NSS has a build option NSS_SURVIVE_DOUBLE_BYPASS_FAILURE that enables some code in the SSL library to turn off PKCS #11 bypass mode automatically if the attempt to bypass PKCS #11 fails:
http://mxr.mozilla.org/security/search?string=NSS_SURVIVE_DOUBLE_BYPASS_FAILURE

I believe nobody is using that build option. I am going to remove that build option so that the ss->ssl3.hs.messages structure member is only used for one purpose: to buffer handshake messages until we establish which handshake hash functions to use. This will simplify the logic of determining when to stop buffering handshake messages.

If you are using the NSS_SURVIVE_DOUBLE_BYPASS_FAILURE build option, please let me know. If you call SSL_CanBypass before enabling the PKCS #11 bypass mode, you should not need the NSS_SURVIVE_DOUBLE_BYPASS_FAILURE build option.

Thanks,
Wan-Teh Chang

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto