Hi all,
In a script, I need to know what the “best” certificate is in the NSS database
for a given host.
The “best” certificate is
- A valid certificate by all the usual definitions of valid; and
- Matches the hostname provided either by using the subject or the
subjectAltName (with optional wi
Hi all,
I have some code that initialises using NSS_InitReadWrite(), which is failing
with the result code SEC_ERROR_LEGACY_DATABASE (-8015). After this failure
NSS_IsInitialized() returns false as expected.
Valgrind however reports a number of leaks at the end of the code, showing that
NSS_In
Hi all,
During a recent Firefox upgrade, all my digital certificates and keys vanished
(as well as all saved passwords, but that is a separate problem).
The cert8.db and key3.db files are still there, however I am struggling to find
a version of certutil that can read them. Using certutil from
On 25 Oct 2014, at 2:01 AM, sdjfhas dufh wrote:
> How do I use pbkdf2 in lib nss? It appears to be supported but I can not find
> a useable example. The api page list functions but I don't know what to do
> with them
> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Reference#PKC
Hi all,
I am currently trying to get some code working that will ultimately encrypt
video for HLS. In this case the key is supplied over an out-of-band secure
channel to the client by the protocol.
>From trawling the net I found this message which describes what I am trying to
>do, and the pro
Eddy Nigg wrote:
Just to reiterate, that the missing SNI support has been a pain for a
huge number of web site operators needing to buy additional IP addresses
for every secured web site.
StartCom Linux released yesterday a patched version of Apache with SNI
support (on the AS-5.0.2 release)
Kaspar Brand wrote:
If you're too tired to do this, then just wait until httpd v2.4 is
released, as the patch is on trunk.
That reflects the status of the code as of April 2008, and doesn't
include any of the later improvements. But if the key httpd people
aren't willing to invest time in revi
Kaspar Brand wrote:
And you've kept chasing this issue up on the dev list?
Graham, I'm getting tired of this conversation. Of course I brought up
SNI repeatedly on httpd-dev - in January, April, June, and August. But
if the feedback on the list is almost zero with each additional attempt,
then
Kaspar Brand wrote:
I'm quite familiar with that file, thanks for the pointer. Perhaps you
should have a look at
http://mail-archives.apache.org/mod_mbox/httpd-dev/200806.mbox/[EMAIL PROTECTED]
and
http://mail-archives.apache.org/mod_mbox/httpd-dev/200810.mbox/[EMAIL PROTECTED]
before advisi
Kaspar Brand wrote:
Not really true, actually... for a fuller version of the story, see e.g.
The authoritative status of the httpd-2.2 backport is in the STATUS file
in the httpd v2.2 branch, and that currently says this:
Backport version for 2.2.x of updated patch:
http://pe
Ian G wrote:
Albeit, only to those interested in SSL certs. Conceivably this would
be made a lot more fluid if Apache were to release TLS/SNI, and to a
lesser extent, Microsoft's IIE.
My understanding is that SNI is supported in httpd-trunk, soon to become
httpd v2.3.0. The people who creat
Ian G wrote:
That wasn't my question. Here's my question again: How do you show any
person afterwards that the person signed it?
I mean: how does Alice look tomorrow in this system to see what she
signed? Next year? How does Bob look next year to see what Alice
signed? How does Trent, s
Ian G wrote:
OK, that's interesting but equally worrying that the business people
were asking that question, above all others. If so, this would suggest
to me that your business people had spent too long in the fluffy "do
what lawyers say" world, and had forgotten they had a business to run?
Ian G wrote:
Um. So these tools organise a signature from a client cert over the
text in the form text box, and then post the signature up to the server?
The crypto.signtext() function is given a text string, and the browser
UI pops up a dialog box that invites the user to read the text, and
Anders Rundgren wrote:
I also understand your worries regarding what to sign and I would
be very dishonest if I said I have "solved" it. In fact, my design
doesn't even address this issue (!) except that if of course builds
on the assumption that at least the "viewer" works as expected.
Now, w
Kyle Hamilton wrote:
'content checking' is to verify that no secrets are included in
anything sent somewhere unapproved. For example, banks and other
fiduciaries need to ensure that private financial data isn't released,
educational institutions need to ensure that educational data isn't
releas
Anders Rundgren wrote:
There is no such thing as secure email at the server level.
For an *organization* this is statement is principally wrong. For an
organization the server is the only place where you actually can perform
security operations including content checking in a cost-efficient w
Anders Rundgren wrote:
Secure e-mail should have been put at the server-level, then we would have
had some base-level security that would cover 99% of all uses. But it
didn't and therefore 80% of all messages are not even coming from the
domain they claim. How very useful.
There is no such t
Nelson Bolyard wrote:
I haven't followed this lengthy discussion in detail but I have for a long
time wondered how DNSSEC and SSL-CA-Certs should coexist.
Which one will be the "most" authoritative?
Could DNSSEC (if it finally succeeds) be the end of SSL-CA-certs?
DNSSEC only attempts to ens
Bernie Sumption wrote:
The problem as I see it is that the same warning UI is shown whenever
there is a less than perfect certificate. Let us assume that 99.99% of
the time, this either a misconfigured web server or a homebrew site
that is using self-signed certs because they only care about
enc
David E. Ross wrote:
I visit some Web sites with self-signed certificates. None of those
sites request any input from me. The only reason they have site
certificates is that the site owners want to show off how technically
astute they are. Hah! However, those sites do indeed contain
informat
Michael Leupold wrote:
I'm the maintainer of the KDE Wallet system and I'm currently in
process of starting a freedesktop.org specification for storage for
secret information like passwords or certificates. Other people
involved in this project are the gnome keyring developer and
developers of o
Hi all,
I am having a dilemma that I am trying to find a solution for.
In the httpd webserver, if the mod_nss module is loaded, the mod_nss
module will try and initialise NSS. If mod_authnz_ldap is loaded into
the same server, and mod_authnz_ldap depends on the Mozilla LDAP code
that supports
Nelson B Bolyard wrote:
I think this may only be true because of the involvement of PKCS5v2.
If PKCS5v2 was not part of the problem space, I would have said that
there was no need to use OIDs at all, none whatsoever. I would have
said that PK11_ interfaces exist that can do everything you need
Wan-Teh Chang wrote:
I don't know either. Does anyone know?
Does the lack of a SECOidTag for CKM_DES3_ECB prevent
you from using some NSS functionality?
I did some web searches for the OID. The OID for DES-EDE is
"1.3.14.3.2.17":
http://www.alvestrand.no/objectid/1.3.14.3.2.17.html
But I'm
Wan-Teh Chang wrote:
For questions like this, you can sometimes find the answers in
the PKCS #11 standard.
Searching for the string "CKM_AES_ECB" in PKCS #11 v2.20,
I found Section 12.12.4 AES-ECB on page 270, and its Table
86 shows that for C_Encrypt, the input must be a multiple of
block size
Hi all,
Using PK11_GetPadMechanism(), and passing it a cipher mechanism, it as I
understand returns a variation of the mechanism capable of supporting
padding.
Is this understanding correct?
I have noticed that when CKM_AES_ECB is passed to PK11_GetPadMechanism,
I get the same mechanism in
Hi all,
In my epic quest to make NSS encrypt a string, I have managed to
successfully create a key from a passphrase, and I have successfully
managed to call PK11_CreateContextBySymKey to create an encryption context.
The next error happens at the PK11_CipherOp stage, and resolves to
SEC_ERR
Hi all,
I am struggling to understand the relationship between a
CK_MECHANISM_TYPE and a SECOidTag and how they relate to one another.
For example, CKM_AES_ECB and SEC_OID_AES_[128|192|256]_ECB constants
seem to be related to one another.
Another thing I don't fully understand is that in th
Wan-Teh Chang wrote:
Yes, NSS 3.12 works on Mac OS X Leopard. I am using Mac OS X 10.4
Tiger. I just downloaded
https://ftp.mozilla.org/pub/mozilla.org/security/nss/releases/NSS_3_12_RTM/src/nss-3.12-with-nspr-4.7.tar.gz
I built it successfully with these commands:
512 gunzip nss-3.12-wit
Hi all,
I just downloaded and attempted to build nss+nspr v3.12 as per the
following instructions:
http://www.mozilla.org/projects/security/pki/nss/nss-3.11.4/nss-3.11.4-build.html
When an attempt is made to run "make nss_build_all", the build fails
almost immediately with the following erro
Robert Relyea wrote:
Does NSS support RFC2898 (derivation of keys from a passphrase), and
if so, what set of functions should I be looking at to use this?
Yes, The standard NSS PBE interface supports PBKDF2 automatically on
reading if the algid specifying the PBE is PBEDKF2. On generation, if
Robert Relyea wrote:
Does NSS support RFC2898 (derivation of keys from a passphrase), and
if so, what set of functions should I be looking at to use this?
Yes, The standard NSS PBE interface supports PBKDF2 automatically on
reading if the algid specifying the PBE is PBEDKF2. On generation, if
Hi all,
Does NSS support RFC2898 (derivation of keys from a passphrase), and if
so, what set of functions should I be looking at to use this?
Regards,
Graham
--
smime.p7s
Description: S/MIME Cryptographic Signature
___
dev-tech-crypto mailing list
Robert Relyea wrote:
How do I set up the symmetrical key, cipher and digest for
PK11_CipherOp to replace the OpenSSL EVP_BytesToKey function?
That would be PK11_ImportSymKey(). NOTE: this function is available
mostly for compatiblity, it will not work in all cases (hardware tokens,
for instanc
Nelson B Bolyard wrote:
Please file a bug in bugzilla.mozilla.org about that.
Product: NSS
Component: Libraries
Version: whatever version you're using
I just added the bug here:
https://bugzilla.mozilla.org/show_bug.cgi?id=453364
The gdb trace of how I got there is included, along with the k
Graham Leggett wrote:
I am trying to call PK11_CreateContextBySymKey and it is returning NULL.
Using PORT_GetError, the error code returned is zero.
Reverse engineering the PK11_CreateContextBySymKey function, I have
found that the function returns NULL in a number of locations, many
Hi all,
I am trying to call PK11_CreateContextBySymKey and it is returning NULL.
I understand that if I called the PORT_GetError function, I would get
the error that occurred, but that is still of no use as it is just a number.
I found a function called SECU_Strerror that seems to be used to
Subrata Mazumdar wrote:
Apache XML Security C++ library
(http://xml.apache.org/security/c/index.html) provides single C++ based
cryptographic interface with multiple Crypto API (OpenSSL, NSS, MS-CAPI)
based implementation. The Apache XML Security C++ library implements
signing, encryption as
Hi all,
I am trying to port some symmetrical encryption / decryption code using
OpenSSL's EVP_CipherUpdate function to NSS, and I am running into
trouble trying to find the API documentation for NSS.
So far, the closest to documentation that I have found is a list of the
API functions, but n
40 matches
Mail list logo