Re: Proposal to Change the Default TLS Ciphersuites Offered by Browsers
On 13/09/13 04:52, Julien Pierre wrote: snip Some servers also ignore the order of cipher suites in the Clienthelo anyway in some cases, and choose whatever they prefer among the client cipher suite list regardless of order, even though this doesn't follow the TLS specs. Julien, I disagree that this doesn't follow the TLS specs. RFC5246 (Section 7.4.1.2) says (emphasis mine): The cipher suite list, passed from the client to the server in the ClientHello... If the list contains cipher suites the server does not recognize, support, *or wish to use*, the server MUST ignore those cipher suites, and process the remaining ones as usual. -- Rob Stradling Senior Research Development Scientist COMODO - Creating Trust Online -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Proposal to Change the Default TLS Ciphersuites Offered by Browsers
On 2013-09-12 23:11, Stefan Arentz wrote: How about mobile? Mobile is not an issue. Updated table that contains speed test on Android with an ARMv7 (Galaxy S3): http://jve.linuxwall.info/ressources/taf/aesmeasurements.txt You can see that the ARM7 does AES-{128,256} in the 50 to 70MB/s range. I was actually surprised by the results, I had no idea ARMs cpus could compute AES that fast, and all in software since there's no AES-NI in ARM (yet...). What about the initial key exchange that SSL/TLS does? I thought that was the biggest CPU killer? Absolutely. And that's still true. I'm only discussing AES-128 vs AES-256 here. - Julien -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Need to use the main NSS module as a PKCS#11 module in IBM Notes
On 09/11/2013 05:52 PM, Kyle Hamilton wrote: Elio, Thanks for responding. IBM Notes reports that the path is invalid. Is there a requirement that softokn3.chk be in the current working directory? -Kyle H softokn3.chk should be in the same directory as softoken. Softoken asked the OS where it was loaded from and then looks for the .chk file in the same directory. NOTE: it's only needed when in FIPS mode. NOTE2: While it's possible to use softoken directly in your library, it's recommended that you actually use the NSS interfaces. NSS does not export a PKCS #11 interface, it uses it to get access to crypto. Softoken was written to support the NSS need for crypto and keys, and as such does not always have a compliant PKCS #11 interface. Direct access to to softoken from applications is a best effort sort of thing. Some apps (like Java) have special code that knows about softoken and works around it's vagaries. Fixes to softoken issues that don't effective NSS use of softoken is prioritized relatively low. bob On Tue, Sep 10, 2013 at 9:24 PM, Elio Maldonado Batiz elio.maldonado.ba...@gmail.com wrote: Hi Kyle, nss3.dll is a not PKCS #11 module as it has no crypto, softokn3.ddl (.so) and freebl3.sll (.so) do. softoken is nss's own internal PKCS #11 cryptographic module which nss loads just like any other pkcs #11 module, software or hardware based. Good starter documents are https://developer.mozilla.org/en-US/docs/NSS_reference and https://developer.mozilla.org/en-US/docs/NSS#Background_Information and https://developer.mozilla.org/en-US/docs/NSS/NSS_API_GUIDELINES has a layering diagram -Elio On Sat, Aug 24, 2013 at 6:02 PM, Kyle Hamilton aerow...@gmail.com wrote: Hi, I'm finding myself in a situation where I need to use the certificates and keys stored in my standard NSS profile in other applications. My initial, naïve idea was that NSS itself is a PKCS#11 module. Unfortunately, this appears to be not the case. When trying to find the right DLL to load into IBM Notes I found that nssckbi.dll is recognized as a valid PKCS#11 module, but nss3.dll is not. (Neither are nssdbm3 or nssutil.) Is there any plan to export the NSS softoken functionality as an actual full PKCS#11 token? Or is it intended never to actually operate as such? -Kyle H -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto smime.p7s Description: S/MIME Cryptographic Signature -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: Need to use the main NSS module as a PKCS#11 module in IBM Notes
p11-kit will send all of the correct non-standard softokn3 initialization parameters for you, however I am uncertain if it compiles and links properly under windows: https://wiki.gnome.org/CryptoGlue/Integration#NSS_libsoftokn3 On Wednesday, September 11, 2013 10:09:37 PM UTC-4, Kyle Hamilton wrote: relyea or other contributors to https://developer.mozilla.org/en-US/docs/PKCS11_FAQ : Can you please give some references to the other products [which] have managed to get it to work in their environment? Thanks. -Kyle H On Wed, Sep 11, 2013 at 6:10 PM, Kyle Hamilton aerow...@gmail.com wrote: Is the PKCS #11 module supplied with NSS accessible through a shared library? Yes, the token is call softokn3 (softokn3.dll on windows, libsoftokn3.so on most unix platforms). The NSS softokn3 is not a complete PKCS #11 module, it was implemented only to support NSS, though other products have managed to get it to work in their environment. There are a number of bugs against softoken's non-compliance, but these bugs have lower priority than fixing NSS's non-complient uses of PKCS #11 or adding new features to NSS. On Tue, Sep 10, 2013 at 9:24 PM, Elio Maldonado Batiz elio.maldonado.ba...@gmail.com wrote: Hi Kyle, nss3.dll is a not PKCS #11 module as it has no crypto, softokn3.ddl (.so) and freebl3.sll (.so) do. softoken is nss's own internal PKCS #11 cryptographic module which nss loads just like any other pkcs #11 module, software or hardware based. Good starter documents are https://developer.mozilla.org/en-US/docs/NSS_reference and https://developer.mozilla.org/en-US/docs/NSS#Background_Information and https://developer.mozilla.org/en-US/docs/NSS/NSS_API_GUIDELINES has a layering diagram -Elio On Sat, Aug 24, 2013 at 6:02 PM, Kyle Hamilton aerow...@gmail.com wrote: Hi, I'm finding myself in a situation where I need to use the certificates and keys stored in my standard NSS profile in other applications. My initial, naïve idea was that NSS itself is a PKCS#11 module. Unfortunately, this appears to be not the case. When trying to find the right DLL to load into IBM Notes I found that nssckbi.dll is recognized as a valid PKCS#11 module, but nss3.dll is not. (Neither are nssdbm3 or nssutil.) Is there any plan to export the NSS softoken functionality as an actual full PKCS#11 token? Or is it intended never to actually operate as such? -Kyle H -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto