On 02/08/2012 04:20 PM, Brian Smith wrote:
However, I don't think we should reject Google's improvement here because it
isn't perfect. OCSP fetching is frankly a stupid idea, and AFAICT, we're all
doing it mostly because everybody else is doing it and we don't want to look
less secure. In the
On 02/23/2012 11:52 AM, Kai Engert wrote:
As soon as the certificate has been revoked, the domain owner is able
to obtain an OCSP response for the rogue certificate. The domain owner
could configure their server to include this OCSP response in all TLS
handshakes, even though this OCSP respo
On 03/01/2012 02:07 PM, Christopher Howard wrote:
Quick Firefox question here from one of your non-developer users: Say I
try to connect to a site over HTTPS, but I am presented with a "This
Connection is Untrusted" dialogue due to an invalid certificate
(self-signed, non-matching, etc.) If I mak
On 03/10/2012 12:23 PM, VJ wrote:
I'm porting all RSA encryption from the nss library.
I'm a newbie, may I know where C_Encrypt function under
pk11_PubEncryptRaw() function is implemented.
Also, I would like to know if anyone has ever ported only RSA related
functions?
Regards,
Vejey
What do you
On 03/24/2012 03:05 PM, VJ wrote:
I'm trying to use RSA_HashCheckSign() function to verify the message.
How are you even Linking with RSA_HashCheckSign()? It's a completely
internal function to softoken. If you want verify an RSA signature you
can use PK11_Verify(), or better yet one of the VFY
On 03/27/2012 01:00 AM, helpcrypto helpcrypto wrote:
Cough, cough...exit(CKR_OK) != return CKR_OK...cough, cough
Now cert8 is modified always (with or without our module).
Anyway, can someone tell me why cert8 is rewritten on each run/close?
Because that's how the old berkeley DB works. It's weir
On 04/04/2012 04:30 PM, Brian Smith wrote:
helpcrypto helpcrypto wrote:
IMHO, this is some that needs some clarification, as Mozilla *IS*
supporting it developing JSS but at the same time saying "we do not
support it",
Some people who are part of the Mozilla project maintain JSS. I will help
r
On 04/04/2012 05:57 PM, Wan-Teh Chang wrote:
On Wed, Apr 4, 2012 at 4:39 PM, Brian Smith wrote:
I don't know what platform JV is on, but I know on Mac OS X,
all the internal symbols in FreeBL and maybe other libraries
are exported. This is how the Firefox Sync developers got
so far in developin
On 04/30/2012 02:22 AM, VJ wrote:
Hi,
I've tested encryption, decryption, signing and verification with public
(NSSLOWKEYPublicKey) and private keys (NSSLOWKEYPrivateKey) in low level.
Big question, Why are you using private interfaces? The low level
interfaces are only for specific operations,
On 05/01/2012 12:01 PM, VJ wrote:
On Tuesday, 1 May 2012 00:46:21 UTC+8, Robert Relyea wrote:
On 04/30/2012 02:22 AM, VJ wrote:
Hi,
I've tested encryption, decryption, signing and verification with public
(NSSLOWKEYPublicKey) and private keys (NSSLOWKEYPrivateKey) in low level.
Big que
On 05/25/2012 02:52 PM, Antonio Lobato wrote:
Hey everyone,
I've run into an issue using nss 3.13.1 when attempting to use
ldapsearch to connect to a TLS openldap server and get the following
errors:
TLS: certificate [XX] is not valid - CA cert is not valid
TLS: certificate [
On 06/04/2012 08:20 AM, David Dahl wrote:
- Original Message -
From: "Denis Cormier"
To: dev-tech-crypto@lists.mozilla.org
Sent: Monday, June 4, 2012 9:10:34 AM
Subject: Firefox profile encryption
1. Assuming the user does not enter a master password, would key3.db
require further encryp
have access to the key, but do have
access to the file. This is rare, but it's easier just to protect
against the attack than to analyze if you may be vulnerable to attack.
