should I do?
Does your key3.db file now contain the private key for your cert?
Is your cert an object signing cert? Or merely code signing?
--
Nelson B
___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org
Rob Crittenden wrote:
Nelson B wrote:
Rob Crittenden wrote:
In an SSL client I want to force the SSL handshake to take place instead
of passively waiting for it to happen during the first write.
Here are a few (?) questions and comments:
1. Is this a blocking socket, or non-blocking
, at a baser level, that there doesn't appear to be a
way to send a client_hello message without receiving a server_hello
first?
I'm sure that's not the problem, since the SSL protocol doesn't allow
the server to send the server hello until after it has received the
client hello.
--
Nelson B
on the sslsocket before calling ForceHandshake.
--
Nelson B
you ask in mozilla.dev.general.
--
Nelson B
is not regularly read by the folks
familiar with the JavaScript code you're using.
You might try another of the mozilla.dev.tech newsgroups, but I don't
know which one (if any) will give you better results. Sorry.
--
Nelson B
expletive /cygdrive
hack. You need to configure cygwin to NOT use /cygdrive but instead use
windows compatible path names.
--
Nelson B
options
--
Nelson B
or more extensions that specifically
disallow its use for SSL server authentication or for key encryption.
--
Nelson B
Rich Megginson wrote:
Nelson B wrote:
Below, you seem to be asking how they are stored in certificates.
I'll answer the questions about what appear in certs.
1) Are appended ports actually allowed in the subjectAltName or CN?
No.
How about the return value from SSL_RevealURL( fd
the same application that
called PR_Read, presumably the application can arrange to communicate that
knowledge to itself.
See also http://lxr.mozilla.org/mozilla/source/security/nss/lib/ssl/notes.txt
--
Nelson B
at this.
--
Nelson B
is that
this is a difference between 3.11.2 and 3.11.3.
--
Nelson B
numbers
means that one or more CAs goofed.
Anders
--
Nelson B
.
--
Nelson B
implementation?
Yes, I think so.
What is the ss-securityHandshake used for?
I think it may now be unused. I think it was part of the old SOCKS
implementation that was abandoned.
Regards,
Peter
--
Nelson B
Kaspar Brand wrote:
https://bugzilla.mozilla.org/show_bug.cgi?id=315871
Would it make sense to create a separate bug entry for the getPKCS7()
patch, since this is actually a backend-only thing?
Kaspar, let me suggest that you write to Kai and ask him directly how
to proceed.
--
Nelson B
NSS or PSM developers, but I welcome any
help with NSS or PSM.
Kaspar
--
Nelson B
of the browser in it.
See
http://lxr.mozilla.org/security/source/security/nss/cmd/smimetools/cmsutil.c
--
Nelson B
glen beasley wrote:
Nelson B wrote:
David Stutzman wrote:
What is the min/max password length when the module is operating in FIPS
140-2 mode?
Wan-Teh will have to answer that. I think it has changed recently.
It seems that the requirements have changed since the last time NSS
of independent sub-ordinate CAs.
Any comments?
Solution involves client keeping the cert chain(s) for its EE cert(s),
at least to the level of the CA named by the server.
Anders
--
Nelson B
and multiple readers
to the NSS DB is a safe method of sharing a cert database between processes.
No, it is not. Sorry.
Specifically, only one process would initialize with NSS_InitReadWrite()
and all others would initialize with NSS_Init()
--
Nelson B
guessing that your request somehow got resent accidentally.
--
Nelson B
be welcome, I think.
--
Nelson B
of the WinNT flavor builds is not interested
in also offering Win95 flavor builds.
Thanks!
Michiel van Meersbergen
--
Nelson B
error message in that case is not.
--
Nelson B
Christian, I see you're not the first person to have had troubles with this.
See http://forums.tjworld.net/viewtopic.php?p=210
and https://bugzilla.mozilla.org/show_bug.cgi?id=321156 .
Based on your description (which I'll not quote here), I think your
intermediate CA cert does not have the
it to run signtool.
Any pointers on whether this is possible and how to do so?
Make sure that the complete chain is available to signtool, then try
signing again.
