Hello,
There seems to be a possible problem with the SSL implementation used in Google
Drive on MacOS 10.8.2. It seems that this SSL implementation is NSS - please
let me know if you know that Google Drive uses a different SSL implementation
and I should direct this question elsewhere.
Packet
I can provide PCAP files by e-mail, if needed.
Peter
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
suites are supported only on the
client and not on the server.
Is server support for these ciphers just not implemented yet or is
there some issue that blocks such implementation?
Best Regards,
Peter Djalaliev
is hidden and not advertised publicly.
Best Regards,
Peter Djalaliev
On Mar 29, 11:11 am, Jean-Marc Desperrier jmd...@gmail.com wrote:
Jean-Marc Desperrier wrote:
Article on Wired here :
http://www.wired.com/threatlevel/2010/03/packet-forensics/
The original article is well worth reading
To
prevent case 2, CAs are supposed to keep their certificates safe and
revoke them if a suspicion arises that the key is not safe.
Or rather, CAs are supposed to keep their private keys safe, not their
certificates.
In the case of Netronome's SSL Inspector, if the device replaces
bankofamerica.com's server certificate in the SSL handshake, the new
certificate does _not_ have CN=bankofamerica.com. It is also not
signed by a root CA. Hence, Alice should be fully aware of the man-in-
the-middle and could
It is our standard security nightmare. Side A thinks it is Side B's
problem. Side B thinks it is Side A's problem. In the meantime the
user doesn't use the tech because it doesn't work, and the sides are too
busy arguing to solve the problem. So zero security is delivered.
In this case,
...
Best Regards,
Peter Djalaliev
The weakness was discovered when we looked at AES as a hash function,
and tried to find weaknesses that are specific for hash functions. We
think that most cryptographers used only blockcipher-oriented
techniques, against which AES was well protected by the designers.
All this quote says, I
/new_attack_on_a.html
Some of the new SHA-3 algorithm candidates may be affected, too...
Best Regards,
Peter Djalaliev
algorithm
input data may be related, which may make related-key attacks plausible
against those SHA-3 candidates.
The authors have not shown that the attack is effective against AES-128.
However, in many real-world applications, such as TLS, AES-256 is still more
secure than AES-128.
Best Regards,
Peter
-friendly functions, such as
wrapping symmetric keys and a more secure random number generator, that
Trousers' may directly use in its PKCS#11 module, but a lot of PKCS#11
functionality is not provided by the TPM and has to be implemented in
software.
Best Regards,
Peter Djalaliev
Hello,
Does anybody know if there is an SSL/TLS module for nginx implemented
using NSS? The module that ships with nginx uses OpenSSL. I didn't
find anything on Google.
Best Regards,
Peter Djalaliev
due
to some other controversies.
Will there be any problems in querying the nsISSLStatus interface
within http-on-examine-response ?
regards
Arun
On Jun 26, 8:08 pm, Peter Djalaliev peter.djalal...@gmail.com wrote:
Arun,
One way is to register a nsIStreamListener using
3.0.3.. For
earlier versions, I don't know if there is a way to get the
nsISSLStatus. From what I can see in the Firefox source code, only
the module that initiated the HTTPS request can get this information.
I hope this helps.
Best Regards,
Peter Djalaliev
On Jun 26, 2:40 am, MAK arungene
the certificate.
I hope this helps.
Best Regards,
Peter Djalaliev
On Jun 25, 12:50 am, MAK arungene...@gmail.com wrote:
Hi all,
My requirement is to fetch a website's SSL server certificate. For
this I need the nsIChannel, so that I can use the securityInfo
option.
I need to fetch nsIChannel
.
Best Regards,
Peter Djalaliev
On Jun 1, 9:31 am, Jan Schejbal jan.schejbal_n...@gmx.de wrote:
I did of course google and I did find the site you linked, but it did
not help me much, as I found no information what has to happen
server-side (or links to such information). I understand that the key
to import private keys into the Firefox key/cert database?
As far as I know, the FF database is normally protected with a master
password. What operation exactly requires providing this password?
Regards,
Peter Djalaliev
that
adding your own rogue EV CAs defeats the purpose of having EV
certificates issued by CAs that conform to established EV policies.
I would like to reiterate the question they asked you in the OpenSSL
users forum: what are you trying to accomplish by adding your own EV
CA cert?
Regards,
Peter
certificate (along with the private key) into the NSS database.
Regards,
Peter Djalaliev
in order to generate a DH SSL
certificate using NSS? Does NSS also have an API to generate the DH
parameters?