Also don't use a stream cipher to encrypt the files (RC-4, AES-CTR,
AES-OFB, etc).
bob
On Wed, Jun 6, 2012 at
I've gotten NSS to build and mostly run the tests for Android. There are
still a number of tests failing, so the work isn't all done, but it was
a good point to snapshot what I had.
I've stuck some very rough instructions on
https://wiki.mozilla.org/NSS:Android . I'll move them to
https://deve
s. This is for 2 reasons 1) to have a
big endian platform in our regular tinderbox, and 2) have a tinderbox
test for one of the major platforms FF is already supporting.
bob
On 2012-07-06 12:54, Anders Rundgren wrote:
On 2012-07-06 10:29, ianG wrote:
On 6/07/12 16:14 PM, Anders Rundgren
On 07/12/2012 03:20 AM, Sam Laidler wrote:
Hello, hope all is well.
I want to distribute NSS without the MS redistribution package. When I read the
following, I got the impression that it should be theoretically possible:
https://developer.mozilla.org/en/USE_STATIC_LIBS
USE_STATIC_LIBS
On 07/25/2012 03:02 AM, David Woodhouse wrote:
So what I actually want is
- To fix the API to the NSS system database so it isn't insane.
Do you have any suggestions on how the API would be changed. One thing
I'm always fighting is providing an API for apps without breaking
existing apps
So what I actually want is
- To fix the API to the NSS system database so it isn't insane.
Do you have any suggestions on how the API would be changed. One thing
I'm always fighting is providing an API for apps without breaking
existing apps.
Well, *not* having to grub around for 'lib
On 07/27/2012 10:25 AM, David Woodhouse wrote:
On Fri, 2012-07-27 at 10:08 -0700, Robert Relyea wrote:
Oh, so you switch between sql:/etc/pki/nssdb and sql:$HOME/.pki/nssdb
depending on whether libnsssysinit.so exists.
It's worse than that. It's not just whether libnsssysinit.
On 07/24/2012 11:19 AM, Vasantharangan, Shruthi M. wrote:
Hi,
We require a random number generator that's FIPS2 compliant on RedHat Linux
5.6.
In the linux rpm for NSS nss-3.12.8-1.el5. I find random generation api's in
pkcs11f.h.
If I use them can I be sure that the random data generat
On 07/25/2012 02:00 PM, Vasantharangan, Shruthi M. wrote:
HI,
I am using the NSS Cryptographic Module document to use the random number
generator for FIPS2 random number. If I use the FC_GetFunctionList for
PK11_GenerateRandom and initialise with slotid as 0, then is the Mode set to
FI
On 07/25/2012 02:32 PM, Vasantharangan, Shruthi M. wrote:
Hi,
How can I run drbg test vectors provided by NIST to validate the response of
the random output for the various algorithms on NSS.
Rgds
Shruthi
Softoken 3.11.4 uses the DSA RNG and not the DRBG (that would be RHEL 6
and Softoken
to-bounces+svasantharangan=idirect@lists.mozilla.org]
On Behalf Of Robert Relyea
Sent: Friday, 27 July, 2012 3:25 PM
To: dev-tech-crypto@lists.mozilla.org
Subject: Re: RandomNumberGenerator that is FIPS2complaint
On 07/25/2012 02:32 PM, Vasantharangan, Shruthi M. wrote:
Hi,
How can run drbg te
angan=idirect@lists.mozilla.org]
On Behalf Of Robert Relyea
Sent: Friday, 27 July, 2012 6:50 PM
To: dev-tech-crypto@lists.mozilla.org
Subject: Re: RandomNumberGenerator that is FIPS2complaint
On 07/27/2012 12:34 PM, Vasantharangan, Shruthi M. wrote:
We would like to use a randomNumberGenerator on
On 07/28/2012 06:45 AM, Vasantharangan, Shruthi M. wrote:
So is the GenerateRandom which internally uses softtoken of NSS 3.11.4
generate a FIPS 140-2 level 2 random number ? I would like to make sure it's
not FIPS 140-2 level 1.
