the heap allocation fail?
You need to track down where the first error occurs.
My first wild guess is that Matej's PKCS#11 module is doing something bad
to the heap. My second one is that NSS or PSM is trying to free to the
MOZCRT17 heap something that was allocated from another heap.
--
/Nelson
to provide the symbols for your stack. Point your debugger's
symbols client at http://symbols.mozilla.org/firefox
--
/Nelson Bolyard
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
the certManager but that failed too.
With what error message?
What I need to know is how can this be achieved? How can I import a my
TestCA into the profile cert databases so that I can use it by
PK11_FindCertFromNickname function?
Many thanks in advance.
--
/Nelson Bolyard
--
dev-tech-crypto
.
--
/Nelson Bolyard
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
On 2010-08-27 16:48 PDT, Michael Smith wrote:
We're not really looking for a couldn't be compromised solutions -
this is a requirement from a company we're partnering with, not our
idea, and they basically just want it to not be simple (for some
value of that) to compromise. So: serialising
On 2010-06-21 17:57 PDT, Brian Smith wrote:
From arcfour.c:
http://mxr.mozilla.org/mozilla/source/security/nss/lib/freebl/arcfour.c#390
My guess is that valgrind is considering malloc(5) to allocate 5 bytes, when
really it allocates 8 bytes at least (because of alignment).
I presume that
On 2010-06-17 05:58 PDT, John Dennis wrote:
I'm in the process of adding CSR support to the NSS python binding and
I'm not sure I fully follow how CSR attributes are handled so I'm looking
for some clarification.
Look at how certutil does it. That's best example we have right now.
From
Kai
To perform a successful MITM attack on a connection between a victim client
and a victim server, the attacker must have two things:
1) one or more certificates that bear a public key whose corresponding
private key is known to the attacker, and which certificates will be
accepted by the
On 2010-04-14 19:18 PST, 虎 季 wrote:
I am an engineer working in mozilla China, I'm going to provide a
solution for Chinese banks which support IE only in China now.
Welcome, 虎 季. Perhaps you can give us westerners some guidance on how to
pronounce or transliterate your name in western
On 2010-04-15 06:14 PST, Gervase Markham wrote:
On 14/04/10 12:15, Developer wrote:
Why I can not know what part of page is unencrypted?
I see a warning of some parts are unencrypted, but what parts?
There are bookmarklets and greasemonkey scripts which will search for
and highlight the
On 2010-04-11 22:36 PST, Kurt Seifried wrote:
Kurt, I suggest you try posting this again, without the image, but WITH
the certificate that caused Certificate Patrol to complain. As it is,
there's no information in this posting with which anyone can help you.
That would be the PEM file I
On 2010-04-10 18:33 PST, Kurt Seifried wrote:
So I logged in to a bank today and Certificate Patrol threw up a
warning I haven't seen before (see attached image).
Kurt, I suggest you try posting this again, without the image, but WITH
the certificate that caused Certificate Patrol to complain.
On 2010-04-08 09:59 PST, Robert Relyea wrote:
On 04/07/2010 09:35 PM, Nelson B Bolyard wrote:
We plan on alerting users in a future update. This is fair warning
to server operators and those who are debugging their sites.
If this is a real threat don't users deserve a fair warning
On 2010-03-16 22:04 PST, Kyle Hamilton wrote:
Your profile's certificate and trust database appears to be corrupted,
and therefore it can't check to see if the OCSP responder's
certificate is okay.
You'll need to quit Firefox, move the current key*.db, cert*.db, and
secmod.db files out of
On 2010-03-02 10:06 PST, davidwboswell davidwbosw...@yahoo.com wrote:
I maintain a list of applications that use Mozilla technologies in
their projects and wanted to add more examples of projects that use
NSS.
http://www.mozilla.org/projects/mozilla-based.html
There are lots of applications
On 2009-12-21 02:52 PST, Abhishek Rahirikar wrote:
Hello Wan-Teh and All,
I am now getting curiously confused with the problem.
Another cipher I saw today which has similar issues.
Tool using NSS fails to perform handshake with cipher
SSL_RSA_WITH_DES_CBC_SHA. But Openssl is able to
On 2009-12-14 07:19 PST, Konstantin Andreev wrote:
I have noticed that softoken's C_Sign() (and C_SignFinal too) terminates
signing operation if called with too small output buffer
Neil wrote:
This is probably PSM again,
Yes.
but I hope someone here can answer it, or point me somewhere.
We have a both menuitem and a dialog that logs you out of the SDR, so
that you need to reenter your Master Password to gain access to your
stored certificates and other encrypted
star_ni...@my-deja.com wrote:
We are getting this error from a library.
What library function? PR_Write?
What NSS library version?
How did you get this copy of NSS?
As binaries directly from Mozilla?
As binaries from from Linux distribution? (which one?)
As sources? (where from? Have you
On 2009-09-12 17:33 PDT, Guenter wrote:
[...] so I assume that:
rv = NSS_Initialize(certDir, , , , NSS_INIT_READONLY);
works also fine with pre-3.12.0, and there's no need to specify secmod.db
as 4th argument, right?
You only need to specify a non-empty string for the 4th argument if you
On 2009-09-12 09:23 PDT, Guenter wrote:
Hi all,
I've some questions regarding proper initializing NSS.
From what I've read newer NSS now supports / prefers SQLite cert databases:
Supports: yes
Prefers: I would say no. NSS must be explicitly instructed to use the new
SQLite3 databases in each
On 2009-09-11 13:12 , Klaus Heinrich Kiwi wrote:
I don't know what it was, but now I can load opencryptoki as a PKCS#11
modules in my systems. I've tried with the software token, TPM token and
the ICA token. Loaded the modules with modutil and generated key
pairs/certificates/cert requests
On 2009-09-10 23:14 , nsk yatree wrote:
Hi.
Most likely I will not be the first person who asks such questions.
I think you might well be the first to ask how to add GOST.
Others have asked the NSS team to do it. You've asked how to do it
yourself. That's a much better question. :)
More
On 2009-08-21 12:39 PDT, Neil wrote:
Polly wrote:
Neil wrote:
Polly wrote:
Tom, you asked what third party DLLs I'm using -- it's the openssl
DLLs ssleay32.dll and libeay32.dll.
One possible alternative might be to rewrite your code to use NSS?
Thanks for the suggestion. As it
On 2009-08-20 07:27 PDT, Brendan wrote:
I am having trouble decoding a custom extension that I created using
Openssl. I have created the templates for nss but I am receiving a
bad der error number from the decoder. As far as I can tell the der
is correct and can be parsed by openssl commands
On 2009-08-14 14:43 , VT wrote:
I have an SSL server application and an SSL client on an Windows XP machine.
The SSL server application seems to work perfectly in NSPR4.1.2/NSS3.3.2 but
crashes in NSPR4.7/NSS3.12 (I did a build using MozillaBuild).
3.12.0 ? or 3.12.what?
Did you build a
On 2009-08-06 03:47, Michael Ströder wrote:
Eddy Nigg wrote:
Quite a while ago, I read a message from someone saying he had devised,
or was going to devise, a scheme to extract all of Mozilla's trusted root
certs from NSS and make PEM files from them, and use them as trusted
certs
in some
Hi all,
Quite a while ago, I read a message from someone saying he had devised,
or was going to devise, a scheme to extract all of Mozilla's trusted root
certs from NSS and make PEM files from them, and use them as trusted certs
in some other non-NSS-based product.
Does anyone remember that?
Can
On 2009-07-31 12:38 PDT, Ian G wrote:
On 31/07/2009 11:29, William L. Hartzell wrote:
Nelson B Bolyard wrote:
Some lax CAs will evidently issue certs with just about anything in the
DNS names. I'd pull the plug on them if I could find them, but the
presenters at Black Hat were careful NOT to
On 2009-07-22 06:09 PDT, nk wrote:
Is there any way I can reproduce what you're seeing?
I would probably require me to be able to access your CA server,
and perhaps also to trust your root cert for the test.
