Re: Default Password callback

2020-10-01 Thread Robert Relyea
On 10/1/20 5:37 AM, Daniel Gustafsson wrote: I'm implementing support for NSS into a codebase which already has OpenSSL support, and when looking at the passphrase callbacks I ran into a question. Is my understanding correct that there is no default password callback like how OpenSSL has a

Re: No Post Quantum this week.

2020-09-14 Thread Robert Relyea
On 9/14/20 10:19 AM, Robert Relyea wrote: Bob has a dental appointment and will be out. See you in 2 weeks. bob Went to the wrong list. You can ignore this. bob -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

No Post Quantum this week.

2020-09-14 Thread Robert Relyea
Bob has a dental appointment and will be out. See you in 2 weeks. bob -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Regarding SQLite in NSS 3.44.4

2020-08-07 Thread Robert Relyea
On 8/7/20 1:27 AM, Rahul S wrote: Hi Team, Hope all are doing good! I would like to get some clarification about the SQLite version in NSS 3.44.4. From release notes of NSS 3.46, i see that the "Bug 1550636 - Upgrade SQLite in NSS to a

Re: [ANNOUNCE] NSS 3.53 release

2020-06-11 Thread Robert Relyea
be the best place to put it? nss/automation? bob On Thu, Jun 11, 2020 at 3:52 AM Robert Relyea wrote: On 6/1/20 5:18 PM, JC Jones wrote: The NSS team released Network Security Services (NSS) 3.53 on 29 May 2020. NSS 3.53 will be a long-term support release, supporting Firefox 78 ESR. Looks like

Re: [ANNOUNCE] NSS 3.53 release

2020-06-10 Thread Robert Relyea
On 6/1/20 5:18 PM, JC Jones wrote: The NSS team released Network Security Services (NSS) 3.53 on 29 May 2020. NSS 3.53 will be a long-term support release, supporting Firefox 78 ESR. Looks like we updated certdata.txt without updating the version number in nssckbi.h. This caused some

Re: Crypto team minutes 2020-05-12

2020-05-13 Thread Robert Relyea
Please ignore this, it went to the wrong list. -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Crypto team minutes 2020-05-12

2020-05-13 Thread Robert Relyea
Date: 2020-05-12 Chair: Ivan Minutes: Bob Participants: Alex, Standa, Jakub, Bob, Daiki, Toshi, Simo, Tomas, Sahana, Hubert, Ondrej, Ivan, Lucie Excused: Nikos Chair and minutes keeper update etherpad, after the meeting the minutes keeper sends minutes and prepares etherpad for next week -

Re: [key4.db] IV size for aes256-CBC

2020-04-28 Thread Robert Relyea
On 04/22/2020 01:21 AM, laurent.cl...@gmail.com wrote: On Monday, March 30, 2020 at 6:28:55 PM UTC+2, Robert Relyea wrote: On 03/27/2020 12:21 PM, Louis Abraham wrote: Hi Matthew, Awesome, thanks and sorry for contacting the wrong list! Since then, I found the answer to the 14 bytes question

Re: [key4.db] IV size for aes256-CBC

2020-03-30 Thread Robert Relyea
On 03/27/2020 12:21 PM, Louis Abraham wrote: Hi Matthew, Awesome, thanks and sorry for contacting the wrong list! Since then, I found the answer to the 14 bytes question: https://hg.mozilla.org/projects/nss/rev/fc636973ad06392d11597620b602779b4af312f6#l6.49 Basically the DER encoding is used

NSS ESR release date.

2020-03-26 Thread Robert Relyea
Red Hat Planning would like to know the estimate for when the NSS targeted for ESR will be released. We are working on the theory it will be end of May (balancing time for PKCS #11 3.0 changes versus when ESR needs a new NSS). Planning wants me to confirm that with mozilla, particularly JC.

Re: [ANNOUNCE] NSS 3.44 Release

2019-05-22 Thread Robert Relyea
On 05/17/2019 08:54 AM, JC Jones wrote: On Thursday, May 16, 2019 at 9:28:39 AM UTC-7, Paul Wouters wrote: Wait, what? They need work to make them simpler and better support cross compiling for sure, but getting rid of them would really hamper our use of NSS on different platforms. How would

Is there some problem with treeherder?

2019-03-18 Thread Robert Relyea
I've been trying to get an nss-try builds with nss-tools for a couple of days now, but it looks like both nss-try and nss are not properly running any tests. Is there an outage, or do we need someone to kick the try servers? bob -- dev-tech-crypto mailing list

Re: Linker error from tstclnt

2017-11-22 Thread Robert Relyea
On 11/22/2017 07:24 AM, Kai Engert wrote: On 10.11.2017 10:16, muni.pra...@gmail.com wrote: USE_STATIC_RTL=1 I haven't seen this symbol before, maybe it's no longer supported. Does it work if you don't define it? The symbol means build the test binaries with static libraries. That hasn't

Re: Are NSS bug fix releases still FIPS 140-2 certified?

2017-04-11 Thread Robert Relyea
On 04/10/2017 02:58 PM, Ernie Kovak wrote: Kyle Hamilton is right. The authoritative document is the NSS module's security policy, which is linked from their validation certificate (see above). That policy specifies how the module can be used in order to be FIPS 140-2 compliant. According to

Re: How to get a list of SubjectAltNames of a cert in NSS

2017-03-03 Thread Robert Relyea
On 03/03/2017 02:48 PM, Robert Relyea wrote: On 03/03/2017 09:42 AM, Paul Wouters wrote: On Fri, 3 Mar 2017, Robert Relyea wrote: [offlist] redirected back to the list, since the item I was concerned about is not a concern. Thanks for the info. I looked at it and have two questions

Re: How to get a list of SubjectAltNames of a cert in NSS

2017-03-03 Thread Robert Relyea
On 03/03/2017 09:42 AM, Paul Wouters wrote: On Fri, 3 Mar 2017, Robert Relyea wrote: [offlist] redirected back to the list, since the item I was concerned about is not a concern. Thanks for the info. I looked at it and have two questions and one concern (which is why this is offlist

Re: Should PK11_Derive() save the failure status?

2017-02-22 Thread Robert Relyea
On 02/22/2017 10:44 AM, Andrew Cagney wrote: Hi, I've got a PK11_Derive() call failing (presumably something silly on my part), but frustratingly, PORT_GetError() just returns 0. It seems that all variants of PK11_Derive() don't call: PORT_SetError(PK11_MapError(crv)); with the error

Re: NSS open multiple NSS-Databases at once?

2017-01-10 Thread Robert Relyea
On 01/10/2017 02:07 PM, Opa114 wrote: On Tuesday, 10 January 2017 22:24:10 UTC+1, Robert Relyea wrote: On 01/10/2017 10:18 AM, Opa114 wrote: thanks, but these facts i know. I don't want to let multiple applications open one Database, i want to open multiple different Mozilla databases

Re: NSS open multiple NSS-Databases at once?

2017-01-10 Thread Robert Relyea
On 01/10/2017 10:18 AM, Opa114 wrote: thanks, but these facts i know. I don't want to let multiple applications open one Database, i want to open multiple different Mozilla databases, in the old standard format, with one (my) application. I tried to use the NSS_Init functions. These work

Re: NSS open multiple NSS-Databases at once?

2017-01-09 Thread Robert Relyea
On 01/08/2017 05:34 AM, Opa114 wrote: Hi there, i have to use NSS in one of my applications and therefore i have to open multiple databases (for example Firefox and Thunderbird) at once to read and write into these. How can i do this programmatically in C++? Some example code would be very

Re: Fwd: debug PKCS11

2016-11-18 Thread Robert Relyea
On 11/18/2016 12:49 AM, Alexei Mayanov wrote: Hello! I'm developing PKCS11 library for my device. This library is based on pkcs11-proxy (https://github.com/SUNET/pkcs11-proxy). It works well with different apps but with Firefox I can't login with client certificate on to the test site. Firefox

Re: NSS_Context and FIPS

2016-10-21 Thread Robert Relyea
On 10/21/2016 07:04 AM, Rob Crittenden wrote: I'm trying to figure out how to dynamically enable FIPS support for NSS Contexts. I started with multinit.c and initialize FIPS right after calling NSS_InitContext() using this: So you can't change the state of an already open database. NSS will

Re: NSS db nicknames with NSS_InitContext()

2016-10-18 Thread Robert Relyea
On 10/18/2016 11:16 AM, Rob Crittenden wrote: It looks like when multiple NSS databases are initialized using NSS_InitContext() the nicknames can take multiple forms depending on order of initialization. Using the multinit program and three NSS certificate databases with identical nicknames I

Re: JSS/NSS locks my smart card after 1 bad pin entry

2016-10-10 Thread Robert Relyea
On 10/07/2016 06:56 PM, Ernie Kovak wrote: Hello - We're using JSS4 and NSS 3.24 with an OpenSC module to interact with a DoD CAC. CACs will lock after 3 consecutive bad PIN entries. We're finding that if the user enters a bad PIN even once, that hard limit is exceeded and the card is

Re: Replacement for PK11_GetLowLevelKeyIDForCert etc

2016-06-27 Thread Robert Relyea
On 06/24/2016 06:29 PM, Andrew Cagney wrote: Hi, according to the NSS documentation, the functions for getting CKAIDs are deprecated vis: /** * New functions which are already deprecated

Re: [ANNOUNCE] NSS 3.24 Release

2016-05-23 Thread Robert Relyea
On 05/22/2016 04:26 PM, Paul Wouters wrote: On Sun, 22 May 2016, Kai Engert wrote: Subject: [ANNOUNCE] NSS 3.24 Release * NSS softoken has been updated with the latest NIST guidance (as of 2015) What does this relate to? Do you have the specific FIPS publication? Is this perhaps the GCM

Re: RFC7512 PKCS#11 URI support

2016-04-08 Thread Robert Relyea
On 04/07/2016 03:49 PM, David Woodhouse wrote: On Thu, 2016-04-07 at 05:01 -0700, Julien Pierre wrote: The problem really stems from the design of NSS, specifically the CERTCertificate*, which maps to a unique DER encoded cert, but not to a single PKCS#11 object in a single token. Since the

Re: RFC7512 PKCS#11 URI support

2016-04-05 Thread Robert Relyea
On 04/04/2016 03:19 PM, Ryan Sleevi wrote: On Mon, Apr 4, 2016 at 12:39 PM, David Woodhouse wrote: We usually reserve the term "breaks the API" for when something *used* to work, and now doesn't. Not when a previously-failing call now actually does something useful. No,

Re: NSS_NoDB_Init(".") and FIPS mode

2016-03-21 Thread Robert Relyea
On 03/18/2016 01:55 PM, Wan-Teh Chang wrote: On Fri, Mar 18, 2016 at 10:49 AM, Robert Relyea <rrel...@redhat.com> wrote: Yes, SECMOD_DeleteInternalModule() is a toggle which switches NSS between FIPS and non-FIPS. If you don't have a database open, or the database is open readOnly, the

Re: Programmatically smartcard/token access with NSS

2016-03-19 Thread Robert Relyea
On 03/17/2016 06:17 AM, Túlio Gomes wrote: Hello, I need to access a smartcard for signing documents with the private key stored inside it. The idea is to create a c++ component that will be used with a pnacl module inside chrome's browser. So I decided to use NSS, but I'm confused about what

Re: NSS_NoDB_Init(".") and FIPS mode

2016-03-18 Thread Robert Relyea
On 03/18/2016 09:14 AM, Andrew Cagney wrote: Is it possible to put NSS (softoken) in FIPS mode (PK11_IsFIPS()) without a "modutil -fips true" database? By FIPS mode I guess I really mean confirm that NSS has performed some sort of FIPS self-check. An earlier thread mentioned some way of

Re: server-side OCSP stapling

2016-03-01 Thread Robert Relyea
On 03/01/2016 02:19 PM, Martin Thomson wrote: AIUI, support for stapling in NSS is pretty primitive. You are expected to make the OCSP query yourself and use the API to configure the server. IIRC the API to fetch the ocsp response is mostly application code. NSS has a simple http request

Re: Using NSS in FIPS mode

2016-01-22 Thread Robert Relyea
On 01/22/2016 06:42 AM, jonetsu wrote: Robert Relyea wrote: The call PK11_IsFIPS() returns true if softoken is in FIPS mode. The dance to do it programmatically is to call SECMOD_DeleteInternalModule(), which toggles the module between FIPS and non-FIPS modes. Thanks. I will try it. When

Re: Using NSS in FIPS mode

2016-01-21 Thread Robert Relyea
On 01/21/2016 07:33 AM, jonetsu wrote: Hello, Please let me know if this is not the right place to ask about the following... This is the right place. I am new to NSS and would like to use it in FIPS mode. I do know about OpenSSL and GnuTLS, both of them having explicit calls to enable

Re: Algorithms supported in NSS 3.17, FIPS mode

2015-12-15 Thread Robert Relyea
On 12/14/2015 05:04 PM, Paul Wouters wrote: Don't know about DRBG, but everything else you asked for is supported. Sent from my iPhone On Dec 14, 2015, at 18:03, jonetsu wrote: Hello, I am trying to get a list of the algorithms and ciphers supported by NSS 3.17 in

Re: AES-256 vs. AES-128

2015-11-30 Thread Robert Relyea
On 11/30/2015 12:07 PM, Julien Vehent wrote: On 2015-11-30 12:47, Robert Relyea wrote: I've always found the 128 bit prioritized over 256 a silly recommendation, I support reordering. Can you expand on why you think it is silly? The argument went that 128 bit was 'sufficient

Re: AES-256 vs. AES-128

2015-11-30 Thread Robert Relyea
On 11/25/2015 02:01 PM, April King wrote: My colleague Julien Vehent and I are in the process of updating the Mozilla Server Side TLS documentation: https://wiki.mozilla.org/Security/Server_Side_TLS One of the topics of conversation was whether or not the Modern TLS configuration should

Re: Add New OID to NSS

2015-11-04 Thread Robert Relyea
On 11/04/2015 11:21 AM, JBarry wrote: Hi Bob, Thank you for the helpful reply. I have looked at the files you have mentioned and am a little confused about something. For example (secoid.c lines 34-35): /* USGov algorithm OID space: { 2 16 840 1 101 } */ #define USGOV 0x60,

Re: Add New OID to NSS

2015-11-04 Thread Robert Relyea
On 11/04/2015 08:57 AM, JBarry wrote: Hello, I'll apologize in advance if this question has already been asked/answered (I did look and found nothing that helped me out) or if the question seems trivial. I am a college intern currently working with NSS for the first time, so please forgive me

Re: Prevent "proxyfying" PKCS#11

2015-09-28 Thread Robert Relyea
On 09/25/2015 01:36 AM, helpcrypto helpcrypto wrote: Hi all I hope you can find a solution for my problem, cause I can't. (And perhaps it's impossible) Based on my knowledge of PKCS#11 standard, the spec is exposed to a MITM attack that steals the PIN when an application invokes C_Login

Re: Prevent "proxyfying" PKCS#11

2015-09-28 Thread Robert Relyea
On 09/25/2015 09:13 AM, Erwann Abalea wrote: On Friday, 25 September 2015 14:39:04 UTC+2, helpcrypto helpcrypto wrote: On Fri, Sep 25, 2015 at 11:52 AM, Erwann Abalea wrote: [...] Although it won't solve my problem, this will make possible to kill signature applets

Re: Can sign but cannot encrypt email using a valid S/MIME certificate

2015-09-04 Thread Robert Relyea
On 09/04/2015 05:06 AM, Thibault Derrien wrote: Dear all, I have obtained numerical certificates of national certification authority in Czech Republic (ICA). 1/ I have imported the certificate into Mozilla Thunderbird > Account Settings > Security > Digital Signing. - It shows Software

Re: pk12util: Wrong certificate names in database

2015-07-27 Thread Robert Relyea
On 07/27/2015 12:54 AM, Trick, Daniel wrote: Thank you a lot for clarification, Kaspar! So, by design of NSS, all certificates with the same DN will end up with the same nickname. And the very first certificate with a specific DN will set the nickname for all other certificates (with that

Re: placing NSS in fips mode using modutil is forgotten ?

2015-06-10 Thread Robert Relyea
On 06/10/2015 06:15 AM, Paul Wouters wrote: Hi, I'm trying to do various FIPS tests for libreswan. Our testing system using KVM is a little tricky to selectively boot with fips=1, so I did some scripting to get everything into faked FIPS mode. It basically comes down to first running a script

Re: NSS set extractable = no

2015-05-19 Thread Robert Relyea
On 05/18/2015 03:04 PM, Arthur Ramsey wrote: I have a requirement to disable key export on a key stored in a NSS DB in FIPS mode. I read through the documentation and found mention of the ability to do this, but not how. Where can I find information on how to disable key export? I will be

Re: PK11SymKey in FIPS mode from nothing

2015-05-19 Thread Robert Relyea
On 05/12/2015 10:44 AM, Paul Wouters wrote: On Tue, 12 May 2015, Robert Relyea wrote: So, in FIPS mode, in a standalone test program, what is the correct way to turn g^ir into PK11SymKey. PK11SymKey *sym_key = PK11_ImportSymKey(slot, CKM_DH_PKCS_DERIVE, PK11_OriginUnwrap

Re: PK11SymKey in FIPS mode from nothing

2015-05-12 Thread Robert Relyea
On 05/12/2015 08:58 AM, Andrew Cagney wrote: Hi, I'm looking to clean up some test code (IKEv2, NISTs CAVP tests), so that they work in FIPS mode (what ever that means). So CAVS tests require hooking outside the FIPS mode boundary because CAVS tests access CSPs which aren't allowed outside

Re: target parameter to PK11_Derive

2015-05-11 Thread Robert Relyea
On 05/07/2015 11:49 AM, Andrew Cagney wrote: [inline] On 5 May 2015 at 13:18, Robert Relyea rrel...@redhat.com wrote: The target Mechanism is the operation you are going to use the target key for, It shouldn't match the mechanism used to derive the key. It is basically used to set

Re: target parameter to PK11_Derive

2015-05-05 Thread Robert Relyea
On 05/05/2015 08:42 AM, Andrew Cagney wrote: Hi, I'm cleaning up some code (it has a long history) that, among other things, computes IKE's PRF (hmac) and PRF+ (key derivation function). The computation involves the use of PK11_Derive to perform lots of concatenation, padding, xoring, and

Re: NSS support for RFC7512 PKCS#11 URIs

2015-05-04 Thread Robert Relyea
On 05/03/2015 02:17 AM, David Woodhouse wrote: On Sat, 2015-05-02 at 18:33 -0700, Jan Pechanec wrote: On Fri, 1 May 2015, David Woodhouse wrote: On Fri, 2015-05-01 at 11:35 +0100, Alan Braggins wrote: On 30/04/15 17:56, David Woodhouse wrote: Has anyone looked at implementing RFC7512

Re: Problems with FF and internal certificates

2015-05-04 Thread Robert Relyea
On 05/04/2015 10:09 AM, Brian Smith wrote: On Fri, May 1, 2015 at 9:11 AM, Tanvi Vyas tv...@mozilla.com wrote: On Apr 27, 2015, at 2:03 PM, Michael Peterson michaelpeterson...@gmail.com wrote: Now, in the album I posted above (https://imgur.com/a/dmMdG), the last two screenshots show a

Re: Key zeroization in NSS DB

2015-03-25 Thread Robert Relyea
On 03/25/2015 04:30 AM, Jan Otte wrote: Hi, When finding out how to do key zeroization in NSS DB I stumbled upon https://bugzilla.mozilla.org/show_bug.cgi?id=347450 The last comment states that key zeroization is not needed for FIPS, which is in contrast with the initial description. What is

Re: Using JSS SSLSocket and and SSLServerSocket TLS 1.1 and 1.2

2015-01-13 Thread Robert Relyea
On 01/13/2015 09:18 AM, Christina Fu wrote: jss-4.2.6-35 can be found on koji for various supported fedora platforms. For rhel it's the same version number. Christina Are there any outside available builds, like windows? bob On 01/13/2015 09:09 AM, Robert Relyea wrote: Christina, which

Re: Using JSS SSLSocket and and SSLServerSocket TLS 1.1 and 1.2

2015-01-13 Thread Robert Relyea
Christina, which version of JSS has TLS 1.1 and 1.2 support enabled? Bob On 01/12/2015 02:10 PM, deepr...@gmail.com wrote: Folks, Sorry for the totally newbie question but I've hunted high and low. I am supporting some Java code that uses JSS4, NSS to provide SSL Server side services. In

Re: Accessing Firefox keystore

2015-01-09 Thread Robert Relyea
On 01/09/2015 08:03 AM, Opa114 wrote: I do. But I want to parse the cert8.db or maybe access this file in an easier way with JAVA. I have to read the file and maybe I have to remove and/or add new certificate to it. While there is some documentation on the format of cert8.db, If you are

Re: Accessing Firefox keystore

2015-01-08 Thread Robert Relyea
On 12/11/2014 12:33 AM, helpcrypto helpcrypto wrote: Hi again, sorry for delay. Yes, you can (SHOULD) use SunPKCS#11 to access directly the libraries/modules. You can do it two ways: - attack libraries directly - parse (legacy) secmod.db on Firefox profile to list modules/libraries.

Re: libnsssysinit

2014-12-08 Thread Robert Relyea
On 12/08/2014 05:05 AM, David Woodhouse wrote: On Mon, 2014-12-08 at 10:15 +, Martinsson Patrik wrote: So, to summarize, $ sudo update-alternatives --install /usr/lib64/libnssckbi.so libnssckbi.so.x86_64 /usr/lib64/p11-kit-proxy.so 1000 $ cat /etc/pki/nssdb/pkcs11.txt

Re: libnsssysinit

2014-12-08 Thread Robert Relyea
On 12/08/2014 08:59 AM, David Woodhouse wrote: I still maintain that the path to sanity involves killing /etc/pki/nssdb entirely, and then you can look at applying *correct* fixes to whatever's still not behaving correctly. The whole point of /etc/pki/nssdb is so you have one place to install

Re: libnsssysinit

2014-12-04 Thread Robert Relyea
On 12/04/2014 03:31 AM, David Woodhouse wrote: You say that this shouldn't be necessary (and probably a bug), just to clarify things for me, do you mean that, 1 ) adding the libnssckbi.so to shouldn't be necessary since it should already be there from the beginning, and that the bug is that

Re: libnsssysinit

2014-12-04 Thread Robert Relyea
On 12/04/2014 02:00 PM, David Woodhouse wrote: On Thu, 2014-12-04 at 10:33 -0800, Robert Relyea wrote: That one. libnssckbi.so is what provides the default trust roots. It's *always* supposed to be loaded in an NSS system. You shouldn't need to add it manually. I don't. Huh? that is not true

Re: Reducing NSS's allocation rate

2014-11-11 Thread Robert Relyea
On 11/11/2014 12:32 PM, Ryan Sleevi wrote: On Tue, November 11, 2014 10:26 am, Nicholas Nethercote wrote: On Mon, Nov 10, 2014 at 7:06 PM, Ryan Sleevi ryan-mozdevtechcry...@sleevi.com wrote: Not to be a pain and discourage someone from hacking on NSS My patches are in the following

Re: NSS modutil: Adding PKCS#11 module with PIN to nssdb

2014-11-06 Thread Robert Relyea
On 11/06/2014 03:12 PM, Mike Gerow wrote: Apologies if a dupe of this shows up. I had posted my last question without _properly_ subscribing to list and so it is stuck in some kind of moderator queue. I'm trying to add the opencryptoki PKCS#11 module to Chrome/Firefox's nssdb, and it seems to

Re: NSS modutil: Adding PKCS#11 module with PIN to nssdb

2014-11-06 Thread Robert Relyea
On 11/06/2014 04:08 PM, Mike Gerow wrote: Thanks for the quick reply! I can see how caching the PIN would have its issues, but I'm not interested in having NSS ask for the PIN once and save it, but in configuring it to just use a provided PIN in the first place. Still has the same issue, if you

Re: When will TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 cipher suite be available?

2014-09-29 Thread Robert Relyea
On 09/28/2014 03:09 PM, Eric Rescorla wrote: Eventually, but it's not a very high priority. Is there some reason you can't use AES-128? Actually the issue is the SHA384. We need to implement the new PKCS #11 spec to TLS key derive in softoken first. bob -Ekr On Mon, Sep 22, 2014 at 4:49

Re: issues with NSS 3.12.4

2014-09-25 Thread Robert Relyea
On 09/25/2014 04:22 AM, Sunil Raj wrote: Hi, Even I am facing the same issue. Were you able to find the problem? Java is trying to do something that isn't allowed in FIPS mode. It's trying to import a key in the clear. It should instead generate the key inside the token rather than import it.

Re: Adding local cryptographic algorithms to NSS library.

2014-08-05 Thread Robert Relyea
On 08/04/2014 05:43 AM, Andrey Askerko wrote: I want to add support of local cryptography algorithm into firefox. And I want to ask some questions: 1) I must modify only NSS module, or some firefox functions/definitions too? 2) Where I can find some manual, how I can add algorithm into NSS and

Re: modutil add softokn3.dll error

2014-07-22 Thread Robert Relyea
On 07/21/2014 05:48 AM, ramahmoo wrote: Hi, I am trying to add the newly built softoken dll using the following command modutil -add Softoken -mechanisms RSA:DSA:RC4:DES -libfile C:\nss-3.16.1\dist\WIN954.0_OPT.OBJ\lib\softokn3.dll -dbdir c:\nssdb But i am getting the following error ERROR:

Re: SSLKEYLOGFILE always enabled

2014-07-16 Thread Robert Relyea
On 07/16/2014 07:31 AM, Jonathan Schulze-Hewett wrote: Does having this enabled violate the FIPS 140 requirements on exposing key materials in the clear? No, because the key logging fails if you are in FIPS mode (It used the PK11_ExtractKeyValue() to get the key, which will return an error

Re: How to export private key in RSA format from NSS

2014-07-16 Thread Robert Relyea
On 07/15/2014 08:05 PM, Chuck Lee wrote: Yes, but it doesn't work because it also calls PK11_ExportPrivKeyInfo() to get the RSA private key info. Now I am trying to decrypt key exported by PK11_ExportEncryptedPrivKeyInfo() with method SEC_OID_PKCS12_V2_PBE_WITH_SHA1_AND_40_BIT_RC4

Re: NSS Custom Crypto Module

2014-07-11 Thread Robert Relyea
On 07/10/2014 01:53 PM, ramahmoo wrote: Thanks, I would read the documentation. Can I extend/modify the NSS internal pkcs#11 source (softokn3.dll source) to achieve my requirement? It's probably not a good idea to try to create your own softokn3.dll to replace the mozilla one, you will be

Re: Other ECC Curves

2014-06-10 Thread Robert Relyea
On 06/10/2014 09:47 AM, Kurt Roeckx wrote: On Mon, Jun 09, 2014 at 04:27:56PM -0700, Rick Andrews wrote: AFAIK, Symantec and other CAs have added ECC roots to Mozilla's root store using NIST curves. Are any other ECC curves supported by Mozilla, in case one wanted to use a different curve?

Re: ECC, FIPS Mode, and PKCS#11 devices

2014-05-30 Thread Robert Relyea
On 05/30/2014 07:47 AM, Jonathan Schulze-Hewett wrote: To whom it may concern, I have a PKCS#11 device that supports ECC operations. In particular C_GetMechanismList includes the following items: CKM_ECDH1_DERIVE CKM_ECDH1_COFACTOR_DERIVE CKM_EC_KEY_PAIR_GEN CKM_ECDSA The module is

Re: Chrome: From NSS to OpenSSL

2014-04-08 Thread Robert Relyea
On 04/08/2014 06:31 AM, Alan Braggins wrote: On 08/04/14 13:11, Jean-Marc Desperrier wrote: Ryan Sleevi wrote: reliance on PKCS#11 means that there are non-trivial overheads when doing something as simple as hashing with SHA-1. For something that is such a simple transformation, multiple

Re: Cryptoki interface to decrypt mail with thunderbird

2014-03-18 Thread Robert Relyea
On 03/18/2014 04:29 AM, Leon Brits wrote: Robert, Thanks for your help. This discussion has helped me to find the error in our padding implementation for symmetric ciphers using OpenSSL which defaults to always pad. Encryption and decryption via thunderbird now works just fine. go ahead

Re: Cryptoki interface to decrypt mail with thunderbird

2014-03-13 Thread Robert Relyea
On 03/13/2014 05:12 AM, Leon Brits wrote: Robert, Attached is a log of the backtrace when I try to use Thunderbird to decrypt an email. As you can see in the log it reaches C_DecryptUpdate(), but then asserts at cmscipher.c:452. I don't see the attachment? did you forget or did the mailing

Re: initializing the standalone nss soft token (libsoftokn3.so)

2014-03-11 Thread Robert Relyea
On 03/10/2014 08:50 PM, Dave wrote: I'm having trouble initializing the nss soft token when linking against it directly. The function _NSSUTIL_EvaluateConfigDir (utilpars.c) is segfaulting when passing the following initialization arguments to C_Initialize: CK_CHAR * configString =

Re: NSS algorithm performance

2014-03-05 Thread Robert Relyea
On 03/04/2014 03:54 PM, Julien Pierre wrote: Did anyone ever write a script that measures the performance of all the low-level algorithms in freebl, and collects the data in a way that's easy to compare ? This would probably be using bltest. This is for the purpose of evaluating different

Re: SSL objects and NSS code communicating with PKCS#11 module

2014-03-05 Thread Robert Relyea
On 03/05/2014 01:21 AM, Raad Bahmani wrote: Hello Robert, thank you for your answer ! 3) Which algorithm is used for login with SSL ? I'm not sure what you mean by 'login with SSL'. Do

Re: SSL objects and NSS code communicating with PKCS#11 module

2014-03-03 Thread Robert Relyea
On 03/03/2014 04:31 AM, Raad Bahmani wrote: Hello together, I need to implement a PKCS11-library which simulates a smart-card and responds to login attempts with SSL certificates. I have found out that SSL needs the following mechanisms, so the C_GetMechanismList of my library specifies

Re: SHA-256 support

2013-11-19 Thread Robert Relyea
actually supports (since XP SP3). My evaluation on when we supported SHA-2 covers all 3 hash functions. On 19/11/13 02:20, Robert Relyea wrote: I think it's safe to say if your NSS app is newer than a decade old, you have SHA-2 support. The one caveat is that SHA-224 support was added much later

Re: SHA-256 support

2013-11-19 Thread Robert Relyea
On 11/19/2013 10:40 AM, Wan-Teh Chang wrote: Bob's answer is accurate. Note that CAs are more interested in SHA-2 based signature support rather than plain SHA-2 support. So another way to track down the NSS version is to look at the CVS history of the secvfy.c file:

Re: SHA-256 support

2013-11-18 Thread Robert Relyea
On 11/18/2013 07:00 AM, Gervase Markham wrote: Hi everyone, Following Microsoft's announcement re: SHA-1, some CAs are asking browser and OS vendors about the ubiquity of SHA-256 support. It would be a help to them if we could say: - Which version of NSS first supported SHA-256 A quick look

Re: oddball, old cipher suite in firefox client hello

2013-11-01 Thread Robert Relyea
On 11/01/2013 01:43 AM, Brian Smith wrote: On Fri, Nov 1, 2013 at 1:28 AM, Jeff Hodges j...@somethingsimilar.com wrote: /* New non-experimental openly spec'ed versions of those cipher suites. */ #define SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA 0xfeff #define SSL_RSA_FIPS_WITH_DES_CBC_SHA
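Added example, not part of the thread and not NSS code: the two defines quoted above are the legacy Netscape "FIPS" suite numbers (0xfeff for SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA and 0xfefe for SSL_RSA_FIPS_WITH_DES_CBC_SHA), which sit in the private 0xFExx range rather than the IANA registry, which is why they look odd in a ClientHello capture. The Python below builds a constructed TLS 1.2 ClientHello, parses the cipher_suites vector back out of the record, and reports which offered suites are those legacy values. The other entries in the name table are standard IANA assignments added here only for readable output; the ClientHello itself is constructed in the block, not captured from Firefox.

```python
"""Parse the cipher_suites vector from a TLS ClientHello and flag the
legacy 0xFExx Netscape FIPS suites.

Added example for the 'oddball, old cipher suite in firefox client
hello' thread; not NSS code.  The ClientHello is constructed below,
not captured from a real client.
"""
import struct

# Suite numbers: 0xfeff / 0xfefe are the private-range values quoted in the
# thread; the rest are standard IANA assignments included for readability.
SUITE_NAMES = {
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0xC02C: "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    0xFEFE: "SSL_RSA_FIPS_WITH_DES_CBC_SHA",
    0xFEFF: "SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA",
}
LEGACY_FIPS_SUITES = {0xFEFE, 0xFEFF}


def build_client_hello(suites):
    """Construct a minimal TLS 1.2 ClientHello record offering the given suites."""
    body = b"\x03\x03"            # client_version = TLS 1.2
    body += bytes(32)             # random (all zero, constructed test data)
    body += b"\x00"               # session_id length 0
    cs = b"".join(struct.pack("!H", s) for s in suites)
    body += struct.pack("!H", len(cs)) + cs
    body += b"\x01\x00"           # one compression method: null
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_cipher_suites(record):
    """Return the list of 16-bit suite values offered in a ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello handshake message")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) != hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                  # skip version and random
    if pos >= len(body):
        raise ValueError("truncated ClientHello")
    sid_len = body[pos]
    pos += 1 + sid_len                            # skip session_id
    if pos + 2 > len(body):
        raise ValueError("truncated ClientHello")
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    cs = body[pos:pos + cs_len]
    if len(cs) != cs_len or cs_len % 2:
        raise ValueError("malformed cipher_suites vector")
    return [struct.unpack("!H", cs[i:i + 2])[0] for i in range(0, cs_len, 2)]


def legacy_fips_suites(record):
    """Return (value, name) pairs for every legacy 0xFExx FIPS suite offered."""
    return [(s, SUITE_NAMES.get(s, "unknown"))
            for s in parse_cipher_suites(record) if s in LEGACY_FIPS_SUITES]


if __name__ == "__main__":
    hello = build_client_hello([0xC02B, 0xC02C, 0x002F, 0xFEFF, 0x000A])
    for value in parse_cipher_suites(hello):
        print("0x%04x %s" % (value, SUITE_NAMES.get(value, "unknown")))
    print("legacy FIPS suites offered:", legacy_fips_suites(hello))
```

The parser stops at the cipher_suites vector because that is all this check needs; extensions, if present, follow the compression methods and are left unparsed. On a real capture the same function can be applied to the first record of the client's stream.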

Re: Removing dead code from NSS

2013-10-07 Thread Robert Relyea
On 10/04/2013 06:52 PM, Ludovic Hirlimann wrote: Hi, AFAIK NSS still contains code for SSL2 , but no product uses it. SSL2 has been turned off at least 2 years ago. By removing SSL2 code we get : Smaller library faster compile time + test time What do you guys think ? Ludo

Re: Removing dead code from NSS

2013-10-07 Thread Robert Relyea
On 10/07/2013 11:19 AM, Ryan Sleevi wrote: On Mon, October 7, 2013 11:07 am, Robert Relyea wrote: On 10/04/2013 06:52 PM, Ludovic Hirlimann wrote: Hi, AFAIK NSS still contains code for SSL2 , but no product uses it. SSL2 has been turned off at least 2 years ago. By removing SSL2 code we get

Re: Removing SSL 2.0 from NSS (was Re: Removing dead code from NSS)

2013-10-07 Thread Robert Relyea
On 10/07/2013 12:01 PM, Kurt Roeckx wrote: On Mon, Oct 07, 2013 at 11:17:46AM -0700, Brian Smith wrote: On Fri, Oct 4, 2013 at 6:52 PM, Ludovic Hirlimann ludovic+n...@mozilla.com wrote: Hi, AFAIK NSS still contains code for SSL2 , but no product uses it. SSL2 has been turned off at least 2

Re: Removing SSL 2.0 from NSS (was Re: Removing dead code from NSS)

2013-10-07 Thread Robert Relyea
On 10/07/2013 12:44 PM, Wan-Teh Chang wrote: On Mon, Oct 7, 2013 at 11:17 AM, Brian Smith br...@briansmith.org wrote: I think it is likely that some vendors of NSS-based products with very conservative backward-compatibility guarantees, like Oracle and maybe Red Hat, may need to continue

Re: Removal of generateCRMFRequest

2013-09-30 Thread Robert Relyea
On 09/28/2013 12:17 PM, Brian Smith wrote: On Sat, Sep 28, 2013 at 7:52 AM, Sean Leonard dev+mozi...@seantek.com wrote: On 9/27/2013 5:51 PM, Robert Relyea wrote: I don't have a problem with going for an industry standard way of doing all of these things, but it's certainly pretty presumptuous

Re: Removal of generateCRMFRequest

2013-09-27 Thread Robert Relyea
On 09/27/2013 05:01 PM, Ryan Sleevi wrote: On Fri, September 27, 2013 4:09 pm, Eddy Nigg wrote: On 09/28/2013 01:59 AM, From Ryan Sleevi: If your site requires a client certificate, and you know that a client certificate is stored in a smart card, then you also know that when using

Re: Need to use the main NSS module as a PKCS#11 module in IBM Notes

2013-09-13 Thread Robert Relyea
On 09/11/2013 05:52 PM, Kyle Hamilton wrote: Elio, Thanks for responding. IBM Notes reports that the path is invalid. Is there a requirement that softokn3.chk be in the current working directory? -Kyle H softokn3.chk should be in the same directory as softoken. Softoken asked the OS

Re: Proposal to Change the Default TLS Ciphersuites Offered by Browsers

2013-08-26 Thread Robert Relyea
On 08/26/2013 02:24 PM, Brian Smith wrote: On Thu, Aug 22, 2013 at 11:21 AM, Robert Relyea rrel...@redhat.com wrote: So looking at this list, I think we have a major inconsistency. We put Ephemeral over non-ephemeral, but we put 128 over 256. While I'm OK with Ephemeral (PFS) over non

Re: Proposal to Change the Default TLS Ciphersuites Offered by Browsers

2013-08-23 Thread Robert Relyea
On 08/23/2013 02:03 AM, Gervase Markham wrote: On 22/08/13 19:21, Robert Relyea wrote: The attack profile protection of PFS versus non-PFS is basically two points: 1) some government agency could force a server to give up it's private keys and decrypt all the traffic sent to that server

Re: Proposal to Change the Default TLS Ciphersuites Offered by Browsers

2013-08-22 Thread Robert Relyea
On 08/19/2013 11:06 AM, Kurt Roeckx wrote: On 08/09/2013 04:30 AM, Brian Smith wrote: Please see https://briansmith.org/browser-ciphersuites-01.html First, this is a proposal to change the set of sequence of ciphersuites that Firefox offers. So I think there are a whole bunch of things

Re: Proposal to Change the Default TLS Ciphersuites Offered by Browsers

2013-08-22 Thread Robert Relyea
On 08/16/2013 03:05 PM, Wan-Teh Chang wrote: On Fri, Aug 16, 2013 at 11:13 AM, Camilo Viecco cvie...@mozilla.com wrote: Hello Brian I think this proposal has 3 sections. 1. Unifying SSL behavior on browsers. 2. Altering the criteria for cipher suite selection in Firefox (actually NSS) 3.

Re: Fwd: RE: [cabfpub] Ballot 108: Clarifying the scope of the baseline requirements

2013-08-15 Thread Robert Relyea
On 08/15/2013 03:21 AM, Gervase Markham wrote: On 15/08/13 01:19, Robert Relyea wrote: On 08/09/2013 02:57 AM, Gervase Markham wrote: Can an NSS hacker please tell me, in the fashion of the attempt by the IE representative below, what types of certificate NSS accepts for making SSL connections

Re: Fwd: RE: [cabfpub] Ballot 108: Clarifying the scope of the baseline requirements

2013-08-15 Thread Robert Relyea
Time_Stamp == EKU_Time_Stamp // 597-601 Technically this is EXT_KEY_USAGE_TIME_STAMP || EKU_TIME_STAMP. What is the difference between these two? Looking at the wording, they seem identical - EKU stands for EXT_KEY_USAGE... One is the bit set in the Netscape

Re: moznss with openldap - error -8018:Unknown PKCS #11 error

2013-08-14 Thread Robert Relyea
On 08/07/2013 10:38 PM, Augustin Wolf wrote: Hi List, I have a Centos 6.4, fresh install, and I'm trying to configure OpenLDAP with moznss. For now, self signed certificate is sufficient for my needs. But when I try to search using secure connection (-Z option), I got error: ldap_start_tls:

Re: Fwd: RE: [cabfpub] Ballot 108: Clarifying the scope of the baseline requirements

2013-08-14 Thread Robert Relyea
On 08/09/2013 02:57 AM, Gervase Markham wrote: Can an NSS hacker please tell me, in the fashion of the attempt by the IE representative below, what types of certificate NSS accepts for making SSL connections? What features must the cert or chain have or not have? Or, if this is a PSM question,

Re: Proposal to Change the Default TLS Ciphersuites Offered by Browsers

2013-08-14 Thread Robert Relyea
On 08/09/2013 10:12 AM, Brian Smith wrote: On Fri, Aug 9, 2013 at 3:27 AM, Gervase Markham g...@mozilla.org wrote: * Can you provide some background or references on exactly how ciphersuite construction and choice works? Can I invent e.g. TLS_DHE_ECDSA_WITH_AES_128_MD5 or some other random