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2
On 07/31/2012 09:08 AM, Vasantharangan, Shruthi M. wrote:
Hi,
I have downloaded the source for 3.12.9 which supports the DRBG. The
fipstest tool which uses the private interface for random number generation
which calls from ~lib/freebl/drbg.c.
I notice that for a DRBG input file (got from D
On 08/26/2012 06:20 PM, Vasantharangan, Shruthi M. wrote:
Apologize. Bug number is 695571.
https://bugzilla.mozilla.org/show_bug.cgi?id=695571
Thanks
Shruthi
-Original Message-
From: Kai Engert [mailto:k...@kuix.de]
Sent: Saturday, 25 August, 2012 5:05 AM
To: mozilla's crypto code dis
On 10/02/2012 05:42 PM, Wan-Teh Chang wrote:
On Tue, Oct 2, 2012 at 7:45 PM, Michael Demeter
wrote:
Continuation would then be to eliminate any unnecessary work being
done to increase the randomness..Since the HW generated values
can be used directly. This could help a small little bit in perf
On 10/06/2012 03:34 AM, tehhzstar wrote:
Hi,
Currently, are there any code samples available that uses
PK11_SetSymKeyUserData, PK11_GetSymKeyUserData? I am trying to store
information relating to PK11SymKey:
- Start Date of when the keys were created
- End Date of when the keys will expire (t
On 11/14/2012 11:33 AM, Gustavo Homem wrote:
Hi,
There is another NSS tool named "sdrtest". Maybe that tool can help
you?
After preparing a fresh database, I ran:
sdrtest -t foo -d /tmp/sdr/ -o /tmp/bar
Afterwards symkeyutil listed a key, I'd hope that key has the correct
type, could you test
On 11/27/2012 06:11 AM, Brian Teh wrote:
Hi,
Here is the posting of partial Makefile:
# Change this to point at Thunderbird source's directory.
THUNDERBIRD_SOURCE ?= $(HOME)/comm-beta18.0-hg/src
PYTHON_PATH?= $(THUNDERBIRD_SOURCE)/mozilla/config/pythonpath.py
XPIDL_HEADER ?=
$(THUNDERBI
On 01/13/2013 02:51 AM, Sergey Emantayev wrote:
Hi all,
We are using NSS 3.12.5 in our security project. I'm interested in applying the
fix of CVE-2011-3389 in this version. Due to the project requirement we are
obligated to use a FIPS certified NSS module so we cannot move to NSS 3.13
there
On 02/14/2013 07:54 AM, David Dahl wrote:
- Original Message -
From: "Gervase Markham"
To: mozilla-dev-tech-cry...@lists.mozilla.org
Cc: "Eric Rescorla", "Brian Smith", "Brendan
Eich", "Ben
Adida", "Brian Warner"
Sent: Thursday, February 14, 2013 5:22:41 AM
Subject: Re: Web Crypto API(s
- Original Message -
> Hello,
>
> I am using NSS 3.12.6. I am trying to add different certs (with
> slightly) different nickname in my db using certutil. However I
> found, that certutil adds them with the same nick name. I have about
> 130 certificates in database and it is happening on
Whether or not ECC works is a function of the version of NSS you have. If built
by Mozilla, ECC works for signature verification and client auth out of the
box. The NSS built by red hat will not do any ECC unless you supply your own
ECC PKCS #11 module. In the latter case, then all the ECC funct
- Original Message -
> On Tue, 2013-02-26 at 17:05 -0500, Robert Relyea wrote:
> > Whether or not ECC works is a function of the version of NSS you
> > have.
> > If built by Mozilla, ECC works for signature verification and
> > client
> > auth out of
On 02/27/2013 06:26 AM, marathi...@gmail.com wrote:
On Monday, February 25, 2013 1:44:15 PM UTC-5, Robert Relyea wrote:
- Original Message -
Hello,
I am using NSS 3.12.6. I am trying to add different certs (with
slightly) different nickname in my db using certutil. However I
found
On 03/23/2013 12:00 AM, Sachin Shetty wrote:
Hi,
We are using Apache HttpClient to download files from remote server, the files
are encrypted, so we wrap a CipherOutputStream around the InputStream returned
from HttpClient.
While doing this, we always see this error the first time
On 04/01/2013 02:46 PM, Brian Smith wrote:
See https://bugzilla.mozilla.org/show_bug.cgi?id=524664 (bug 524664) and
See
https://developer.mozilla.org/en-US/docs/JavaScript_crypto/generateCRMFRequest
My understanding is that is supposed to replace
window.crypto.generateCRMFRequest.
So keygen w
On 04/15/2013 02:34 PM, Matt Yakel wrote:
Hi all, Is the "certutil" a linux tool only? I am needing to deploy
Local Security Certs to our work network (windows).
No, it can be built for pretty much any NSS supported platform. We use
it as part of the NSS tests. However, I know of no one who is
On 04/17/2013 06:28 PM, Bharath wrote:
Hi ,
We were planning on using the nss drbg model for validating the HASH_DRBG
implementation inside (nss-3.14.3/mozilla/security/nss/cmd/fipstest) .
The fipstest.c needs updating for FIPS SP800-90A testing to validate drbg .
Please refer to the followi
On 04/17/2013 06:38 PM, bratchan...@gmail.com wrote:
Hi,
The fipstest.c does not seem to support the scenario with prediction resistance
= true . The case statement for function drbg has to change if prediction
resistance is true and also the NIST request file has an additional parameter
Entr
On 04/22/2013 04:16 PM, bratchan...@gmail.com wrote:
I may have the required fipstest changes on the NSS 3.12.9.1 branch in
CVS. Your best bet is to write a bug and attach a patch to it, and
request me to review it. That will put it on a list that will eventually
get my attention.
bob
On 04/30/2013 02:28 PM, Brian Smith wrote:
Hi all,
I propose we remove the "Revocation Lists" feature (Options -> Advanced ->
Revocation Lists). Are there any objections? If so, please explain your objection.
Let me check with our group that works with the DoD. My guess is it's
probably OK.
On 05/01/2013 03:07 PM, Sean Leonard wrote:
Please, do not remove this important feature.
On 4/30/2013 2:28 PM, Brian Smith wrote:
Hi all,
I propose we remove the "Revocation Lists" feature (Options ->
Advanced -> Revocation Lists). Are there any objections? If so,
please explain your object
On 05/01/2013 08:40 PM, Brian Smith wrote:
Robert Relyea wrote:
Brian, I was under the impression you wanted to remove the CRL
autofetching feature (where you enter a URL and a fetching time and
the CRL will automatically be fetched). When I looked at the UI, it
looked like it had both the URL
On 05/02/2013 02:02 PM, Brian Smith wrote:
Robert Relyea wrote:
Oh, in that case I can say we have customers that definitely need to
use CRLs that have been loaded and stored in the database.
To be clear, I don't know of any reason to consider the processing
of already-loaded CRLs
On 05/09/2013 03:47 PM, Brian Smith wrote:
Robert Relyea wrote:
On 05/02/2013 02:02 PM, Brian Smith wrote:
So are you actually going to ship a different version of NSS with the
default Firefox, or are you going to create a switch that changes the
behavior of NSS with respect to stored CRLs (and
On 06/10/2013 02:50 PM, Gregory Szorc wrote:
- Original Message -
From: "Gregory Szorc"
To: "Christopher Howard"
Cc: "Mozilla Dev Builds" , "Brian
Smith"
Sent: Monday, June 10, 2013 6:32:14 AM
Subject: Re: No such instruction building NSS
On 6/5/13 11:46 AM, Christopher Howard wrot
On 06/17/2013 10:58 AM, Chris Newman wrote:
I'll mention one other usability issue. I am getting pressure from my
employer to stop using NSS due to the MPL 2 license. I got less
pressure when I could use NSS under the LGPL 2.1 branch of the
tri-license. Switching to OpenSSL has been suggested.
On 06/20/2013 02:56 PM, Rodney Simioni wrote:
I'm trying to setup LDAP/SSL/TLS. Somebody told me that PKCS is a moznss
issue and I should ask this question with you guys and not the openssl
group.