There is no CA server involved at this point. All I am doing is
supplying a
I previously replied to this but my reply hasn't shown up here in the
newsgroup, apparently, so ...
On 2009-07-14 06:44 PDT, dmorford wrote:
Is Firefox the program that you're trying to get to use AIAs and CDPs?
Firefox does not do that yet, not even when it has NSS 3.12.
Firefox 3 does not
On 2009-07-13 05:00 PDT, denish patel wrote:
Hi All,
I have a simple LDAP Client that connects to a Directory Server (DS).
However, when the DS hangs the program does not respond.
It is able to connect properly when the DS is not in a hang state.
Also when the DS has been stopped entirely,
On 2009-07-09 18:14 PDT, Michael Kaply wrote:
I'm trying to figure out a different behavior I'm seeing today vs. NSS I
was using about a year ago.
Basically I have a code signing cert that contains a complete chain and
my memory of importing a year ago (and looking at the DB files that I
On 2009-07-05 16:03 PDT, Ian G wrote:
On 4/7/09 23:19, Nelson B Bolyard wrote:
You provide customer support for Firefox?
Yup. Doesn't everyone who is a techie? I mean, I don't want to, but
because I am a techie, people assume that I know Firefox back to front
and can make it do circus
On 2009-07-01 15:48 PDT, Nagendra Modadugu wrote:
I'm asking for implementation requirements :-) Client behavior is
straightforward, here are the outstanding questions about server behavior:
Ah, OK, thanks for clarifying that.
Should it be possible to statically configure an NSS server with
I wrote:
If Microsoft has merely taken a DER-encoded object from another standard
and has incorporated it into a cert extension, that seems fine to me.
I hope they did it in such a way that existing BER/DER parsers of the
sMIMECapabilities attribute can just parse the extension body directly.
On 2009-06-22 15:10 PDT, Kyle Hamilton wrote:
https://wiki.mozilla.org/images/c/ce/BuiltIn-CAs.pdf
Am I correct in inferring that to the best of your knowledge, if a root
does not have a bug number associated with it, it is a legacy root (one
that was inherited from Netscape/AOL)?
I don't
On 2009-06-01 06:31 PDT, Jan Schejbal wrote:
I did of course google and I did find the site you linked, but it did
not help me much, as I found no information what has to happen
server-side (or links to such information). I understand that the key is
generated, stored and a
On 2009-05-28 14:02 PDT, Kyle Hamilton wrote:
Nelson, a question for you: Which extendedKeyUsage OIDs are checked
for each of the three trust bits? Is this part of PSM, or NSS?
The answer is found in this web page:
http://www.mozilla.org/projects/security/pki/nss/tech-notes/tn3.html
Since
VinuT wrote, On 2009-05-22 16:26 PDT:
We are using NSPR/NSS for SSL communication on Solaris8.
Right now, we are using it as a client to communicate to another SSL server
running on windows.
However my PR_Read call returns with 0, when its called a second time.
The first calls succeeds and
Eddy Nigg wrote, On 2009-05-21 15:15:
On 05/21/2009 03:46 AM, Nelson Bolyard:
Also related, in bug #490895 VeriSign has requested inclusion of the
SHA-1 version of their roots to replace the corresponding old MD5
version of their roots. At the time of inclusion of the SHA-1 version
On 2009-05-20 13:58, Kathleen Wilson wrote:
When processing a cert chain, does Mozilla use a specified algorithm/
order for determining which root to use when there are two roots
included that are identical except for signature algorithm and serial
number?
The algorithm for choosing from among
Eddy Nigg wrote, On 2009-05-18 19:28 PDT:
On 05/19/2009 05:15 AM, Nelson B Bolyard:
Eddy Nigg wrote, On 2009-05-18 18:38 PDT:
I'll create also the missing patch for Cybertrust and/or upon advise a
mega patch of all EV enablements. Errr...please advise :-)
Thanks Eddy. I see you've
On 2009-05-04 12:27, Andrews, Rick wrote:
A customer asked this question, and I couldn't answer it.
