NSS without PKCS#11 ?
Is it possible to use NSS in the traditional SSL way, that means without a PKCS#11 module?

Thanks,
Alex
Re: PR_IO_TIMEOUT_ERROR when doing a PR_Send with PR_INTERVAL_NO_TIMEOUT???
- Platform is Win2K/Win32
- Acting as a client
- Blocking SSL Sockets

Your speculation seems to make sense because I only get PR_INTERVAL_NO_TIMEOUT with the first call to PR_Send _sometimes_. And, if I happen to step through the socket creation/SSL handshake process w/ the debugger and then just run when the creation process is done, I never get this problem. So, it seems that one of the initialization functions says it's done, when it's not quite done, I would guess. Could I use PR_Poll in this case to ensure that the SSL socket is ready, 100% guaranteed??

Mike

Nelson B. Bolyard [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> Mike Oliver wrote:
> > Nelson B. Bolyard [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> > > This can happen if you have set the SSL_ENABLE_FDX flag on the SSL socket, but do not have threads reading and writing simultaneously. Have you set SSL_ENABLE_FDX?
> >
> > No, I have not set SSL_ENABLE_FDX. W/r/t options, all I have set is:
> > SSL_SECURITY
> > SSL_HANDSHAKE_AS_CLIENT
>
> More questions:
> 1. What platform?
> 2. Is your program acting as an SSL server at any time? (The HANDSHAKE_AS_CLIENT would suggest not, but I have to ask)
>
> One way it could conceivably happen is as follows: SSL or NSPR might call some system function, other than send or recv, that normally does not block for a long time, but that is capable of returning ETIMEDOUT (if Unix) or WSAETIMEDOUT (if Win32). The PR_INTERVAL_NO_TIMEOUT timeout value should prevent the underlying system send or recv call from returning ETIMEDOUT, but some other system call could unexpectedly return it, causing NSPR/NSS to return it as PR_IO_TIMEOUT_ERROR. This is just speculation, of course.
>
> Please continue to post any followup messages to this newsgroup.
> --
> Nelson Bolyard
> Netscape
> Disclaimer: I speak for myself, not for Netscape
Re: JSS library - PrivateKey.getEncoded() return NULL
Thanks a lot for your valuable help Jasen. But I still have some questions about your workarounds:

1/ Unfortunately this is not a solution for us because one of the main goals of using JSS and NSS in Java and C environments is to have a common keystore and tools to manage it (certutil and pk12util).

2/ Same as 1/. This is not a solution for us. We need to use PrivateKey for encryption methods.

3/ How can I get an EncryptedPrivateKeyInfo (or a PrivateKeyInfo) from a PrivateKey? PrivateKeyInfo needs an octet_string (from a byte array) representation of the private key ... so if PrivateKey.getEncoded() returns null, I have no chance to get this octet_string ... Did I miss something?

Thanks again from a lost (in JSS) guy.
Pierre

Jasen Halmes [EMAIL PROTECTED] wrote in message news:[EMAIL PROTECTED]...
> I was trying to do this exact thing, if you look at the JSS source code you'll see they don't implement this method. The explanation I got was that it was not secure to expose a private key in plaintext. There are a couple of workarounds:
>
> 1) use a java.security.PrivateKey which requires changing your key generation code. When you do this you can call getEncoded() and get a byte array, however this key will not work with other mozilla functions, I'm not sure which off the top of my head. I think my problems had to do with trying to verify a Signature with the PrivateKey or something like that.
>
> 2) use the JSS KeyWrapper and a symmetric key to get an encrypted byte array of the PrivateKey, this adds the need to handle symmetric key generation. I actually tried using an algorithm that will produce the same symmetric key based on a passphrase. So then I just need to keep this passphrase secure. This was the solution I used, BUT the bytes are not usable by other encryption methods like for verification or whatever so I have to convert back to a PrivateKey to do anything. I am just using this method to store the keys.
>
> 3) start with the PrivateKey and get an EncryptedPrivateKeyInfo which is a PKCS#8 format private key. Meaning that saving the EncryptedPrivateKeyInfo to a file is how you make PKCS#8 keys. This is how they should be stored normally I think, but I'm not positive of the difference between this and step 2). Other than the fact that step 2) isn't an ASN type and an EncryptedPrivateKeyInfo is.
>
> I hope that helps and that I didn't pass on any misinformation...
> Jasen
NSS and JSS version
When using CryptoManager.JAR_JSS_VERSION and CryptoManager.JAR_NSS_VERSION to get the JSS and NSS versions from JSS I get this:

JSS_VERSION = JSS_3_0
NSS_VERSION = NSS_3_2_RTM

That's wrong because I'm using JSS version 3.1 and NSS version 3.3. What's wrong? Did I miss something?
Re: mozilla can't connect to some https-sites
On 01-10-24 05:46:48 CEST, Nelson B. Bolyard wrote:
> Robert Joop wrote:
> > i've discovered that mozilla up to 0.9.5 (build 2001101202) can't connect to some https-sites netscape navigator 4.77 can connect to, for example https://me.in-berlin.de/. with mozilla 0.9.5 i get an unknown SSL error (-8101),
>
> Well, first of all, you should be getting a better error message than that. Error code -8101 is not a new error code. PSM should recognize it. SEC_ERROR_INADEQUATE_CERT_TYPE means that the server certificate (or one of the CA certificates in the server cert's chain) has some extension that says it is not able to be used for SSL server certificates.

what does mozilla want (that netscape doesn't)? netscape certificate extensions, perhaps? :-) (i doubt it, it doesn't even list the extension name, just its OID.)

the root CA certificate (http://ca.in-berlin.de/cgi-bin/rootca) has: certificate key usage: critical, certificate signer.
the server CA certificate (http://ca.in-berlin.de/cgi-bin/serverca) has: certificate key usage: not critical, certificate signer.
the certificates were generated using openssl.

> Perhaps this error could also be caused by lack of a trust flag for the root CA cert.

the root CA is trusted for web servers and email users, the server CA (signed by this root CA) is trusted for web servers. mozilla tells me "Could not verify this certificate for unknown reasons." for both. unknown reasons...

> > navigator 4.77 works fine. has anybody got an idea why?
>
> I'll guess that your two browsers use different copies of the cert7.db and key3.db files.

yes, but the CA certificates are in both browsers. (can't remember how they got there, mozilla either converted netscape's dbs or i downloaded them in the same way. other users in different environments discovered the same when they tried to use mozilla on these https-sites.)

rj
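The thread above turns on what "certificate key usage: certificate signer" actually encodes and why a chain verifier rejects a certificate whose usage bits do not fit its role. The following is an added example, not code from the thread, from NSS or from PSM: it decodes an X.509 KeyUsage extension value (a DER BIT STRING, RFC 5280 section 4.2.1.3) into named bits and checks each certificate in a chain against the role it plays, CA or SSL server leaf. The sample byte strings are constructed for the example and are not the in-berlin.de certificates; the role checks (`may_sign_certificates`, `may_serve_ssl`) are this example's own simplification, not NSS's full cert-type logic, which also consults the Netscape cert-type extension and the trust flags Nelson mentions.

```python
# Added example: decode a DER-encoded X.509 KeyUsage BIT STRING and check
# the bits against two roles a chain verifier cares about. Not NSS code.

KEY_USAGE_BITS = [
    "digitalSignature",   # bit 0
    "nonRepudiation",     # bit 1
    "keyEncipherment",    # bit 2
    "dataEncipherment",   # bit 3
    "keyAgreement",       # bit 4
    "keyCertSign",        # bit 5 ("certificate signer" in the browser UI)
    "cRLSign",            # bit 6
    "encipherOnly",       # bit 7
    "decipherOnly",       # bit 8
]


def decode_key_usage(der: bytes) -> set:
    """Return the set of named KeyUsage bits in a DER BIT STRING.

    Layout: 0x03, short-form length, unused-bit count, then the bit bytes;
    bit 0 is the most significant bit of the first byte.
    """
    if len(der) < 3 or der[0] != 0x03:
        raise ValueError("not a DER BIT STRING")
    length = der[1]
    if length & 0x80 or len(der) != 2 + length:
        raise ValueError("bad or unsupported BIT STRING length")
    unused, body = der[2], der[3:]
    if unused > 7 or (not body and unused != 0):
        raise ValueError("invalid unused-bits count")
    # DER requires the unused low-order bits of the last byte to be zero;
    # a non-zero pad is a malformed (non-DER) value and is rejected.
    if body and body[-1] & ((1 << unused) - 1):
        raise ValueError("non-zero padding bits (not DER)")
    total_bits = len(body) * 8 - unused
    names = set()
    for i in range(min(total_bits, len(KEY_USAGE_BITS))):
        if body[i // 8] & (0x80 >> (i % 8)):
            names.add(KEY_USAGE_BITS[i])
    return names


def may_sign_certificates(usage: set) -> bool:
    """A CA certificate must carry keyCertSign to sign other certificates."""
    return "keyCertSign" in usage


def may_serve_ssl(usage: set) -> bool:
    """An SSL server leaf needs keyEncipherment (RSA key exchange) or
    digitalSignature ((EC)DHE handshakes); keyCertSign alone is inadequate."""
    return bool(usage & {"digitalSignature", "keyEncipherment"})


# Constructed sample values (hypothetical, not the certificates in the thread).
ROOT_CA_KU = bytes.fromhex("03020106")    # keyCertSign, cRLSign
SERVER_CA_KU = bytes.fromhex("03020204")  # keyCertSign only
LEAF_KU = bytes.fromhex("030205a0")       # digitalSignature, keyEncipherment


def check_chain(leaf_ku: bytes, *ca_kus: bytes) -> list:
    """Return (role, ok) per certificate, leaf first, then each CA in order.

    ok is False where a certificate's usage does not fit its role, which is
    the kind of mismatch a verifier reports as an inadequate cert type.
    """
    findings = [("leaf server cert", may_serve_ssl(decode_key_usage(leaf_ku)))]
    for n, ku in enumerate(ca_kus, 1):
        findings.append((f"CA #{n}", may_sign_certificates(decode_key_usage(ku))))
    return findings


if __name__ == "__main__":
    for role, ok in check_chain(LEAF_KU, SERVER_CA_KU, ROOT_CA_KU):
        print(f"{role}: {'ok' if ok else 'INADEQUATE for role'}")
    # A CA-only certificate presented as the server leaf fails the leaf check.
    print(check_chain(SERVER_CA_KU, ROOT_CA_KU)[0])
```

Note that the "critical" flag Robert lists is not inside the bit string: it lives in the surrounding Extension structure, so a parser that only sees the value cannot tell critical from non-critical. The two CA values above both decode to a usage that permits certificate signing, which is consistent with Robert's point that the key usage extension itself does not obviously explain the error.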
Re: NSS without PKCS#11 ?
Alexander Kuit wrote:
> Is it possible to use NSS in the traditional SSL way, that means without a PKCS#11 module?

NSS includes the only PKCS#11 modules that it needs. There is no need to have any others. But NSS does need one or more of the modules that come with it.

> Thanks, Alex

--
Nelson Bolyard
Netscape
Disclaimer: I speak for myself, not for Netscape
Re: logging in nss?
Jasen Halmes wrote:
> Is there any facility built into nss where I could add some code to an nss function and read output in some sort of a log? Since I am running from an appserver I am trying to think of ways to get some more debug info, I'm not sure what a printf would do in this environment so I was thinking maybe a log would work?

You can use the logging functions in NSPR. By default, the log output goes to stderr. You can define an environment variable to direct the output to a file. The logging can be turned on or off by defining an environment variable. NSPR logging is documented in http://www.mozilla.org/projects/nspr/reference/html/prlog.html.

Wan-Teh