: make BUILD_OPT=1 nss_build_all
You have to build NSPR first, and this does that for you.
On Wed, May 11, 2016 at 11:08 PM, Hubert Kario wrote:
> I haven't tested it, but I don't think that will stop NSS trusting RSA
> certificates signed by ECC CAs.
There are plenty of things that NSS will still do with ECC if you
disable ECC cipher suites. That's for sure. If
On Fri, May 6, 2016 at 10:12 AM, Peter Bowen wrote:
> Is a reasonable path to implement
> https://tools.ietf.org/html/draft-ietf-tls-negotiated-ff-dhe-10 and
> treat ECDHE suites as being DHE using a Supported Group? This would
> avoid new cipher suite IDs and accomplish the
On Fri, May 6, 2016 at 9:33 AM, Brian Smith wrote:
> So, I don't think that dropping AES-256 is the right thing to do. Instead,
> the ECDHE-AES-256-GCM cipher suites should be added to Firefox. Note that
> they were just recently added to Google Chrome.
These are also
At the TLS layer, you can disable all suites that require ECC.
On Sat, Apr 30, 2016 at 4:40 AM, Franziskus Kiefer wrote:
> there's no runtime option but you can disable it at compile time with
> NSS_DISABLE_ECC, see [1]
>
> [1]
>
AIUI, support for stapling in NSS is pretty primitive. You are expected to
make the OCSP query yourself and use the API to configure the server.
On Mar 2, 2016 7:42 AM, "Rob Crittenden" wrote:
> I don't see a way to implement OCSP stapling on the server side.
>
>
kLabelPrefixLen, 1, ptr);
> ^
> tls13hkdf.c:142:9: error: assignment makes pointer from integer without a
> cast [-Werror]
> ptr = tls13_EncodeUintX(handshakeHashLen, 1, ptr);
> ^
> cc1: all warnings being treated as errors
>
> Thomas
>
>
>
Hi Thomas,
Do you think that you could push these patches to bugzilla? See
https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=Libraries
And it would be easier to review this as a single patch, I think,
since all the changes are fairly simple.
On Sat, Jan 30, 2016 at 11:40 PM, Thomas