On Thu, 2016-04-21 at 09:13 -0400, Rob Crittenden wrote:
> William Brown wrote:
> > 
> > https://fedorahosted.org/389/ticket/48798
> > 
> > https://fedorahosted.org/389/attachment/ticket/48798/0001-Ticket-48798-Enable-DS-to-offer-weaker-DH-params-in-.patch
> > 
> > https://fedorahosted.org/389/attachment/ticket/48798/0001-Ticket-48798-lib389-add-ability-to-create-nss-ca-and.patch
> > 
> I don't understand why you are linking enabling weak DH params with 
> enabling DHE on the server side, or are you just forcing server-side DH 
> if the weak params are enabled? Is there some other switch to enable 
> server-side DH too? What about managing the DH ciphers?
> 
> You should check for the existence of SSL_ENABLE_SERVER_DHE if you want 
> to be able to build with older NSS.

That's about to change to be within #if NSS_VMAJOR * 100 + NSS_VMINOR >= 320 so
it should be fine.

> In the second patch there is no context why creating your own CA is 
> linked in any way with testing DH params, plus the "This is a trick" 
> code is duplicated between the patches. I think I'd just revise the 
> commit message on the second patch saying it is code to generate an RSA 
> CA and leave it at that.
> 

Well, we need certificates to test ssl, else no DH ...
But I will update the commit message.

> There is a comment that the "shipped" NSS db is broken but no 
> explanation of how.
> 

It has no password, and all kinds of basic operations just ... break. You can't
import certificates correctly and some other issues I cannot remember because I
generally just nuke it from orbit before I start.
This isn't the first test where we have to "refresh" the shipped nss db to make
things work. Noriko's OpenSSL patch has to do it too.

-- 
Sincerely,

William Brown
Software Engineer
Red Hat, Brisbane

--
389-devel mailing list
389-devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/389-devel@lists.fedoraproject.org