Re: Cross-Compilation of NSS for MIPS platform fails.

2016-03-19 Thread Wan-Teh Chang
ader.c. I suspect the dlopen() call of libfreebl3.so failed because it could not find libfreebl3.so. I suggest you investigate in that direction. By the way, are you using a MIPS development board such as Creator Ci20 that I can easily buy to reproduce your problem? Wan-Teh Chang -- dev-tech-cry

Re: Verifying a signature using NSS

2016-02-12 Thread Wan-Teh Chang
On Wed, Feb 10, 2016 at 11:50 PM, WebDoctor wrote: > Hi, > > I'm working in a Firefox extension that will use some cryptographic > operations. > > The problem I found is that when I sign data using the private key in the > server-side, I couldn't find any appropriate

Re: AES-256 vs. AES-128

2015-12-01 Thread Wan-Teh Chang
On Tue, Dec 1, 2015 at 8:55 AM, Julien Vehent wrote: > > AES-NI is fast enough that we shouldn't have to care: > > $ openssl speed -evp aes-256-gcm > type 16 bytes 64 bytes256 bytes 1024 bytes 8192 bytes > aes-256-gcm 385250.93k 983154.24k

Re: Removing SSL 2.0 from NSS (was Re: Removing dead code from NSS)

2013-10-07 Thread Wan-Teh Chang
On Mon, Oct 7, 2013 at 11:17 AM, Brian Smith br...@briansmith.org wrote: I think it is likely that some vendors of NSS-based products with very conservative backward-compatibility guarantees, like Oracle and maybe Red Hat, may need to continue supporting SSL 2.0 in their products due to

Re: set default on for SHA2 for TLS1.1+ on firefox

2013-10-07 Thread Wan-Teh Chang
On Mon, Oct 7, 2013 at 12:02 PM, Brian Smith br...@briansmith.org wrote: If you are referring to something other than the TLS_*_SHA256 cipher suites, please be more specific as to what you are referring to. Brian, If you can enable TLS 1.2 by default in Firefox, that should make Mountie

Re: NSS documentation proposal

2013-09-05 Thread Wan-Teh Chang
/show_bug.cgi?id=912360 Wan-Teh Chang -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Proposal to Change the Default TLS Ciphersuites Offered by Browsers

2013-08-16 Thread Wan-Teh Chang
On Fri, Aug 16, 2013 at 11:13 AM, Camilo Viecco cvie...@mozilla.com wrote: Hello Brian I think this proposal has 3 sections. 1. Unifing SSL behavior on browsers. 2. Altering the criteria for cipher suite selection in Firefox (actually NSS) 3. removing certain cipher suites from the default

Re: Proposal to Change the Default TLS Ciphersuites Offered by Browsers

2013-08-16 Thread Wan-Teh Chang
On Fri, Aug 16, 2013 at 3:36 PM, Rob Stradling rob.stradl...@comodo.com wrote: Wan-Teh, why do you think Firefox should specify a preference for ECDSA over RSA? Because ECDSA is more secure than RSA, and ECC implementations will become faster over time. The ordering of RSA and ECDSA is really

The NSS_SURVIVE_DOUBLE_BYPASS_FAILURE build option will be removed in NSS 3.15.1

2013-06-17 Thread Wan-Teh Chang
messages. If you are using the NSS_SURVIVE_DOUBLE_BYPASS_FAILURE build option, please let me know. If you call SSL_CanBypass before enabling the PKCS #11 bypass mode, you should not need the NSS_SURVIVE_DOUBLE_BYPASS_FAILURE build option. Thanks, Wan-Teh Chang -- dev-tech-crypto mailing list dev

Re: Fwd: Re: No such instruction building NSS

2013-06-10 Thread Wan-Teh Chang
On Mon, Jun 10, 2013 at 3:43 PM, Robert Relyea rrel...@redhat.com wrote: Yeah, you need to use the new assembler on RHEL-5: As root: yum install binutils220 As user: export PATH=/usr/libexec/binutils220:$PATH Then do you your build. Bob, could you add the above to the NSS build

Re: Changing the recommended list archive (as Google's archive is incomplete)

2013-05-28 Thread Wan-Teh Chang
Kai, Thank you for creating the NSPR 4.10 and NSS 3.15 releases. I have just announced the NSPR 4.10 release in the NSPR newsgroup: http://mozilla.6506.n7.nabble.com/ANNOUNCE-NSPR-4-10-Release-tc280660.html http://permalink.gmane.org/gmane.comp.mozilla.devel.nspr/1698

Re: SIGSEGV on 64bit HP-UX with shlibsign (NSS 3.14.3)

2013-05-21 Thread Wan-Teh Chang
On Tue, May 21, 2013 at 12:11 AM, Ashwani Kadian ashwani.kad...@oracle.com wrote: Hi All, In NSS 3.14.3 build process, shlibsign crashes while trying to sign libsoftokn3.sl on HP-UX 64 bit machine. It works fine on 32 bit HP-UX.

Re: NSS - PKCS #11 Test Suites build problems (2013)

2013-02-15 Thread Wan-Teh Chang
Hi Tiago, On Fri, Feb 15, 2013 at 11:34 AM, TIAGO ALVES alvesfons...@ibest.com.br wrote: I saw previous messages that reported build problems in the NSS - PKCS #11 Test Suites. I would like to know if those issues have already been addressed? We never had the time to retrieve the source

[ANNOUNCE] NSS 3.14.2 Release

2013-02-04 Thread Wan-Teh Chang
[NOTE: NSS 3.14.2 does not include a fix for the attacks described in the paper Lucky Thirteen: Breaking the TLS and DTLS Record Protocols (http://www.isg.rhul.ac.uk/tls/). An upcoming NSS patch release will address the attacks.] Network Security Services (NSS) 3.14.2 is a patch release for NSS

Re: NSS 3.14.2 BETA 3 tagged ; NSS 3.14.2 BETA 3 + one patch now required to build mozilla-central

2013-01-28 Thread Wan-Teh Chang
On Mon, Jan 28, 2013 at 4:34 AM, Kai Engert k...@kuix.de wrote: I commented on the patch for bug 834091 that you included in mozilla-central in the bug. It seems you are adding a new API to mozilla desktop that hasn't been fully reviewed nor checked in to NSS yet.

Re: NSS 3.12.5 - Bug 665814 - (CVE-2011-3389) Rizzo/Duong chosen plaintext attack (BEAST) on SSL/TLS 1.0 (facilitated by websockets -76)

2013-01-24 Thread Wan-Teh Chang
On Thu, Jan 24, 2013 at 1:52 AM, Sergey Emantayev sergey.emanta...@gmail.com wrote: For the reference, I'm attaching the back ported fix for the 3.12.5, with no warranties. [...snipped] --- nss-3.12.5-orig/mozilla/security/nss/lib/ssl/sslimpl.h Tue Jan 15 16:40:47 2013 +++

Re: Attempting to Link to Mozilla NSS Libraries causes Undefined Reference Error

2012-11-27 Thread Wan-Teh Chang
2012/11/27 Brian Teh tehhzs...@gmail.com: THUNDERBIRD_LDFLAGS = -L$(THUNDERBIRD_OBJDIR_PATH)/mozilla/dist/lib \ -lxpcomglue_s\ -lxpcom \ -lmozalloc \ -lnss\

Re: NSS 3.14 release

2012-10-25 Thread Wan-Teh Chang
On Wed, Oct 24, 2012 at 10:19 PM, Julien Pierre julien.pie...@oracle.com wrote: The following changes may be problematic : 1) * New default cipher suites ( https://bugzilla.mozilla.org/show_bug.cgi?id=792681 ) The default cipher suites in NSS 3.14 have been changed to better reflect the

Re: libnss x86 DRNG

2012-10-02 Thread Wan-Teh Chang
On Tue, Oct 2, 2012 at 7:45 PM, Michael Demeter michael.deme...@intel.com wrote: Continuation would then be to eliminate any unnecessary work being done to increase the randomness..Since the HW generated values can be used directly. This could help a small little bit in performance (but that

Re: Creating PKCS7 object using NSS

2012-08-11 Thread Wan-Teh Chang
On Sat, Aug 11, 2012 at 5:37 AM, Gökçen Eraslan gokcen.eras...@gmail.com wrote: When I traced the code I see that sec_pkcs7_create_signed_data call returns successfully but sec_pkcs7_add_signer fails. Trace is like that: sec_pkcs7_add_signer - CERT_VerifyCertificate - CERT_VerifyCertChain

Re: Building NSS with VS2008, Statically Linking the CRT

2012-07-12 Thread Wan-Teh Chang
On Thu, Jul 12, 2012 at 3:20 AM, Sam Laidler sam.laid...@the-logic-group.com wrote: I want to distribute NSS without the MS redistribution package. When I read the following, I got the impression that it should be theoretically possible: https://developer.mozilla.org/en/USE_STATIC_LIBS

Re: Is there an ETA yet for when Firefox will use libpkix by default?