What OS are you running? It does look like you are using NSS.
TLS: certdb config: configDi
ldap_start_tls: Connect error (-11)
additional info: TLS error -8172:Peer's certificate issuer
has been marked as not trusted by the user.
This means that the given cert wasn't signed by any trusted certificate.
[[Rod's comment]] Can I sign it by using the CA I downloaded from
Geot
On 06/21/2013 08:13 AM, John Dennis wrote:
On 06/20/2013 01:20 PM, Johan Dahlin wrote:
[Sorry if this appears twice, the first copy got stuck in the moderation queue]
I'm investigating the use of smart card readers for my application[1],
which is also free software.
As part of the brazilian el
Third, you may need to hook the client_auth_callback as John describes
below. If your server sends the list of trusted CAs in its client
auth request, then the default client_auth_callback should be able to
find the cert on your smartcard without requiring the use of any
special hooks, bu
On 07/01/2013 03:53 AM, Stefan Scheidewig wrote:
Hello,
I added a smart card PKCS#11 module to my certdb (without specifying
any mechanisms) and I am able to list the certificates as well as the
keys within the sole token of this smart card. Within the program I am
able to login to the smart
On 05/30/2013 01:45 PM, prax.xyzc...@gmail.com wrote:
Platform/OS: CentOS release 6.3 (Final)
Linux x 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21 UTC 2012 x86_64
x86_64 x86_64 GNU/LinuxLinux
NSS Version:
nss.x86_643.13.3-6.el6
nss-softokn.x86_64
On 07/08/2013 12:00 PM, Rick Andrews wrote:
I need to remove some 1024-bit roots from Firefox’s trust store, but I realize
that these trusted roots are part of the NSS library, and that the NSS library
is used by lots of other software, not just Firefox. Removing these roots may
have far-reach
On 07/24/2013 10:55 AM, David Widen wrote:
Hi,
I'm trying to generate a certificate for an RSA key and then put it onto a
smart card using NSS. I can successfully generate the RSA key and a
self-signed certificate as well as putting that certificate on the card.
However, I am unable to stor
On 07/29/2013 06:00 PM, John wrote:
Hi,
Is it possible to import a symmetric key such that it is persisted in the
database?
Short answer: use PK11_ImportSymKeyWithFlags().
Set flags=0, and isPerm to PR_TRUE.
Longer answer:
NOTE: neither PK11_ImportSymKey() nor PK11_ImportSymKeyWithFlags() work
On 07/30/2013 02:58 PM, hv wrote:
Hi,
I was not able to open NSS on FF android. Is NSS available on FireFox on
Android?
I tried the following:
var ds = Services.dirsvc.get("GreD", Components.interfaces.nsILocalFile);
var libName = ctypes.libraryName("nss3");
ds.append(libName);
var nsslib = ct
On 07/30/2013 04:27 PM, Brian Smith wrote:
See
https://mxr.mozilla.org/mozilla-central/source/services/crypto/modules/WeaveCrypto.js#123
and https://bugzilla.mozilla.org/show_bug.cgi?id=583209
and https://bugzilla.mozilla.org/show_bug.cgi?id=648407
Oh, I didn't get that it was a call from insid
On 07/30/2013 05:34 PM, John wrote:
Thank you.
FIPS is not enabled so PK11_ImportSymKeyWithFlags() works for me. However
I'm unable to export the imported key using PK11_ExtractKeyValue() and
PK11_GetKeyData(). I suspect this is by design - keys are protected from
being exported?
keys that are m
On 07/30/2013 06:37 PM, John wrote:
At this point I usually ask, what is it you are trying to do? usually
when I see someone trying to import or export keyblobs, they are coding
at the wrong level and we should be pushing more of whatever protocol
you are running into NSS.
I'm developing a One T
On 08/06/2013 09:41 AM, epva...@gmail.com wrote:
I am using the NSS certutil.exe app command line to add a self-signed certificate to Firefox. Using the command line I'm able to
get my certificate to show up in the Certificate Manager under the "Authorities" and "Others" tabs. I have
even gotte
On 08/07/2013 10:31 AM, james.burt...@btconnect.com wrote:
The software I want to download is the NSS version 1.2
Really? Do you mean NSS used in Firefox 1.2?