Let's say I'm a hacker with access to a public kiosk, and I want users
of that kiosk to see the EV green toolbar when they use the kiosk to
visit my hacked web site. My web site is configured
Arshad Noor wrote, On 2009-04-23 20:11:
Nelson Bolyard wrote:
The NSS team participated in the process of defining PKCS#12 precisely
to avoid the security trap of exporting private keys in PKCS#8 format.
Avoiding that trap is precisely why PKCS#12, and not PKCS#8, is THE only
format
Nelson Bolyard wrote, On 2009-04-19 22:54 PDT:
... and then into the depths of libPKIX.
Time to get out the debugger,
Even though I don't have a real test case, I did launch the debugger and
watch it go into libPKIX. At this line
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security
Neil wrote, On 2009-04-02 01:19:
Nelson Bolyard wrote:
If you have public redistributable header files that declare the MSVCRT
memory guards, please send a pointer to them. Thanks.
I can't actually find the documentation I originally read about it; this
is the nearest that I get from
Benjamin Smedberg wrote, On 2009-03-31 08:35:
On 3/30/09 5:34 PM, Nelson B Bolyard wrote:
The problem is mixing DLLs that use standard VCRT with those that use
Mozilla's modified VCRT.
As long as there are bugs in the browser of the sort that Neil has
found, developers of libraries upon
Neil wrote:
Nelson B Bolyard wrote:
I don't have a tool that makes it easy. All I did was piggy-back on a
feature of the MSVC debug heap,
Another feature of the professional package only, sadly.
I use VC2005Express...
Hmm. Perhaps it is the source code to the debug RTL that is only
Jean-Marc Desperrier wrote:
Nelson B Bolyard wrote:
The problem is in the way that Mozilla builds JEMalloc for FF on Windows.
They build a replacement for the Microsoft C RunTime Library. This
replacement is a hybrid, built in part from JEMalloc source code, and in
part from Microsoft's
Jean-Marc Desperrier wrote, On 2009-03-10 04:55:
Peter Lind Damkjær wrote:
Varga Viktor wrote:
snip
OCSP request with multiple certificate from different CA
--
The RFC has the possibility to send multiple certificate serial number into
OCSP request. It is not defined that
Vidal Pascal wrote, On 2009-02-06 00:05:
Hi,
Include all the certificates which chain from the original end-user
certificate into the PKCS7 file. Firefox should import them happily.
Maybe.
I agree with you, that's i've done. In fact, the problem is:
EE certificate contains an AIA
Jean-Daniel wrote to mozilla.dev.security on 2009-01-20 10:42 PST:
Hello, I'm trying to generate a keypair using nss, but I encounter some
issue. My key generation can take up to 30 seconds on a recent machine
(Core 2 Duo 2.2 Ghz) (most generation take less the 10 seconds, and
sometimes less
Eddy Nigg wrote, On 2009-01-21 05:16:
On 01/21/2009 03:10 PM, Michael Bell:
Do you mean that all CA certificates must be present if the card is
removed from the machine?
If the CA certificates are on the card, there are some odd behaviors.
Oh? Please tell us more.
Michael Bell wrote, On 2009-01-21 04:12:
Michael Bell wrote:
I analysed the situation and discovered that the purpose of the cert
on Windows is Client, sign, encrypt but the purpose on Linux is
unknown.
Can you see the actual contents of the cert itself inside FF's certificate
manager
Michael Bell wrote, On 2009-01-21 05:36:
I think we or better I should stop here. OpenSC clearly announced that
CardOS V4.3B is only supported if the card was created with OpenSC. So
you were hundert percent right. It looks like only the error message is
not fully correct. I read on an OpenSC
Gervase Markham wrote, On 2009-01-20 20:33:
Nelson B Bolyard wrote:
In Mozilla products, no roots have ever been SGC enabled.
Some roots were, and still are, marked as trusted for SSL Step Up.
Here's a list.