2012-06-08 Thread Wan-Teh Chang
Rob, Please fix the bug in the old certificate verification library. Thanks. Are you going to use the approach outlined by Nelson in bug 479508 and bug 482153? Wan-Teh -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: NSS 3.12.5.0: Error '-8152' (SEC_ERROR_INVALID_KEY) when connecting to ssl-enabled servers

2012-05-25 Thread Wan-Teh Chang
On Mon, May 21, 2012 at 5:21 AM, Bernhard Thalmayr bernhard.thalm...@painstakingminds.com wrote: Hi Wan-Teh, Nelson, could it be that this error is also raised by the client if the client can not 'participate' in ssl client-auth? Yes, this is possible. Unfortunately I only got a text-output

Re: NSS 3.12.5.0: Error '-8152' (SEC_ERROR_INVALID_KEY) when connecting to ssl-enabled servers

2012-05-09 Thread Wan-Teh Chang
On Tue, May 8, 2012 at 7:33 PM, Nelson B Bolyard nel...@bolyard.me wrote: Bernhard, I think the most likely explanations are these: 1) Server certificate has a public key that is too small, too large, has a too small public exponent (if RSA), an unknown key type, or a key for an Elliptic

Re: Provide own CA

2012-05-07 Thread Wan-Teh Chang
On Mon, May 7, 2012 at 9:20 AM, Marc Patermann hans.mo...@ofd-z.niedersachsen.de wrote: Hi, I posted my issue on Thunderbird-Enterprise before and Ludovic Hirlimann sent me here. I created an own CA and put the cert in cert8.db by GUI in Thunderbird 10 ESR. As far as I understand it, the

Re: Feedback on DOMCryptInternalAPI

2012-05-03 Thread Wan-Teh Chang
interface, so that we can implement the verify() method with constant time byte comparison. Wan-Teh Chang -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: cert8.db rewrite reasons and exceptions?

2012-04-04 Thread Wan-Teh Chang
On Wed, Apr 4, 2012 at 12:47 PM, Anders Rundgren anders.rundg...@telia.com wrote: Mozilla should IMO rather hook into the other vendors cryptographic solution, possibly at the expense of NSS. According to a [colleage] of mine Chrome even use the platform's SSL implementation!  Well, not in

Re: Alternative for SGN_DecodeDigestInfo

2012-04-04 Thread Wan-Teh Chang
On Wed, Apr 4, 2012 at 4:39 PM, Brian Smith bsm...@mozilla.com wrote: I don't know what platform JV is on, but I know on Mac OS X, all the internal symbols in FreeBL and maybe other libraries are exported. This is how the Firefox Sync developers got so far in developing their JavaScript

Certificate verification regression in NSS 3.13.2

2012-03-28 Thread Wan-Teh Chang
?id=608587 Thanks to Rob Stradling of Comodo for reporting the bug and providing a patch. Wan-Teh Chang -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: Mozilla Team-about the upcoming branding changes at Symantec/VeriSign, and working to implement them in Mozilla/Firefox

2012-03-09 Thread Wan-Teh Chang
On Fri, Mar 9, 2012 at 9:56 AM, Brian Smith bsm...@mozilla.com wrote: The second question is: Should we change the string in the display of the *root* certificate from VeriSign, Inc. to Norton. Ideally this string should come from the certificate. The fundamental purpose of a certificate is

Re: Review of changes to the HTTP spec

2012-01-19 Thread Wan-Teh Chang
On Thu, Jan 19, 2012 at 1:43 AM, Brian Smith bsm...@mozilla.com wrote: HTTPbis seems to be in its final stages. Although it is supposed to be a somewhat minor revision, quite significant changes have been made to the spec. We should review the changes and make sure we provide our feedback

Re: Removal of NSS and/or NSPR from the API exposed to addons

2012-01-18 Thread Wan-Teh Chang
On Wed, Jan 18, 2012 at 2:44 PM, Brian Smith bsm...@mozilla.com wrote: Mike Hommey wrote: Please note that this is going to be a problem on systems that have system nspr and nss libraries that other system libraries use. I am intending to avoid changing how NSS is linked on Linux, at least at

Re: What exactly are the benefits of libpkix over the old certificate path validation library?

2012-01-04 Thread Wan-Teh Chang
On Wed, Jan 4, 2012 at 3:51 PM, Brian Smith bsm...@mozilla.com wrote: But, it is a little distressing that Google Chrome seems to avoid libpkix whenever possible, ... This is not true. In fact, Google Chrome is an early adopter of libpkix, and works very hard to fix or work around the bugs in

Re: NSS 3.13.1 release to fix regression caused by NSS 3.13 bug 693228

2011-10-18 Thread Wan-Teh Chang
On Tue, Oct 18, 2011 at 2:41 PM, Brian Smith bsm...@mozilla.com wrote: Will we release a special update to NSS 3.13 to fix the regression bug 693228, or will we wait until the next release? NSS 3.13.1 will be that special update to NSS 3.13 to fix bug 693228 and any other regressions we know

Re: [ANNOUNCE] NSS 3.13 Release

2011-10-17 Thread Wan-Teh Chang
On Mon, Oct 17, 2011 at 1:11 AM, Gen Kanai gka...@gmail.com wrote: 4. Ported to iOS. (Requires NSPR 4.9.) Hi Wan-Teh, Thank you for this notice. I'm more just curious but do we know of any publicly software shipping for iOS that uses NSS 3.13? I don't know of any. FYI, here is the bug:

[ANNOUNCE] NSS 3.13 Release

2011-10-14 Thread Wan-Teh Chang
to return the NSS version string. 7. Added experimental support of RSA-PSS to the softoken only (by Hanno Böck, http://rsapss.hboeck.de/). Wan-Teh Chang -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: How is the official for NSS in coverity?

2011-10-14 Thread Wan-Teh Chang
On Fri, Oct 14, 2011 at 10:14 AM, Elio Maldonado emald...@redhat.com wrote: Hi all, NSS is listed as its own project and as a rung 1 project at http://scan.coverity.com/rung1.html if I understand correctly means there is an official contact for nss. I need to see the results of the nss

Re: Mozilla NSS and DANE

2011-10-13 Thread Wan-Teh Chang
On Thu, Oct 13, 2011 at 3:54 AM, Pontus Ericson kpc.eric...@gmail.com wrote: Hi I mailed this mailinglist a few weeks ago regarding the development of DNS-based certification authentication for S/MIME. I am now starting the project fully and I'm going to use Thunderbird/Mozilla NSS in the

Explicitly distrusted certificates in certdata.txt (NSS built-in root CA certificate list)

2011-10-10 Thread Wan-Teh Chang
attributes. Wan-Teh Chang -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: NSS patch for TLS timing attack on elliptic curve cyrptography

2011-09-26 Thread Wan-Teh Chang
On Fri, Sep 23, 2011 at 2:02 PM, Douglas Stebila doug...@stebila.ca wrote: Perhaps someone will take a look at this forlorn bug and patch? https://bugzilla.mozilla.org/show_bug.cgi?id=660394 Yes, I can take a look at the patch. Wan-Teh -- dev-tech-crypto mailing list

Re: Thunderbird/Mozilla NSS and DANE

2011-09-22 Thread Wan-Teh Chang
On Thu, Sep 22, 2011 at 5:22 AM, Pontus Ericson kpc.eric...@gmail.com wrote:  Hi. My name is Pontus Ericson and I'm a computer science student at the Royal Institute of Technology in Stockholm, Sweden. I am currently doing my master thesis where I will explore the possibility of deploying

[ANNOUNCE] NSS 3.12.11 Release

2011-08-15 Thread Wan-Teh Chang
/buglist.cgi?list_id=1105376resolution=FIXEDclassification=Componentsquery_format=advancedtarget_milestone=3.12.11product=NSS plus the following bug: Bug 668397: Crash when verifying certificate chain containing Fortezza certificates (the smaller patch for NSS_3_12_BRANCH only) Wan-Teh Chang

Re: Protecting PRNG against malicious users / multiple independent PRNG states

2011-08-01 Thread Wan-Teh Chang
my objection to this proposal before I forget again. I won't repeat the arguments given by Nelson Bolyard and Marsh Ray. Wan-Teh Chang -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: nss build on windows

2011-04-29 Thread Wan-Teh Chang
On Fri, Apr 29, 2011 at 6:30 AM, Nate Hoellein natehoell...@gmail.com wrote: Hi - I'm attempting to build nss on windows and getting the following output: code $ make nss_build_all cd ../coreconf ;  make make[1]: Entering directory `/c/mozilla/security/coreconf' cd nsinstall; make export

Re: Policy Update Discussion: Third-Party SubCAs

2011-04-28 Thread Wan-Teh Chang
On Thu, Apr 28, 2011 at 4:50 AM, Jean-Marc Desperrier jmd...@gmail.com wrote: BTW isn't there somewhere a page with the corespondance between NSS and Firefox version ? I believe there is one, but can't find it again. The page is

Re: Policy Update Discussion: Third-Party SubCAs

2011-04-27 Thread Wan-Teh Chang
On Wed, Apr 27, 2011 at 6:42 AM, Jean-Marc Desperrier jmd...@gmail.com wrote: Jean-Marc Desperrier wrote: Johan Sys wrote: [...] We did some tests with name constraints with positive results: SubCA with name constraint as follows : Permitted [1]Subtrees (0..Max): DNS

Re: NSS 3.12.5 'libssl3:SSL_OptionGet' not returning?

2011-04-22 Thread Wan-Teh Chang
On Mon, Apr 11, 2011 at 1:45 AM, Bernhard Thalmayr bernhard.thalm...@painstakingminds.com wrote: Hi experts, I'm experiencing an interesting issue. OpenAM url-policy agent, which is using NSS/NSPR, 'hangs' when trying to establish a connection to an SSL-enabled server. OS: Solaris10

Re: Initialization of PKCS#11 crypto module changed since NSS 3.12.5?

2011-04-21 Thread Wan-Teh Chang
On Thu, Apr 21, 2011 at 1:06 PM, Bernhard Thalmayr bernhard.thalm...@painstakingminds.com wrote: Hi experts, according to 'https://developer.mozilla.org/en/NSS_reference/NSS_environment_variables' PKCS#11 crypto module will throw an error if not initialized by the process which will use it

Re: NSS 3.9.12 core-dump in SSL_OptionGet

2011-04-20 Thread Wan-Teh Chang
On Wed, Apr 20, 2011 at 3:27 AM, Bernhard Thalmayr bernhard.thalm...@painstakingminds.com wrote: Hi experts, it would be great if some could shed some light on the following OpenAM web-agents are using NSS/NSPR for outbound connections. I get a core-dump of Apache http server when agent

Re: NSS 3.9.12 core-dump in SSL_OptionGet

2011-04-20 Thread Wan-Teh Chang
On Wed, Apr 20, 2011 at 7:46 AM, Bernhard Thalmayr bernhard.thalm...@painstakingminds.com wrote: Thanks for the pointer Wan-Teh meanwhile I already used dbx and got this ... You're right. I haven't used Solaris for a long time. If you compile the code with Sun Studio compilers, you should

Re: Certificate Problem in FF 4

2011-04-08 Thread Wan-Teh Chang
On Fri, Apr 8, 2011 at 12:50 PM, Honza Bambas hon...@allpeers.com wrote: I'm getting the no issuer chain error even when I first visit the https://crm.ausnetservers.net.au link with an empty (clean) profile - so there is certainly no cert exception nor any additional certificates. I don't

Re: CERT_PKIXVerifyCert does not recognize bogus certificates contained in nssckbi.dll

2011-04-07 Thread Wan-Teh Chang
On Thu, Apr 7, 2011 at 5:26 AM, Joachim Lingner joachim.ling...@oracle.com wrote:  Hi, I am testing NSS 3.9.12 with CKBI 1.82 on Windows. To verify that the bogus certificates are recognized as such I run vfychain. The certificates are exported from the Windows certificate store. Having

Re: Promote performance improvements from #559508 and #559510 to 3.12.10?

2011-04-07 Thread Wan-Teh Chang
On Thu, Apr 7, 2011 at 3:02 PM, Robert Relyea rrel...@redhat.com wrote: I had thought these were in, but I was thinking of a different bug with a patch by Aleksey. I've marked these as target 3.12.10. I just checked in the patches in NSS bugs 559508 and 559510 on the NSS_3_12_BRANCH. Wan-Teh

Re: Problems Building NSS on Mac OS X 10.6 (64-bit)

2011-03-30 Thread Wan-Teh Chang
On Wed, Mar 30, 2011 at 6:45 AM, Kaspar Brand m...@velox.ch wrote: Sounds good. security/nss/lib/jar is currently the other place which also depends on the NSS_X* macros, i.e. it should be a header file which can be used by files outside freebl, too. I see. security/nss/lib/util/secport.h is

Re: Problems Building NSS on Mac OS X 10.6 (64-bit)

2011-03-29 Thread Wan-Teh Chang
On Tue, Mar 29, 2011 at 11:21 AM, Mark Mentovai m...@chromium.org wrote: I would avoid this. -Xarch_arch is implemented as an Apple GCC driverdriver option and isn’t available in mainline GCC or even the Apple GCC’s CPU-specific frontends (such as i686-apple-darwin10- gcc-4.2.1). -Xarch_arch

Re: NSS in Summer of Code?

