On Thu, Mar 19, 2020 at 12:00:32PM -0400, Brian Reichert wrote: > On Thu, Mar 19, 2020 at 08:39:24AM -0700, Kevin Jacobs wrote: > > SSL_OptionSet with SSL_ENABLE_EXTENDED_MASTER_SECRET will do the trick, but > > I'm not aware of a config file option for this. > > > > NSS 3.48 enabled this by default, so if you're able to use a newer version, > > it should "just work". > > This says is was supported as of 3.2.1: > > > https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21_release_notes > > For 3.48 to be enabled by default, but it was introduced in 3.2.1, > implies to me that when it was introduced, it was not enabled, but > enableable. I have no idea what that mechanism might be. > > Anyway, I guess the next step is to engage the mod_nss people > directly.
And they've responded: There is no config setting for this option. The only way to enable it if the underlying nss does not enable it by default would be to modify and rebuild the package. So - mozilla-nss-3.45 supports EMS, but does not enable it by default. You've showed me how to enable it for the selfserv utility. Is there some out-of-band way I can coerce /usr/lib64/libnss3.so, or whatever the operational binaries are, to enable this? Config file, environment, anything... I'm pawing through the docs here for clues, but am not getting any traction yet. https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS > > I appreciate the pointers! > > > > > Thanks, > > Kevin > > -- > Brian Reichert <reich...@numachi.com> > BSD admin/developer at large > -- > dev-tech-crypto mailing list > dev-tech-crypto@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-tech-crypto -- Brian Reichert <reich...@numachi.com> BSD admin/developer at large -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