Is the marking internal to or external to the cert? The fact that you
say no certs
Gervase Markham wrote, On 2009-01-19 14:11:
Does anyone know where I can find a definitive list of browsers for whom
SGC is helpful? That is to say, a list of browsers for which, if I
connected to a site with an SGC certificate, would provide a higher
grade of encryption than if I connected to
Michael Ströder wrote, On 2009-01-15 08:23:
Johnathan Nightingale wrote:
You may also be interested in the work on OCSP-stapling, so that no
third party learns about your browsing, but you still get a CA-signed
OCSP response. The CAs are interested in this too, since it takes the
load
Robert Relyea wrote:
Martin Paljak wrote:
Thanks for tips! Could you point me to the line in spec where it says
that slots can only be added. I cant find the place where it forbids
removing.
That's what I get for not checking the spec after the meeting in which
we discussed this. The
Ian,
Previously in this thread, you wrote:
For me, the purpose of this debate is finding out what users can expect from
Mozilla by way of security.
The answers to that quest probably include these properties:
- open, openly specified, not secret,
- inner workings subjected to public scrutiny.
fat.fuck wrote:
first off: i am but a humble java programmer by trade; not a sysadmin;
nor a network guy. so a lot of nss tool-related stuff is a foreign
language to me. please, help a certutil rookie make sense of the
world?
Welcome.
using openssl, i created a self-signed ca cert (and
ff wrote:
i remembered what documentation instructed me to use $HOME/.netscape/
cert7.db. it was sun's Sun ONE Server Console 5.2 Server Management
Guide. the chapter on Using SSL and TLS with Sun ONE Servers:
http://docs.sun.com/source/816-6704-10/ssl.html#22531
Copy the Netscape
Wolfgang Rosenauer wrote:
Wolfgang Rosenauer schrieb:
Are you trying to use NSS_InitWithMerge to create a new cert9.DB
where none existed before?
Yes. NSS_InitWithMerge is used regardless of an existing cert9.db (and
even cert8.db). The conversion function uses pretty much what is on
Eddy Nigg wrote:
On 11/19/2008 05:52 PM, Anders Rundgren:
In the meantime, wouldn't it be of some value if Mozilla tried to
satisfy a PKI-
related activity that in number of users, already is much bigger than
S/MIME,
i.e. the concept of Web Signing?
What is this supposed to be? Perhaps I
Robert Relyea wrote:
Typically
needsUserInit means there isn't a password record in your key database.
Without this you can not store any keys. The difference between 'not
initialized', 'doesn't have a master password', and 'has master a
password' is as follows:
1) 'not initialized' ---
Wolfgang Rosenauer wrote:
This was a new profile actually. And yes, the database which reveals
this issue isn't complete it seems. I removed it and created a new empty
one using certutil -d sql:. -N and now Firefox works correctly.
It is possible that code that uses NSS in ways not tested by
Anders Rundgren wrote:
IM[NS]HO, S/MIME encryption using PKI is one of the biggest security farces
ever. Even the use-case is often wrong. Somebody representing e-Health
once described for a big audience how S/MIME encryption could be used to
exchange private medical information between a
Anders Rundgren wrote:
I haven't followed this lengthy discussion in detail but I have for a long
time wondered how DNSSEC and SSL-CA-Certs should coexist.
Which one will be the most authoritative?
Could DNSSEC (if it finally succeeds) be the end of SSL-CA-certs?
DNSSEC only attempts to
David E. Ross wrote, On 2008-11-05 16:10:
I'm having a problem with a credit union's Web site (which prompted my
other message IP Address Question in mozilla.support.seamonkey).
Sometimes when I access the site's home page -- which is https --
everything is okay; a secure session is
Balaji Kamal Kannadassan wrote, On 2008-10-31 04:24 PDT:
We have a valid certificate and I signed my jar file with the jarsigner
when I open it using jar:!/prefstryjs.html I am getting below error. I
ran out of options, please any help on the same would be great.
Error:
--
David E. Ross wrote, On 2008-11-01 11:16:
One financial institution where I have an account changed to an EV cert
two days ago. Does SeaMonkey 1.1.12 have the NSS to support EV certs?
EV was a new feature of FF3. It relies on a new version of NSS, NSS 3.12
but most of the work to support EV
Frank Hecker wrote:
* OCSP. My understanding is that the Microsec practice of having a
separate root for OCSP is very problematic, particularly given the
inclusion of AIA extensions with OCSP URLs in end entity certificates.
As I understand it, Microsec is removing AIA extensions with OCSP
[EMAIL PROTECTED] wrote, On 2008-09-29 05:43:
Hi there,
I am trying to tie off an embedded browser using XulRunner 1.8/Firefox
2 with XPCOM.
tie off. I like the birth metaphor. :)
I have created a user keystore and can get a user to
import a client side X.509 certificate from a PKCS12
capricieuse wrote, On 2008-09-24 05:04:
I am developing an application for signing Web Formular and i m using
a UsbToken to get to the Private Key.
I what that my application connecte from the server side to client
side and load information from the Token to the server where the
signature
Ian G wrote, On 2008-09-24 05:12:
Nelson B Bolyard wrote:
Ian G wrote:
Nelson B Bolyard wrote:
The curiosity here is that the Certificate Policies extension may
not be shown prominently by software. As the point of the cert is
to make some claim to the user, and the essence of that claim is
Previously I wrote that one can create a PEM file containing all of
Mozilla's trusted roots with a simple shell script.
One can get a simple text list of those root cert's nicknames.
Here's a simple (?) shell script to do it. It uses NSS's certutil
program. It first produces a text file
In a Network World column,
http://www.networkworld.com/community/node/31124
the author writes:
At Black Hat ‘08 there was a great demonstration of how valid “internal
testing only” FQDN certificates for URLs that you don’t control can be
obtained by anyone asking. The one obtained by the
Wan-Teh Chang wrote:
On Tue, Aug 19, 2008 at 5:40 PM, Nelson Bolyard
[EMAIL PROTECTED] wrote:
In a Network World column,
http://www.networkworld.com/community/node/31124
the author writes:
At Black Hat '08 there was a great demonstration of how valid internal
testing only FQDN
F. wrote:
Anyone test Firefox 2 with client certificate + OCSP flag and
verification enabled?
To me, internal error . I do not know if this is a bug.
We need more info than that to be able to provide any meaningful reply.
I gather that you viewed your cert using the certificate manager, and
fercufer wrote, On 2008-08-13 06:52:
SignerInfo crashes firefox 3 in Windows. Below I put the code and the
log files with Firefox 3.0.1
I have found a page about this bug.
http://support.mozilla.com/tiki-view_forum_thread.php?locale=ltforumId=1comments_parentId=86104
But there isn´t valid
Subrata Mazumdar wrote, On 2008-08-12 20:30:
I have a certificate based mutually authenticated session between the
browser and a web server.
I would like to find out the certificate used presented by the browser
using a programmatic API.
I gather that you want to do this in the browser?
Or
Nelson Bolyard wrote, On 2008-08-12 22:59:
I didn't understand that very well, but I _think_ you're saying that if
adding a CA cert that trusted to issue client certs causes that CA to also
be trusted to issue server certs, that would be bad.
Indeed, that would be bad, and it definitely
Howard Chu wrote, On 2008-08-12 19:12:
That was the other point I was trying to make about global state... It's
common practice to set up services with private CAs, so that random nosy
clients cannot connect to them. In an OpenLDAP proxy installation you'll
have one server cert/key and
bmo wrote, On 2008-08-12 11:41:
I've posted a PNG of the chain of trust as reported by the browser to
http://www.tryventi.com/certissue/onehub_cert.png
That shows your cert to be valid. That's all that matters, with respect
to your cert.
You originally reported an error message that said:
Julien R Pierre wrote on 2008-08-12 16:53 PDT:
Robert Relyea wrote:
SECMOD_OpenUserDB() will open new database slots in the internal
database module.
Unfortunately, those additional DBs can't be manipulated separately.
huh?
- key gens can be done in each one separately,
- certs can be
bmo wrote, On 2008-08-12 19:36:
I just pulled out a Windows Vista Machine -- with Firefox 2.0.15, and
hit the page with our signed java applet on it -- SUCCESS -- I am
provided a prompt that says the applet verified, do I want to run the
code?