2011-03-02 Thread Wan-Teh Chang
On Wed, Mar 2, 2011 at 3:23 AM, Gervase Markham g...@mozilla.org wrote: Usually, we prefer mentors to propose projects because then we know that the project is something the mentor is interested in mentoring, and we can assess the project as being of an appropriate size and complexity. Hi

Re: Freezing and making available to js the mp_int bignum package API

2011-03-02 Thread Wan-Teh Chang
The inability to allocate mp_int variables on the stack is not as bad as it seems. This is because the 'dp' array inside an mp_int still needs to be allocated from the heap. An mp_new function can allocate the mp_int structure and the 'dp' array in one shot if the number of digits needed is

Re: NSS in Summer of Code?

2011-03-01 Thread Wan-Teh Chang
On Wed, Feb 23, 2011 at 3:26 AM, Gervase Markham g...@mozilla.org wrote: Hi NSS team, Are any of you interested in submitting a proposal for a Summer of Code project for Bugzilla this year, and mentoring it? https://wiki.mozilla.org/Community:SummerOfCode11:Brainstorming Hi Gerv, I just

Re: Freezing and making available to js the mp_int bignum package API

2011-02-28 Thread Wan-Teh Chang
On Mon, Feb 28, 2011 at 9:03 AM, Jean-Marc Desperrier jmd...@gmail.com wrote: Hi, There was some talk last october about accessing the mp_int API from javascript, and so freezing it in order to make it available as a frozen API. Nelson concluded that the one difficult point would be to

Re: Path building in Thunderbird

2011-02-18 Thread Wan-Teh Chang
On Thu, Feb 17, 2011 at 7:10 AM, Stephen Hanna sha...@juniper.net wrote: Does Thunderbird support certification path building? If so, how is it enabled and configured? Hi Steve, I am confused by your question. An S/MIME client obviously must support certification path building by default.

Re: JSS socket closing fix?

2011-02-15 Thread Wan-Teh Chang
On Tue, Feb 15, 2011 at 8:19 AM, David B Hinz dbh...@raytheon.com wrote: Was there a bug fix to JSS 4.2.5, 4.3, or 4.3.1 that dealt with a problem with sockets not being closed properly when a client application was shutting down? I don't know which bug you're referring to. This Bugzilla

Re: Support for TLS snap start and next-protocol-negotiation extensions in NSS

2011-02-01 Thread Wan-Teh Chang
On Mon, Jan 31, 2011 at 1:55 AM, mandeep alluru reddy.mand...@gmail.com wrote: Hello Everyone, I am new to using NSS and have been exploring the features of NSS for the past two weeks. I would like to know if NSS supports TLS Next- Protocol-Negotiation and TLS snap start extensions. I would

Re: FireFox v3.0.1 of Windows uses SSLv2 Record Layer even when SSLv2 is disabled

2011-01-30 Thread Wan-Teh Chang
On Sun, Jan 30, 2011 at 1:32 AM, Nelson B Bolyard nel...@bolyard.me wrote: Firefox doesn't send TLS client hellos to servers that fail to complete ANY handshake with ANY version of SSL or TLS some number of times in a row when it has tried sending TLS client hellos.  Once it decides the server

Re: Force usage of a certificate for client authentication

2011-01-27 Thread Wan-Teh Chang
On Thu, Jan 27, 2011 at 6:06 AM, Martin Boßlet martin.boss...@googlemail.com wrote: But I again checked the trust settings for the CA certificates. They're fine... Did you check your client certificate in Firefox 4 to make sure it's imported correctly? In Firefox 4, open Options (or

Re: Force usage of a certificate for client authentication

2011-01-26 Thread Wan-Teh Chang
On Wed, Jan 26, 2011 at 4:38 AM, Martin Boßlet martin.boss...@googlemail.com wrote: I want to authenticate to a server using TLS client authentication, so I imported a PKCS#12 file for this purpose. Unfortunately the certificate is from an internal CA that does neither issue keyUsage,

Re: Problems Building NSS on Mac OS X 10.6 (64-bit)

2011-01-20 Thread Wan-Teh Chang
On Wed, Jan 19, 2011 at 8:08 PM, Nathan Craike ncra...@gmail.com wrote: Is it possible to build the 32-bit version on a 64-bit Mac? The Mac OS X man page for gcc describes an Apple only option -arch: -arch arch            Compile for the specified target architecture arch.  The allowable

Re: NSS 3.12.5: Error '-8023' ... how to track it down?

2011-01-13 Thread Wan-Teh Chang
On Wed, Jan 12, 2011 at 2:38 PM, Robert Relyea rrel...@redhat.com wrote: On 01/12/2011 01:26 PM, Bernhard Thalmayr wrote: 331569088[1bd1610]: C_UnwrapKey 331569088[1bd1610]:   hSession = 0x6 331569088[1bd1610]:   pMechanism = 0x7fffcd592ea0 331569088[1bd1610]:   hUnwrappingKey = 0x8

Re: NSS 3.12.5: Error '-8023' ... how to track it down?

