A fair bit of work has been done to mod_nss, an SSL module for Apache
that uses NSS instead of OpenSSL, since it was released last September.
Changes since then include use of the NSS OCSP client, addition of a FIPS
mode (similar to modutil -fips true -dbdir /path/to/database), options
to seed
Nelson B. Bolyard wrote:
Rob Crittenden wrote:
A fair bit of work has been done to mod_nss, an SSL module for Apache
that uses NSS instead of OpenSSL, since it was released last September.
Changes since then include use of the NSS OCSP client, addition of a FIPS
mode (similar to modutil -fips
I'm having an issue with mod_nss, an Apache module I wrote that provides
SSL using NSS.
The way Apache loads modules is a tad strange. What it does is it loads
them one time in order to get its list of configuration directives and
it verifies that the configuration is ok. It also runs through
Nelson B wrote:
Rob Crittenden wrote:
I'm having an issue with mod_nss, an Apache module I wrote that provides
SSL using NSS.
The way Apache loads modules is a tad strange.
I'd say it's more than a tad!
What it does is it loads them one time in order to get its list of
configuration
In an SSL client I want to force the SSL handshake to take place instead
of passively waiting for it to happen during the first write.
Right after I connect to the server I'm currently doing this:
SSL_ResetHandshake(ssl, /* asServer */ PR_FALSE);
do {
SSL_ForceHandshake(ssl);
Nelson B wrote:
Rob Crittenden wrote:
In an SSL client I want to force the SSL handshake to take place instead
of passively waiting for it to happen during the first write.
Right after I connect to the server I'm currently doing this:
SSL_ResetHandshake(ssl, /* asServer */ PR_FALSE
Nelson B wrote:
Rob Crittenden wrote:
In an SSL client I want to force the SSL handshake to take place instead
of passively waiting for it to happen during the first write.
Right after I connect to the server I'm currently doing this:
SSL_ResetHandshake(ssl, /* asServer */ PR_FALSE
I've got a couple of API questions. I'm not sure if these are available
or not:
1. Can I get the numeric value of the cipher that has been negotiated
instead of just the character value (e.g. from SSL_SecurityStatus())?
2. If I call PR_Shutdown() on an SSL socket, is there a way later to see
Wan-Teh Chang wrote:
Rob Crittenden wrote:
Wan-Teh Chang wrote:
Rob Crittenden wrote:
2. If I call PR_Shutdown() on an SSL socket, is there a way later to
see the flags I called it with? For example, if I call it just with
PR_SHUTDOWN_SEND is there a way I can find that out later?
I don't
Sandeep Cavale wrote:
Hi,
I seem to be having the same issue as below...
In addition, after such a failure if I do cryptoadm list -v, the hardware
provider fails to list my hardware accelerator card (mca0- Sun Crypto
Accelerator)
Further this is what the /var/adm/messages indicate:
Aug 25
I'm considering how to handle SSL re-negotiation in the Apache NSS
provider mod_nss to handle the SSL client-initiated handshake bug.
NSS provides a callback, SSL_HandshakeCallback(), which according to the
docs is called when an SSL handshake has completed.
So let's say I have the
Is ALPN supported on the server side? I can't tell from
the API and Julien asked in
https://bugzilla.mozilla.org/show_bug.cgi?id=959664 but never got an answer.
I'm looking to add HTTP/2.0 support to mod_nss and I need ALPN to do that.
thanks
rob
--
dev-tech-crypto mailing list
I don't see a way to implement OCSP stapling on the server side.
SSL_SetStapledOCSPResponses() is I think what one would use to set the
response in the SSL session but I don't see a way to get the response
from the OCSP handler. At least, I don't see a way without implementing
my own status
015 at 6:53 AM, Rob Crittenden <rcrit...@redhat.com> wrote:
Is ALPN supported on the server side? I can't tell from
the API and Julien asked in
https://bugzilla.mozilla.org/show_bug.cgi?id=959664 but never got an answer.
I'm looking to add HTTP/2.0 support to mod_nss and I need ALPN to do that.
I want to control the set of CA certificates available to authenticate
client certificates. AIUI I can use SSL_SetTrustAnchors() to do this but
it isn't working as I'd expect.
The code looks like:
CERTCertList * ca_list = CERT_NewCertList();
SSL_SetTrustAnchors(fd, ca_list); (returns
It looks like when multiple NSS databases are initialized using
NSS_InitContext() the nicknames can take multiple forms depending on
order of initialization. Using the multinit program and three NSS
certificate databases with identical nicknames I saw the following names
associated:
(first
Robert Relyea wrote:
On 10/21/2016 07:04 AM, Rob Crittenden wrote:
I'm trying to figure out how to dynamically enable FIPS support for
NSS Contexts.
I started with multinit.c and initialize FIPS right after calling
NSS_InitContext() using this:
So you can't change the state of an already
I'm trying to figure out how to dynamically enable FIPS support for NSS
Contexts.
I started with multinit.c and initialize FIPS right after calling
NSS_InitContext() using this:
if (!PK11_IsFIPS()) {
fprintf(stderr, "Initializing FIPS\n");
SECMODModule *mod =
Chris Tomlin wrote:
>
> Hello all,
>
> I'm getting an NSS error in my httpd logs and it's a bit strange. The error
> I'm getting is this:
>
> Misconfiguration of certificate's CN and virtual name. The certificate CN has
> server.name. We expected server.name as virtual name.
>
> In this
SSL_BYPASS_PKCS11 is marked as deprecated in ssl.h. What are the plans
on removing it?
rob
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
20 matches