I then installed FF 3.0.1 on the Vista machine.
Gordon.Young wrote, On 2008-08-07 10:07:
the interesting thing is that even though the entire chain is passed
during SSL handshake, Firefox does not find the issuer of the EE
issuing CA's certificate. on this test server we are sending EE
CertIssuing CACross certificateGTE Root.
It looks
Nelson Bolyard wrote, On 2008-08-03 21:05:
David Allan wrote, On 2008-08-02 19:43:
would you like me to file a bug against that?
Yes, please. You can put this text into the bug report, if you'd like.
I filed this bug about the issue:
https://bugzilla.mozilla.org/show_bug.cgi?id=449087
David Allan wrote, On 2008-08-02 19:43:
PK11_PubWrapSymKey(CKM_RSA_PKCS_OAEP,
RSAPublicKey,
UnwrappedKey,
WrappedKey);
I'd guess that call failed, right?
Or are you using some third party PKCS#11 module that implements it?
NSS's
Daniel Stenberg wrote, On 2008-07-26 13:45:
As a user of OpenSSL, NSS, yassl and GnuTLS I can certainly agree that
GnuTLS has flaws in its API but NSS most certainly also has flaws as well
_and_ notable missing features that GnuTLS offers.
Daniel, please tell us what features are missing that
David Sadler wrote:
I am trying to enable crypto hardware support on an IBM z/Series system
running Linux.
Is this IBM linux? Red Hat Linux? or ?
(I ask because I know that Red Hat Linux supports mod_nss in Apache, but
I was not aware that it was also being used in any IBM Linux. That
Wan-Teh Chang wrote:
NSS doesn't allow importing or exporting of *unencrypted* secret
or private keys in FIPS mode.
This is not an issue for SSL because the incoming premaster secret
from the *client* is encrypted with the server's RSA public key.
If you really have to import an
Ruchi Lohani wrote, On 2008-07-21 11:53:
Was just wondering whether there is a bug number in the mozilla bugs for
this issue -
https://bugs.launchpad.net/ubuntu/+source/firefox/+bug/108929
I am continuously getting the same crash on firefox with the following
trace -
#1 0xb7f0de38 in
Kyle Hamilton wrote, On 2008-07-03 19:51:
https://www.paypal.com/cgi-bin/webscr/cgi-bin/webscr?cmd=_ssrreturn=http%3A%2F%2Fpaypal-cgi-bin.s6.pl/?cgi-bin.webscrcmd=_login-run.webscrcmd=_account-run.DisputeTransactionID.2LC956793J776333Y
This is a valid PayPal URL that issues a redirect to an
Robert Relyea wrote, On 2008-07-02 14:03:
Bruce Keats wrote:
Hi,
I started using firefox 3 and I am now getting errors connecting to
intra-net sites that were OK in firefox 2. We have our own intra-net
and we have a CA that issues server certs and user certs. I have
loaded the CA
Someone has recently suggested to me that one of the CAs now included
in Mozilla's list of trusted root CAs actually has the practice of
generating key pairs (including the private key) for their subscribers
and delivering the private key and associated cert chain to the
subscriber in a PKCS12
Gervase Markham wrote, On 2008-06-30 04:59:
Nelson Bolyard wrote:
Do we really want to allow this?
Should this at least be a question that CAs must answer as they apply
for cert inclusion or EV status upgrades?
At a minimum, please add it to the Questionable CA practices document
I wrote:
2. Mozilla's trademark policy says that if you change certain things
about Mozilla in your own build or packages, then you cannot release
your build using Mozilla trademarks (e.g. the Firefox brand name).
The set of trusted root CA certs is one of those things, I believe.
See
I'm working on some code to handle the Issuing Distribution Point
extension in CRLs. Before I commit it, I'd like to test it with some
live CRLs from real CAs, CRLs that have that extension. Trouble is,
I haven't been able to find any live CRLs that have that extension.
Anybody know of a CA
1 - 100 of 226 matches
Mail list logo