Regards,
Peter Djalaliev
Hello,
I tried connecting to http://suppliers.intel.com (which redirects to
https://supplier.intel.com/supplierhub) from Firefox 3 and IE7 and saw
two different certificate chains when I tried to view the server
certificate. IE7 recognized the root certificate as coming from a
trusted issuer,
The correct initial URL is http://supplier.intel.com, redirected to
https://supplier.intel.com/supplierhub
Ah, I see. From what I can see in the RFC, this usage is not really
forbidden, but not really standard either. Generalizing my question,
what kind of X509v3 extensions does NSS currently support? I am aware
that CAs often use these extensions in less-than-standard ways :)
Peter
On Jul 23,
software token code.
Frankly, I'm not sure how to deal with that.
Does anybody have experience with trying to statically compile
applications that use NSS on the Linux platform? How did you proceed?
I welcome all tips :) Thanks!
Regards,
Peter Djalaliev
of hardware that they need to use properly in order to
preserve security. As we see from previous messages in this
discussion thread (blindly accepting self-signed certificates), users
do not properly execute security-sensitive actions.
Regards,
Peter Djalaliev
On Aug 27, 2:41 am, Nelson B [EMAIL PROTECTED] wrote:
Peter Djalaliev wrote:
I don't know what you mean by full-blown TPMs. I assume that for you,
full-blown TPMs = Big Brother. I don't buy into this completely,
however.
TPM-enabled systems are still under implementation
Now, when I send my sensitive data to that party, that party could always
turn around and give my data to my enemies, put it on a road-side
billboard, or disseminate it in various ways of which I don't approve.
Having an authenticated certificate doesn't assure me that the party won't
do
Mariano,
You can use the NSPR logging macros from within any Mozilla code in
conjunction with the NSPR_LOG_MODULES and the NSPR_LOG_FILE environment
variables.
Please refer to the NSPR documentation on the subject:
http://www.mozilla.org/projects/nspr/reference/html/prlog.html
Regards,
Peter
The subject of this ought to have been
Re: Email certificate from TPM does not show up in Thunderbird
Funnily enough, one of the other applications that Infineon list as
supporting their product is ... Netscape Communicator!
http://www.infineon.com/cgi-bin/ifx/portal/ep/channelView.do?channelId=-84614channelPage=%2Fep%2Fchannel%2FproductOverview.jsppageTypeId=17099
Regards,
Peter
Subject: Email certificate from TPM does not show up in Thunderbird
(or My shy certificate revisited)
From: Stephen Gryphon [EMAIL PROTECTED]
Date: Fri, 30 Mar 2007 11:00:13 +1000
To: dev-tech-crypto@lists.mozilla.org
G'day,
I am suffering from what appears to
Jana,
pk12util is part of the utilities that ship with a NSS release. You
can find the NSS Release Directory here:
ftp://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/
You have a choice between downloading source code or pre-compiled
binaries.
If you download the source code, you can
Jana,
If you look in the JSS Release directory, JSS 3.4 has a pre-compiled release
for Linux2.4, as well as source code. JSS 4.2 has pre-compiled releases for
Linux 2.4 and 2.6. I don't know why JSS 3.7 has only a build for the HP-UXB
platform.
Would these work for you?
If you want to use
Jana,
I found mine at:
C:\Documents and Settings\my-user-name\Application Data\Mozilla
\Firefox\Profiles\random-profile-name
Whatever the directory is, you need the following files: cert8.db,
cert3.key and secmod.db (certificate db, key db, security module)
Regards,
Peter
cert3.key and secmod.db (certificate db, key db, security module)
I meant key3.db, cert8.db and secmod.db
Regards,
Peter
Jana,
These dynamic libraries are NSPR libraries and I'm surprised that they are
not part of the NSS release.
You can get a NSPR release from:
ftp://ftp.mozilla.org/pub/mozilla.org/nspr/releases
I guess you downloaded a pre-compiled NSS package, right? If you compile
NSS from scratch, I think
Sure Anders,
Here is an additional piece of documentation:
http://www.xulplanet.com/references/xpcomref/group_XMLSchema.html
The implementation of this interface is in nsSchema:
http://lxr.mozilla.org/mozilla1.7/source/extensions/webservices/schema/src/nsSchema.cpp
Apparently, Mozilla has
...and some documentation on the Mozilla SOAP scriptable API:
http://lxr.mozilla.org/mozilla1.8/source/extensions/webservices/docs/Soap_Scripts_in_Mozilla.html
Regards,
Peter Djalaliev
Hello,
I think I am missing something here because this really should work.