2011-01-13 Thread Wan-Teh Chang
On Thu, Jan 13, 2011 at 2:53 AM, Bernhard Thalmayr bernhard.thalm...@painstakingminds.com wrote: It might be helpfull if SSLTRACE and PKCS#11 could log a timestamp to help in correlation. You can add 'timestamp' to the NSPR_LOG_MODULES environment variable. See

Re: NSS 3.12.5: Error '-8023' ... how to track it down?

2011-01-12 Thread Wan-Teh Chang
On Wed, Jan 12, 2011 at 2:02 PM, Bernhard Thalmayr bernhard.thalm...@painstakingminds.com wrote: Am'I wright that 'C_DeriveKey' is actually 'NSC_DeriveKey' in http://mxr.mozilla.org/security/source/security/nss/lib/softoken/pkcs11c.c ? Yes. C_DeriveKey is a function pointer. It points to the

Re: Firefox PSM locks NSS

2011-01-12 Thread Wan-Teh Chang
On Tue, Jan 11, 2011 at 4:48 AM, Irune Prado Alberdi ipr...@zylk.net wrote: Up to this point I can properly work with my certificates in firefox but when I try to simultaneously access it via certutil I get blocked pre ~/.pki/nssdb$ certutil -d sql:. -K -h izenpe /pre This doesn't block

Re: Firefox PSM locks NSS

2011-01-12 Thread Wan-Teh Chang
On Tue, Jan 11, 2011 at 4:48 AM, Irune Prado Alberdi ipr...@zylk.net wrote: While if I terminate the pkcs11 session in firefox I can successfully acces the token pre $ certutil -d sql:. -K -h izenpe certutil: Checking token Builtin Object Token in slot NSS Builtin Objects certutil: no keys

Re: NSS meeting.

2010-12-16 Thread Wan-Teh Chang
Bob, Thank you for writing the meeting notes. I will also be out next week. NSPR 4.8.7 Beta 2 looks good. The only additional patch I may include in NSPR 4.8.7 is the second patch in https://bugzilla.mozilla.org/show_bug.cgi?id=604263. Re: NSPR IPv6: for reasons I don't remember and can't

Re: importing leaf cert into NSS db via JSS

2010-12-09 Thread Wan-Teh Chang
Dave, I can help you write a patch to fix this problem. The (-8157) Certificate extension not found part in the error message: org.mozilla.jss.crypto.NoSuchItemOnTokenException: Expected user cert but no matching key?: (-8157) Certificate extension not found is most likely wrong (a stale error

Re: NSS ss-sec.uncache is NULL

2010-11-24 Thread Wan-Teh Chang
Hi passfree: On Wed, Nov 24, 2010 at 9:32 AM, passfree passf...@googlemail.com wrote: I am developing a generic SSL pipe XPCOM component which can be used on any Input/Output stream pair. So far it sort of works but I am facing one problem and I am not sure how to deal with it. The problem

Re: Plan B for J-PAKE in Fennec B3 / Firefox B9 -- exposing MPI to Firefox for one beta cycle

2010-11-18 Thread Wan-Teh Chang
On Thu, Nov 18, 2010 at 3:08 PM, Brian Smith bsm...@mozilla.com wrote: (Note that this is to: dev-tech-crypto) Short Version: We are looking at taking a private patch for one Firefox beta cycle in mozilla-central to export the MPI functions from FreeBL on all platforms in our private copy

Re: Can a ssl3.ca_list be configured on a model file descriptor?

2010-11-15 Thread Wan-Teh Chang
On Tue, Nov 9, 2010 at 9:23 PM, Wolter Eldering wolter.elder...@vanad.com.cn wrote: Hi Wan-Teh, I was wondering if you found my patches useful? Or maybe I can help in any way. Hi Wolter, Thank you for attaching your patches and test results to bug 595134:

Re: Fennec M8 Code - HTTPS Links not working

2010-10-28 Thread Wan-Teh Chang
On Wed, Oct 27, 2010 at 10:25 PM, Ashok Subash subash.as...@gmail.com wrote: Now i could initialize NSS successfully and created the cert and key db using SQL Lite as the database. Now am getting a SSL Connect error when browsing secure site like gmail.com What's the error code when SSL

