When using PK11_FindCertFromNickname() with the softokn it seems that
using a raw nickname works fine (e.g. Server-Cert vs NSS Certificate
DB:Server-Cert).
Looking for a nickname on a PKCS#11 token seems to require the token
name in the nickname, "tokenname:Server-Cert".
Is it safe to assume that
Chris Tomlin wrote:
>
> Hello all,
>
> I'm getting an NSS error in my httpd logs and it's a bit strange. The error
> I'm getting is this:
>
> Misconfiguration of certificate's CN and virtual name. The certificate CN has
> server.name. We expected server.name as virtual name.
>
> In this erro
SSL_BYPASS_PKCS11 is marked as deprecated in ssl.h. What are the plans
on removing it?
rob
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Robert Relyea wrote:
On 10/21/2016 07:04 AM, Rob Crittenden wrote:
I'm trying to figure out how to dynamically enable FIPS support for
NSS Contexts.
I started with multinit.c and initialize FIPS right after calling
NSS_InitContext() using this:
So you can't change the state of
Robert Relyea wrote:
On 10/21/2016 07:04 AM, Rob Crittenden wrote:
I'm trying to figure out how to dynamically enable FIPS support for
NSS Contexts.
I started with multinit.c and initialize FIPS right after calling
NSS_InitContext() using this:
So you can't change the state of
I'm trying to figure out how to dynamically enable FIPS support for NSS
Contexts.
I started with multinit.c and initialize FIPS right after calling
NSS_InitContext() using this:
if (!PK11_IsFIPS()) {
fprintf(stderr, "Initializing FIPS\n");
SECMODModule *mod = SECMOD_GetInt
It looks like when multiple NSS databases are initialized using
NSS_InitContext() the nicknames can take multiple forms depending on
order of initialization. Using the multinit program and three NSS
certificate databases with identical nicknames I saw the following names
associated:
(first in
On Tue, Dec 1, 2015 at 6:53 AM, Rob Crittenden wrote:
Is ALPN supported on the server side? I can't tell from
the API and Julien asked in
https://bugzilla.mozilla.org/show_bug.cgi?id=959664 but never got an answer.
I'm looking to add HTTP/2.0 support to mod_nss and I need ALPN to do that.
I want to control the set of CA certificates available to authenticate
client certificates. AIUI I can use SSL_SetTrustAnchors() to do this but
it isn't working as I'd expect.
The code looks like:
CERTCertList * ca_list = CERT_NewCertList();
SSL_SetTrustAnchors(fd, ca_list); (returns SECSucces
I don't see a way to implement OCSP stapling on the server side.
SSL_SetStapledOCSPResponses() is I think what one would use to set the
response in the SSL session but I don't see a way to get the response
from the OCSP handler. At least, I don't see a way without implementing
my own status checke
Is there a reason that SSL_ENABLE_SERVER_DHE exists? Why not simply not
enable any DH ciphers?
I ask because I'm looking to add some DH support and want to know how
bad an idea it is to always enable this. I can't think of a downside as
long as the ciphers are disabled server-side. What am I missi
Is ALPN supported on the server side? I can't tell from
the API and Julien asked in
https://bugzilla.mozilla.org/show_bug.cgi?id=959664 but never got an answer.
I'm looking to add HTTP/2.0 support to mod_nss and I need ALPN to do that.
thanks
rob
I'm considering how to handle SSL re-negotiation in the Apache NSS
provider mod_nss to handle the SSL client-initiated handshake bug.
NSS provides a callback, SSL_HandshakeCallback(), which according to the
docs is called when an SSL handshake has completed.
So let's say I have the following:
Sandeep Cavale wrote:
Hi,
I seem to be having the same issue as below...