So, I have four buffers of unsigned bytes: a digest, the digest's
signature, a public key modulus, and a public key exponent. The
digest was signed using the private key corresponding to that public
key.
I tried to
Found it. Thanks anyway.
. embedded apps)
Given this, we can also write a nice documentation module on
debugging NSS in the NSS documentation wiki that Wan-Teh maintains.
What do you all think about that?
Regards,
Peter Djalaliev
On Mar 8, 12:16 pm, Pedro DeKeratry [EMAIL PROTECTED] wrote:
Our device implements
Here are my doubts about the easiness of this:
Let's say you use the FTP implementation in Firefox (I assume you want to do
this). When you attempt to initiate an FTP connection, Firefox's FTP
code will attempt to establish a socket connection using the socket objects
provided by
Has Secure FTP been standardized? I can't seem to find any sort of an
RFC or another standard to do with Secure FTP.
Is the sFTP you are talking about more than just FTP over an SSL
connection?
If it is not, then it might not be too hard to implement this secure
FTP through an extension.
If
When you call GetUniqueIdentifier(), does unique imply that the
identifier will be unique for that layer name, or that the identifier
will just be unique among the identities issued so far? I wasn't
familiar with the semantics of this function and assumed the latter.
I agree that the
Sorry for replying late on this thread...
ssl_FindSocket first checks the identity of the layer, so
it seems that it should fail with the PR_BAD_DESCRIPTOR_ERROR
if it receives a non-TLS
PRFileDesc:http://lxr.mozilla.org/seamonkey/source/security/nss/lib/ssl/sslsock
220
Well,
Due to the changes I made to my code I am now able to do it. I am
doing this from within the mod_nss Apache module, which actually
stores a pointer to the SSL file descriptor when it layers it upon the
original TCP fd.
Otherwise, if I weren't to do it within mod_nss, Nelson's idea about
Hello,
Given only a NSPR file descriptor, what would be the correct way to
see if:
1) TLS functionality has been layered on the file descriptor stack?
2) The TLS handshake has been done with the host on the remote end of
the socket connection?
For 1), can I use the PR_GetDescType() from the
Yeah,
I agree with David. I don't know if there is a make install feature
in the NSS build system (I don't remember, I think I couldn't find one
when I first started using NSS). I copy the header files and shared
libraries of my NSS builds manually to /usr/include and /usr/lib.
After you build
I think the answer to your question is that you can only sign and
verify text (for signing forms), as well as generate RSA keys (for the
key generation mechanism embedded in HTML). Most NSS functionality is
not exported to Firefox. Any functionality that is exported is done so
through the PSM
Hello,
I see that NSS 3.11 features a framework (in development) for client
hello extensions, but server hello extensions are not used. Are there
plans to extend the framework to allow server hello extensions, too?
Regards,
Peter
John,
There is a password for the Mozilla store, which protects the private
keys stored inside. The password is used to wrap a private key, which
is then used to access the private keys stored in the Mozilla db. I
don't remember the exact details, do you need them?
There might be additional
Alex,
mod_nss is available here :
http://directory.fedora.redhat.com/wiki/Mod_nss
and some additional documentation is available here:
http://directory.fedora.redhat.com/docs/mod_nss.html
If you are running mod_ssl and are using NSS's crypto library, you
might be much better off running
Nelson,
Thanks for the great reply! This gives me a much better idea of the
behavior of the code :)
I erroneously assumed the connection between SECWouldBlock and
PR_WOULD_BLOCK_ERROR (I read the notes.txt file a while ago...). Also,
a function in the NSS code would in some cases check if a
Alex,
I think this basically means that NSS_SetDomesticPolicy() or
NSS_SetExportPolicy() is trying to flag an unimplemented cipher as
SSL_ALLOWED. You shouldn't be getting this error because the table in
sslsock.c that NSS_SetDomesticPolicy() / NSS_SetExportPolicy() get all
ciphers from contains
Hello,
I have a question about what happens when the first SSL handshake on a
SSL connection tries to gather data from a socket that would block
(e.g. there is no data to be read yet).
I am using the SSL3 implementation on a Linux platform.
So, in Do1stHandshake(), the next handshake function is
Hello,
I don't know about the release notes (I suspect these are the newest
ones), but here are some build instructions that should work. They
haven't really changed as far as I know:
1) Download the NSS and NSPR source tarballs from their respective
release dirs:
Nelson,
I completely agree with you about this not having to be a priority.
Code transparency is definitely important, ambivalent/outdated code can
cause the introduction of new bugs down the road, but it's eventually
up to the NSS maintainers/contributors to decide what has higher
priority.
Nelson,
Thanks for your reply :)
What is the ss->securityHandshake used for?
I think it may now be unused. I think it was part of the old SOCKS
implementation that was abandoned.
This probably doesn't matter as much, but ssl_SecureConnect sets the
handshake function using
Hello,
I have a question about something I don't understand in the SSL
implementation of NSS.
When ssl_Do1stHandshake is called, it checks three handshake function
pointers in the sslSocket struct: handshake, nextHandshake and
securityHandshake. What is the difference between the three?
I can
Hello Carlos,
I don't claim to be the authority on this, but you can read the last
three messages of this thread:
http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/298e0723330e9697
From what Anders and Kyle say, I get the impression that signText is
the only
Nelson Bolyard wrote:
I would expect that these details all go on beneath the PKCS#11 API layer,
and are all hidden inside of the PKCS#11 module. I suspect that the wrapped
keys (wherever they physically reside) still appear as PKCS#11 objects in
the PKCS#11 slot or token, and would be
Oh, well, I understood that Dave used his Mozilla browser only to
navigate to the CA website and click the Buy Now button, not to
generate his own private key and CSR.
Can Firefox generate private keys? I thought that none of the NSS
functionality (except for signing and verifying text) was
Nelson Bolyard wrote:
You generated the key pair on a PC that didn't have the TPM chip.
So the private key couldn't have been generated in the TPM chip,
and when you generated it, mozilla (FF/TB/SM) didn't ask you which
device you wanted to use to generate the keypair because, on that
More information on how the TPM enables protected storage can be found
starting on p. 145 of the TCPA specification (v. 1.1):
https://www.trustedcomputinggroup.org/specs/TPM/TCPA_Main_TCG_Architecture_v1_1b.pdf
Regards,
Peter
ftp://ftp.compaq.com/pub/products/security/embedded_security_-_implementation.pdf
...and as the ProtectTools implementation white-paper explains, their
Embedded Security Manager uses the TPM to create wrapping keys, which
are then used to encrypt the private keys of the user. The wrapped
keys are
I am modifying mod_nss to implement TLS upgrades (RFC2817) to use in a
special-purpose web client-server system. In fact, I think the
modifications to mod_nss are done, but I am not yet done with
implementing TLS upgrades in Firefox, so I haven't tested the mod_nss
modifications.
As we discussed
So there is a patch for including the Hello extension? Where can I find it?
Is it in some kind of a nightly build or in the CVS directory?
Thanks :)))
Peter
Before, I heard somebody talking on this mailing list about developing a
framework for using TLS extensions within the NSS implementation of TLS.
Does anybody know how this is going? Do the ECC cipher suites for TLS and
the Server Name Indication mentioned about use this framework or do they use
Hello,
I see in the NSS code that RedoHandshake, for example, sends a Hello
request handshake message, but some handshake-initiating functions
(e.g. ForceHandshake) do not. Instead, the server just starts waiting
to receive data from the client (I assume a Client hello message).
Why is the
Hello,
I am having an issue with SSL_ConfigMPServerSIDCache on a Fedora Core 5
with 2.6.16 kernel. On a Unix machine, SSL_ConfigMPServerSIDCache
calls LaunchLockPoller, which starts LockPoller() in another thread to
poll the cache for expired locks. However, the cache pointer that
LockPoller
I think this deserves a new topic :)
The goal of this topic is to get a wide range of opinions about the
current status/problems of SSL/TLS upgrades. I saw an old, very
long discussion about TLS upgrades as specified by the much disliked
RFC2817 :) I have been meaning to post something here to see if
the same arguments and concerns
Well, let me see if I can explain it better:
The Apache web server is sending a certificate request handshake message. The client receives it, calls the certificate callback function (which fails) and then sends an empty certificate, which is handled on the server side.
(I was wrong before when I
Hello Aditya,
What problems exactly are you having?
Did you see the Build documentation?
http://www.mozilla.org/projects/security/pki/nss/nss-3.9/nss-3.9-build.html
You can either follow this documentation or you can just download the NSPR and NSS source code tarballs
Hello,
Has anybody tried to verify under NSS the signature of data signed under OpenSSL and vice versa? Assuming the same RSA public key (modulus and public exponent) and the same signature algorithm (RSA signature with PKCS#1 padding and SHA-1 message digest), we should be able to sign a buffer of