ccage wrote:
> 
> I have the SSLSample code building on the Mac, but not sure how
> to supply all of the arguments.  Could someone provide an
> example of the args they would pass to this sample program?

Sure.  You seem to be asking questions specifically about the sample client.
The answers below are for the sample client, not the sample server.

Note that the sample client and server do NOT speak the https protocol. 
That is, they do not speak the http application protocol over SSL.
They speak their own application protocol, which is not any standard protocol,
over SSL.  So the sample client ONLY works with the sample server.
You cannot get your browser to work with the sample server, and the 
sample client will not work with ordinary https servers.

> 1.              case 'C' : cipherString = PL_strdup(optstate->value); break;
> 
> Is this required? Example?

Not required.  Default is to use all known ciphersuites.

Example:   -C EFdel
        selects only the ciphersuites that use DES.

Note that this option is for the client.  In the server, this option is 
lower case 'c', not 'C'.

> 2.      case 'c' : connections = PORT_Atoi(optstate->value);  break;
> 
> # of connections to make?

Not required.  Default is 1.  I suggest you start there.
Note that this is only a client option.  
The 'c' option has a different meaning in the server.

> 3.  case 'd' : certDir = PL_strdup(optstate->value);      break;
> 
> This is Directory where Cert DB is stored, right? 

Yes.  There are 3 files obtained from that directory:  the cert db, the 
private key db, and the "security module" db.  This program expects them
to have the following names:
        cert7.db
        key3.db
        secmod.db

> Can I use a Netscape or Mozilla cert file from my Preferences folder? 

Yes. But that's not what we recommend for the sample client and server.

Have you read the NSS/SSL documentation?  It's at
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/

There's a chapter entitled "Getting Started With SSL" that explains 
how to set up the DBs specifically for the sample client and server.  
I'm not sure that's ever been tested on a Mac though.

> I'm
> asking this because I know how to export my Cert from a browser
> but don't understand how to insert into mozilla "certdb".

The 3 DBs that NSS programs require, cert7.db, key3.db, and secmod.db,
all exist in one of Communicator's folders, but their names are slightly
different.  I don't recall the exact names that the browser uses for these
files, but I suspect you'll figure it out.

But since the sample client and server do not speak https, I don't 
recommend that you use your mozilla DBs for those programs.

> 4. case 'n' : certNickname = PL_strdup(optstate->value); break;
> 
> Required?  Is this the Nickname of the Cert that the server is
> expecting?

The nickname has different uses in the client and server.
In the server, it identifies the server cert which an SSL server always 
sends to the client, and it is required.  The server can optionally be 
configured to request and/or require the client to authenticate itself
by sending a client certificate, using the F, R, f, and r options.

In the client, the nickname identifies the certificate that the client 
will send to the server if the server requests it.  It is optional.
If it is not specified, and the server asks for a cert, the client will
tell the server that it has no cert.

> 5. case 'w' : password = PL_strdup(optstate->value);     break;
> 
> Password to what? Is this an *optional* password to the SSL
> server?

This is the password for the private key database, which is encrypted.
It is not optional for the server, as I recall.

> Thanks for any help.
> -chris

Besides the sample programs in SSLsample, there are also the programs
selfserv, tstclnt, and strsclnt.  selfserv _is_ a simple https server.
You can use your browser with it.  strsclnt is an https client.
tstclnt is generic enough that it can be made to act as an https client
by providing input (to stdin) that is a properly formatted http request,
but tstclnt uses non-blocking sockets, and I don't know if those are
supported on the Mac or not.  

One advantage to using selfserv and strsclnt as your sample programs,
instead of the programs in SSLsample, is that they work with standard
client and server programs.  So, you don't have to get BOTH the sample
client and sample server programs running before you can test one of them.
You can test the strsclnt with an ordinary https server (on the web).

The disadvantage is that the "Getting Started" chapter in the NSS/SSL 
reference documents doesn't explain anything about those programs.

(Please continue to direct all followup questions to this newsgroup.  Thanks.)
--
Nelson Bolyard               Sun / Netscape Alliance
Disclaimer:                  I speak for myself, not for Netscape