NSS 1.2 wasn't even called NSS at the time, and was never released as
open source. I think NSS 3.0 or 3.2 was the first open source rele
On 08/07/2013 10:38 PM, Augustin Wolf wrote:
Hi List,
I have a Centos 6.4, fresh install, and I'm trying to configure
OpenLDAP with moznss. For now, self signed certificate is sufficient
for my needs. But when I try to search using secure connection (-Z
option), I got error:
ldap_start_tls: Conn
On 08/09/2013 02:57 AM, Gervase Markham wrote:
Can an NSS hacker please tell me, in the fashion of the attempt by the
IE representative below, what types of certificate NSS accepts for
making SSL connections? What features must the cert or chain have or not
have?
Or, if this is a PSM question, t
On 08/09/2013 10:12 AM, Brian Smith wrote:
On Fri, Aug 9, 2013 at 3:27 AM, Gervase Markham wrote:
* Can you provide some background or references on exactly how
ciphersuite construction and choice works? Can I invent e.g.
TLS_DHE_ECDSA_WITH_AES_128_MD5 or some other random combination of
eleme
On 08/14/2013 10:45 AM, Daniel Jackoway wrote:
Hi all,
With the guidance of Trevor Perrin (cc-ed), I have put together the beginnings
of a patch to allow clients of the NSS library to implement support for
arbitrary TLS extensions. The motivation is to allow clients of NSS to
implement new pr
On 08/15/2013 03:21 AM, Gervase Markham wrote:
On 15/08/13 01:19, Robert Relyea wrote:
On 08/09/2013 02:57 AM, Gervase Markham wrote:
Can an NSS hacker please tell me, in the fashion of the attempt by the
IE representative below, what types of certificate NSS accepts for
making SSL connections
Time_Stamp == EKU_Time_Stamp // 597-601
Technically this is EXT_KEY_USAGE_TIME_STAMP || EKU_TIME_STAMP.
What is the difference between these two? Looking at the wording, they
seem identical - EKU stands for EXT_KEY_USAGE...
One is the bit set in the Netscape C
On 08/19/2013 11:06 AM, Kurt Roeckx wrote:
> On 08/09/2013 04:30 AM, Brian Smith wrote:
>> Please see https://briansmith.org/browser-ciphersuites-01.html
>>
>> First, this is a proposal to change the set of sequence of ciphersuites
>> that Firefox offers.
>
> So I think there are a whole bunch of t
On 08/16/2013 03:05 PM, Wan-Teh Chang wrote:
> On Fri, Aug 16, 2013 at 11:13 AM, Camilo Viecco wrote:
>> Hello Brian
>>
>> I think this proposal has 3 sections.
>> 1. Unifying SSL behavior on browsers.
>> 2. Altering the criteria for cipher suite selection in Firefox (actually
>> NSS)
>> 3. removin
On 08/23/2013 02:03 AM, Gervase Markham wrote:
> On 22/08/13 19:21, Robert Relyea wrote:
>> The attack profile protection of PFS versus non-PFS is basically two points:
>> 1) some government agency could force a server to give up its private
>> keys and decrypt all the t
On 08/26/2013 02:24 PM, Brian Smith wrote:
> On Thu, Aug 22, 2013 at 11:21 AM, Robert Relyea wrote:
>
>> So looking at this list, I think we have a major inconsistency.
>>
>> We put Ephemeral over non-ephemeral, but we put 128 over 256.
>>
>> While I'm
On 09/11/2013 05:52 PM, Kyle Hamilton wrote:
> Elio,
>
> Thanks for responding.
>
> IBM Notes reports that the path is invalid. Is there a requirement that
> softokn3.chk be in the current working directory?