In addition, after such a failure if I do "cryptoadm list -v", the hardware
provider fails to list my hardware accelerator card (mca0- Sun Crypto
Accelerator)
Further this is what the /var/adm/messages indicate:
Aug 25 1
Wan-Teh Chang wrote:
> As part of the work to include NSS in LSB 4.0, I created a list
> of NSPR functions required for using the NSS SSL functions at
> http://developer.mozilla.org/En/NSS_reference/NSPR_functions
>
> I generated this list by inspecting the source code of libcurl,
> nss_compat_oss
Eddy Nigg (StartCom Ltd.) wrote:
Rob Crittenden wrote:
Yes, mod_nss supports the same environment variables as mod_ssl.
http://directory.fedoraproject.org/wiki/Mod_nss
I couldn't figure (explicit) from that page that this is the case
http://directory.fedoraproject.org
Eddy Nigg (StartCom Ltd.) wrote:
> Nelson Bolyard wrote:
>>
>> Does serf use "modSSL"? If so, there is a "modNSS" that causes Apache to
>> use NSS instead of OpenSSL. That might be an easy change for you.
>>
>>
> Nelson, what about the env variables as in
> http://httpd.apache.org/docs/2.0/mo
Wan-Teh Chang wrote:
> Rob Crittenden wrote:
>> Wan-Teh Chang wrote:
>>> Rob Crittenden wrote:
>>>> 2. If I call PR_Shutdown() on an SSL socket, is there a way later to
>>>> see the flags I called it with? For example, if I call it just with
>>&g
Wan-Teh Chang wrote:
> Rob Crittenden wrote:
>> I've got a couple of API questions. I'm not sure if these are
>> available or not:
>>
>> 1. Can I get the numeric value of the cipher that has been negotiated
>> instead of just the ch
I've got a couple of API questions. I'm not sure if these are available
or not:
1. Can I get the numeric value of the cipher that has been negotiated
instead of just the character value (e.g. from SSL_SecurityStatus())?
2. If I call PR_Shutdown() on an SSL socket, is there a way later to see
t
Nelson B wrote:
Rob Crittenden wrote:
In an SSL client I want to force the SSL handshake to take place instead
of passively waiting for it to happen during the first write.
Right after I connect to the server I'm currently doing this:
SSL_ResetHandshake(ssl, /* asServer */ PR_
Nelson B wrote:
Rob Crittenden wrote:
In an SSL client I want to force the SSL handshake to take place instead
of passively waiting for it to happen during the first write.
Right after I connect to the server I'm currently doing this:
SSL_ResetHandshake(ssl, /* asServer */ PR_
In an SSL client I want to force the SSL handshake to take place instead
of passively waiting for it to happen during the first write.
Right after I connect to the server I'm currently doing this:
SSL_ResetHandshake(ssl, /* asServer */ PR_FALSE);
do {
SSL_ForceHandshake(ssl);
PR_Rec
Nelson B wrote:
Rob Crittenden wrote:
I'm having an issue with mod_nss, an Apache module I wrote that provides
SSL using NSS.
The way Apache loads modules is a tad strange.
I'd say it's more than a tad!
What it does is it loads them one time in order to get its list o
I'm having an issue with mod_nss, an Apache module I wrote that provides
SSL using NSS.
The way Apache loads modules is a tad strange. What it does is it loads
them one time in order to get its list of configuration directives and
it verifies that the configuration is ok. It also runs through
Nelson B. Bolyard wrote:
Rob Crittenden wrote:
A fair bit of work has been done to mod_nss, an SSL module for Apache
that uses NSS instead of OpenSSL, since it was released last September.
Changes since then include use the NSS OCSP client, addition of a FIPS
mode (similar to modutil -fips
Wan-Teh Chang wrote:
Rob Crittenden wrote:
A fair bit of work has been done to mod_nss, an SSL module for Apache
that uses NSS instead of OpenSSL, since it was released last September.
Changes since then include use the NSS OCSP client, addition of a FIPS
mode (similar to modutil -fips true
A fair bit of work has been done to mod_nss, an SSL module for Apache
that uses NSS instead of OpenSSL, since it was released last September.
Changes since then include use the NSS OCSP client, addition of a FIPS
mode (similar to modutil -fips true -dbdir /path/to/database), options
to seed th
28 matches