--
Nelson B
someone has some info for me
Christian Bongiorno
Ciao,
--
Nelson B
/source/security/nss/cmd/lib/NSPRerrs.h
http://lxr.mozilla.org/security/source/security/nss/cmd/lib/SECerrs.h
http://lxr.mozilla.org/security/source/security/nss/cmd/lib/SSLerrs.h
Sample code to do that is seen at
http://lxr.mozilla.org/security/source/security/nss/cmd/lib/secerror.c#53
--
Nelson
Anders Rundgren wrote:
http://www.w3.org/2006/02/axalto-paper.html
This paper says that we can soon forget about P11 and such
and rely on AJAX-like access to crypto.
We wouldn't have to worry about vendor-independent crypto device
interface standards if everyone in the world would agree to
instance even
if it has not been initialized. If it should prove not to be safe, that
would be an NSS bug.
thanks
Hope this helps.
I have a feeling I've just made the problem seem bigger :)
rob
--
Nelson B
variable.
Here's a thought: Try the build with gmake instead of make.
On some platforms make is gmake. On others, gmake is separate.
NSS makefiles are gmake makefiles. Try using gmake explicitly.
--
Nelson B
not sure which of those questions you're asking.
How can I set a new token device programmatically
I think you're asking how to install a new PKCS#11 module, but I'm not sure.
Please expect most questions to be answered after 1-2 business days.
--
Nelson B
3.12, so won't be available in any
mozilla based products this year.
He needn't wait for PKIX to do the above. PKIX is only needed if he's going
to involve policy-based chain building.
--
Nelson B
the
CKF_PROTECTED_AUTHENTICATION_PATH flag in the token info flags.
--
Nelson B
be
considered valid except for *.example.com domains.
If you really don't trust any CAs except your own to be truthful to you,
then you should mark all other CAs but your own as distrusted.
Thanks for any help.
Balint Balogh
Regards
--
Nelson B
that the private key is in the TPM.
You may find it difficult to import the private key into the TPM.
So, assuming that you're the first of many future HP TPM users, please help
us to understand exactly how you got that private key in the first place.
--
Nelson B
and done, there remains no durable signature.
Which of those applications sounds more like yours?
Figure that out, and then pick a cert of that type.
--
Nelson B
Dave Pinn wrote:
Nelson B wrote:
Best bet is to get a formatted listing of the certificate itself,
showing all the extensions and their criticality.
OK, here goes:
Non-critical X.509 version 3 extensions:
* CRL Distribution Points
* Authority Key Identifier
* Subject Key Identifier
is the private
key?
--
Nelson B
your reply goes to the mailing list, or the newsgroup, but not both.
Then the readers will get just one copy.
--
Nelson B (moderator: dev-tech-crypto mailing list)
?
Is there an NSS utility that does this?
Signtool will tell you if your file is a valid JAR file, but will not
check that it is also a valid XPI file. Ultimately, Firefox or SeaMonkey
themselves are the best test tools for XPI files.
Thanks in advance,
Paul
--
Nelson B
of their 6-in-1 or wildcard certs
in use on the internet.
--
Nelson B
/nss/lib/pk11wrap/pk11sdr.h#44
--
Nelson B
for this.
--
Nelson B
of
this certificate.
Regards,
Udaybhaskar
--
Nelson B
time, no see!
Actually, quite a few of the NSS command line tools link with NSS static
libs. See a list of them with this URL:
http://lxr.mozilla.org/security/search?string=USE_STATIC_LIBS
I suggest you build one of them and look at its link command and follow
that example.
--
Nelson B
version number of the source file that contained
this error, and where and how you got it.
--
Nelson B
the examples of the link commands
they use. That's my suggestion.
--
Nelson B
/lib just so that we have the right to
change them at will. But I don't know the answer. I wonder if we need a
slightly different license than the MPL for that code.
--
Nelson B
whenever they like?)
In any case, I do think PKCS#11 is your best bet. It's well supported
and LOTS of others have trod that path before you.
--
Nelson B
, then this is likely a problem with the declaration of
SECU_ReadDERFromFile in the header file.
Thanks.
--
Nelson B
easily?
Thanks,
Dan
No, it can't be done easily.
Why would it be a good idea for users to be able to replace such a
crucial security component easily?
--
Nelson B
willing to let the NSS team have that pfx file (and its
password) for debugging purposes, please contact me.
--
Nelson B
/to/database), options
to seed the NSS Random Number Generator, support for Apache 2.2 as well
as a number of important bug fixes.
Rob, You da MAN!
Seriously, I really appreciate the work you (and others?) have done on this!