>
> -Kyle H
softokn3.chk should be in the same directory as softoken. Softoken
asked the
On 09/27/2013 05:01 PM, Ryan Sleevi wrote:
> On Fri, September 27, 2013 4:09 pm, Eddy Nigg wrote:
>> On 09/28/2013 01:59 AM, From Ryan Sleevi:
>>> If your site requires a client certificate, and you know that a client
>>> certificate is stored in a smart card, then you also know that when
>>> us
On 09/28/2013 12:17 PM, Brian Smith wrote:
> On Sat, Sep 28, 2013 at 7:52 AM, Sean Leonard wrote:
>> On 9/27/2013 5:51 PM, Robert Relyea wrote:
>>> I don't have a problem with going for an industry standard way of doing
>>> all of these things, but it's ce
On 10/04/2013 06:52 PM, Ludovic Hirlimann wrote:
> Hi,
>
> AFAIK NSS still contains code for SSL2 , but no product uses it. SSL2
> has been turned off at least 2 years ago. By removing SSL2 code we get :
>
> Smaller libraries
> faster compile time + test time
>
> What do you guys think ?
On 10/07/2013 11:19 AM, Ryan Sleevi wrote:
> On Mon, October 7, 2013 11:07 am, Robert Relyea wrote:
>> On 10/04/2013 06:52 PM, Ludovic Hirlimann wrote:
>>> Hi,
>>>
>>> AFAIK NSS still contains code for SSL2 , but no product uses it. SSL2
>>> has been
On 10/07/2013 12:01 PM, Kurt Roeckx wrote:
> On Mon, Oct 07, 2013 at 11:17:46AM -0700, Brian Smith wrote:
>> On Fri, Oct 4, 2013 at 6:52 PM, Ludovic Hirlimann
>> wrote:
>>> Hi,
>>>
>>> AFAIK NSS still contains code for SSL2 , but no product uses it. SSL2
>>> has been turned off at least 2 years ag
On 10/07/2013 12:44 PM, Wan-Teh Chang wrote:
> On Mon, Oct 7, 2013 at 11:17 AM, Brian Smith wrote:
>> I think it is likely that some vendors of NSS-based products with very
>> conservative backward-compatibility guarantees, like Oracle and maybe
>> Red Hat, may need to continue supporting SSL 2.0
On 11/01/2013 01:43 AM, Brian Smith wrote:
> On Fri, Nov 1, 2013 at 1:28 AM, Jeff Hodges wrote:
>> /* New non-experimental openly spec'ed versions of those cipher suites. */
>> #define SSL_RSA_FIPS_WITH_3DES_EDE_CBC_SHA 0xfeff
>> #define SSL_RSA_FIPS_WITH_DES_CBC_SHA 0xfefe
>>
>> Does
On 11/18/2013 07:00 AM, Gervase Markham wrote:
> Hi everyone,
>
> Following Microsoft's announcement re: SHA-1, some CAs are asking
> browser and OS vendors about the ubiquity of SHA-256 support. It would
> be a help to them if we could say:
>
> - Which version of NSS first supported SHA-256
I quic
-256, SHA-384 and SHA-512. Unsurprisingly, these 3
> functions from the SHA-2 family are what the Windows CryptoAPI
> actually supports (since XP SP3).
>
My evaluation on when we supported SHA-2 covers all 3 hash functions.
> On 19/11/13 02:20, Robert Relyea wrote:
>> I thi
On 11/19/2013 10:40 AM, Wan-Teh Chang wrote:
> Bob's answer is accurate.
>
> Note that CAs are more interested in SHA-2 based signature support
> rather than plain SHA-2 support. So another way to track down the NSS
> version is to look at the CVS history of the secvfy.c file:
>
> http://bonsai.moz
On 12/14/2013 06:28 PM, Brian Smith wrote:
> Kurt,
>
> Thanks for your suggestions.
>
> On Sat, Dec 14, 2013 at 12:46 PM, Kurt Roeckx wrote:
>
>> I think we need to come up with a plan to improve security in the
>> long run. I think what we would like to see in general is:
>> - Only SHA256 or bet
On 03/03/2014 04:31 AM, Raad Bahmani wrote:
> Hello together,
>
> I need to implement a PKCS11-library which simulates a smart-card and
> responds to login attempts with SSL certificates.