--
Nelson B
AND private key imported, it should work.
You're doing a good job of figuring out most of this stuff by yourself,
which is commendable. So, keep going and I think soon you'll have it
solved.
--
Nelson B
Paul Santapau wrote:
Nelson B wrote:
All the error codes for TBird's crypto are negative numbers, in the
range -6000 .. -12288 and the number 1028 isn't in that range.
Ok, good guess ;-). But the number that appears is really 1028,
in parentheses. I can send you a snapshot if wanted.
-t certificate -a -i yourfile
--
Nelson B
Policy Qualifier Name: PKIX User Notice Qualifier
Display Text: .C.e.r.t.i.f.i.c.a.d.o. .p.a.r.a. .a.p
--
Nelson B
[EMAIL PROTECTED] wrote:
Any plans to support ftp/ssl in Firefox?
I think the answer is likely: no-one who frequents this newsgroup/list
is planning to do so, but you should check in m.d.t.network.
--
Nelson B
=335021
Also, I've searched all over looking for some documentation on certutil
and signtool. Is there any around?
Start looking here:
http://www.mozilla.org/projects/security/pki/nss/tools/index.html
Regards,
Paul
--
Nelson B
) the URL of one or more.
I'd like to amass a list of them.
Thanks.
--
Nelson B
Bruno Boutteau wrote:
Nelson B wrote:
Bruno Boutteau wrote:
How can we import a PKCS #7 certificate or .cer in Firefox? It is easy
with IE just click on it and accept the next OKs up to FINISH!!!
Thanks in advance (Certificate was delivered on crypto smart card)
Thanks for first answer
Mikolaj Habryn wrote:
On Sun, 2006-04-09 at 22:08 -0700, Nelson B wrote:
These other functions
do not, as a rule, require that the user cert have a chain that verifiably
was issued by a locally trusted root. Verifying that the chain leads to
a locally trusted root is a function for a relying
should be able to do is to mark the CA only as
trusted for email which limits the risks.
Thanks for confirming that.
Odd that crypto.signtext should check for an email cert when it is not
performing email signing or encryption.
--
Nelson B
validation will render your application
completely vulnerable to various attacks, the very ones from which SSL
(HTTPS) is intended to protect you.
Why not use a valid cert from a known issuer?
--
Nelson B
, David!
--
Nelson B
be on autopilot.
Jay
--
Nelson B
Rich Megginson wrote:
Nelson B. Bolyard wrote:
One more thing: http upgrade is EVIL. :-/
Why? And does that apply to LDAP upgrade as well? Because the
recommended way to use TLS with LDAP is to use the startTLS extended
operation on the insecure port to upgrade the connection to TLS
.
Given that your list of called NSS functions above didn't include the
functions to configure the SSL socket with certs and keys, I'd guess you
didn't do that, and so ssl3_config_match_init found no certs and keys
for any cipher suites.
One more thing: http upgrade is EVIL. :-/
--
Nelson B
Nelson B. Bolyard wrote:
Among the system files, the best sources of entropy probably come from
the files in Temporary Internet Files and the temp directories.
I just noticed that I had been reading the code for WinCE, which is rather
different from the general Windows code (Win95-WinXP
RFE for this is now
https://bugzilla.mozilla.org/show_bug.cgi?id=331314
Contributions welcome in that RFE.
--
Nelson B
Frank,
http://www.hecker.org/mozilla/ca-certificate-list
says it's an unofficial working document.
So, where's the official list of CA certs in mozilla?
And where is the official list of certs not in mozilla (with reasons why)?
Google showed lots of stuff about policies, and lots of irrelevant
Nelson B Bolyard wrote:
Kyle Hamilton wrote:
(I /hate/ that I have to click 'reply all' to reply to the original
poster /and/ the list.)
What would you propose instead?
Having a Reply-To: header in each message that replies to the alias?
or ?
The particular MailMan list management
in the meantime, get an EKU extension if you can.
--
Nelson B
into my build?
Have a look at http://www.mozilla.org/build/distribution.html
There you will find some text about configuring with --enable-crypto
I think that does the trick.
Note: followups directed to mozilla.dev.tech.crypto
--
Nelson B
module implement all the SSL-related PKCS#11 mechanisms?
If not, it may be necessary to move keys from one module to another,
which is typically quite costly (in terms of performance).
--
Nelson B