>
> I have found out that SSL needs the following mechanisms, so the
> "C_GetMechanismList" of my library speci
On 03/04/2014 03:54 PM, Julien Pierre wrote:
> Did anyone ever write a script that measures the performance of all
> the low-level algorithms in freebl, and collects the data in a way
> that's easy to compare ? This would probably be using bltest.
> This is for the purpose of evaluating different c
On 03/05/2014 01:21 AM, Raad Bahmani wrote:
> Hello Robert,
>
> thank you for your answer!
>
>
>>> 3) Which algorithm is used for login with SSL ?
>> I'm not sure what you mean by 'login with
On 03/07/2014 07:02 AM, Leon Brits wrote:
> Hi,
>
> We have a security device which is used via cryptoki (PKCS#11) to perform
> cryptographic operations such as sign/verify and en/decrypt of emails.
> Sign works via our device while Verify and Encrypt is done by the PC. Our
> problem is with Decr
On 03/10/2014 12:48 AM, Leon Brits wrote:
> Hi Robert,
>
> Thanks for the reply.
>
>> ...I'm assuming we are talking
>> about an RSA operation here and not a symmetric key operation like AES or
>> DES.
> Yes RSA.
>
>> Yes, I just checked. We we are unwrapping a key (which is what the logical
>> fun
On 03/10/2014 08:50 PM, Dave wrote:
> I'm having trouble initializing the nss soft token when linking against it
> directly. The function _NSSUTIL_EvaluateConfigDir (utilpars.c) is
> segfaulting when passing the following initialization arguments to
> C_Initialize:
>
> CK_CHAR * configStr
On 03/13/2014 05:12 AM, Leon Brits wrote:
> Robert,
>
> Attached is a log of the backtrace when I try to use Thunderbird to decrypt
> an email. As you can see in the log it reaches C_DecryptUpdate(), but then
> asserts at cmscipher.c:452.
I don't see the attachment? did you forget or did the mai
On 03/14/2014 04:42 AM, Leon Brits wrote:
> Robert,
>
> Thanks for your time.
>
>> cmscipher does call DecryptUpdate, but for the symmetric portion, not the
>> asymmetric portion. We were talking about key unwrapping/decrypt in RSA.
>> This is clearly a symmetric operation (DES3 or AES or somethin
On 03/18/2014 04:29 AM, Leon Brits wrote:
> Robert,
>
> Thanks for your help. This discussion has helped me to find the error in our
> padding implementation for symmetric ciphers using OpenSSL which defaults to
> "always pad".
>
> Encryption and decryption via thunderbird now works just fine.
g
On 04/08/2014 06:31 AM, Alan Braggins wrote:
> On 08/04/14 13:11, Jean-Marc Desperrier wrote:
>> Ryan Sleevi a écrit :
>>> reliance on PKCS#11 means that there are non-trivial overheads when
>>> doing something as "simple" as hashing with SHA-1. For something
>>> that is
>>> such a "simple" transfo
On 04/17/2014 04:46 PM, james brown wrote:
> Hi
>
> I'm a little bit confused about the differences in implementation of SSL v3
> and TLS 1.2
>
> In Firefox when you visit a website with SSL v3 the data sent through
> PR_Write is in plaintext and later to be encrypted in Ssl_Write (as far as
> I kn
On 05/13/2014 03:42 AM, Vicente Olivert Riera wrote:
> Hi Paul,
>
> I think I have fixed the problem.
>
> The failure comes from this file
> "mozilla/security/nss/lib/freebl/drbg.c" on the line #512, which has
> an assert of the size of "size_t":
>
> PR_STATIC_ASSERT(sizeof(size_t) > 4)
>
> That li
On 05/14/2014 03:57 AM, Vicente Olivert Riera wrote:
> On 05/13/2014 07:20 PM, Robert Relyea wrote:
>> On 05/13/2014 03:42 AM, Vicente Olivert Riera wrote:
>>> Hi Paul,
>>>
>>> I think I have fixed the problem.
>>>
>>> The failure comes from