Re: Fennec M8 Code - HTTPS Links not working

2010-10-23 Thread Wan-Teh Chang
On Sat, Oct 23, 2010 at 5:06 AM, Ashok Subash subash.as...@gmail.com wrote: Hi Wan-Teh, I hope i can disable the NSSDBM module without affecting anything else in static DLL approach. I'm assuming it will be then SQLite for storing all the certs and keys. Yes, that's correct. I'm planning

Re: Fennec M8 Code - HTTPS Links not working

2010-10-22 Thread Wan-Teh Chang
On Fri, Oct 22, 2010 at 8:33 AM, Ashok Subash subash.as...@gmail.com wrote: Is there any other files that i need to port other than NSPR. Probably not. NSS depends on the following: - Standard C Library - NSPR Wan-Teh -- dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org

Re: Usage of FreeBL and FreeBL/mpi through JavaScript in Firefox 4 Sync

2010-10-22 Thread Wan-Teh Chang
On Thu, Oct 21, 2010 at 3:53 PM, Nelson B Bolyard nel...@bolyard.me wrote: I'd say the interfaces to those functions (more precisely, their signatures) are quite frozen.  The mp_int bignum package API is so frozen as to have become something of a standard of its own.  There are now at least 3

Re: NSS and PKCS#11 Certificate+Private key

2010-10-13 Thread Wan-Teh Chang
On Sun, Oct 10, 2010 at 7:45 AM, Matej Kurpel mkur...@gmail.com wrote: What turned out to be the problem, was that the CK_BBOOL values were 4-bytes and not 1 byte in size. Took some hours and some hair to discover, but hopefully someone finds this if he has the same problem and solves it

Re: to make all libraries static

2010-10-08 Thread Wan-Teh Chang
Hi Dmitry, I published unsupported patches for using NSS as static libraries in https://bugzilla.mozilla.org/show_bug.cgi?id=534471. (Please do not post questions in that bug report. I want to keep the bug report focused on the patches.) You're welcome to try them. Note that I didn't go all

Re: Support for SSL False Start in Firefox

2010-10-05 Thread Wan-Teh Chang
=525092#c24 making it minimally available requires one call to set the SSL_ENABLE_FALSE_START option, and a preference to optionally disable it. Handling the black list is more work, I don't know if Google plans to make their list a public resource, maybe Wan-Teh Chang can tell) It was added

Re: Can a ssl3.ca_list be configured on a model file descriptor?

2010-09-25 Thread Wan-Teh Chang
On Fri, Sep 24, 2010 at 11:12 PM, Wolter Eldering wolter.elder...@vanad.com.cn wrote: I've added my patches and some test results to bug: https://bugzilla.mozilla.org/show_bug.cgi?id=595134 Thank you very much! I needed to start chrome like this: chrome-linux/chrome-wrapper --single-process

Re: Can a ssl3.ca_list be configured on a model file descriptor?

2010-09-20 Thread Wan-Teh Chang
On Sun, Sep 19, 2010 at 12:39 AM, Wolter Eldering wolter.elder...@vanad.com.cn wrote: Because we deal with a large number of certificates I've also have some patches to reduce the number of queries to the sql: type database. And a patch that will make the NSS_SDB_USE_CACHE=yes perform much

Re: Proposal to remove SSL 2.0 support from NSS trunk (NSS 3.13)

2010-08-30 Thread Wan-Teh Chang
On Mon, Aug 30, 2010 at 8:12 AM, Brian Smith br...@briansmith.org wrote: Wan-Teh Chang wrote: I propose that we remove SSL 2.0 support from the NSS trunk (NSS 3.13). Would this include support for SSLv2-v3 upgrade hellos? I forgot to talk about this issue. We'll need to keep the server-side

Re: How important is FIPS-140 compliance and PKCS#11 interoperability to Firefox, Chrome, etc.?

2010-08-27 Thread Wan-Teh Chang
On Fri, Aug 27, 2010 at 2:05 PM, Brian Smith br...@briansmith.org wrote: In accepting patches to implement TLS 1.2 and/or AES-GCM cipher suites, is a (potentially-)FIPS-140-compliant implementation required? Or, would it be acceptable in the short-term to have an implementation that is known to

Proposal to remove SSL 2.0 support from NSS trunk (NSS 3.13)

2010-08-27 Thread Wan-Teh Chang
I propose that we remove SSL 2.0 support from the NSS trunk (NSS 3.13). SSL 2.0 is an old and insecure protocol. No products should be using SSL 2.0 today. But removing the SSL 2.0 code from NSS has one major benefit to the continual development of NSS's SSL library: it'll make the code base

Re: Port Mozilla NSS/JSS to smart phone platform

2010-08-25 Thread Wan-Teh Chang
On Wed, Aug 25, 2010 at 1:39 PM, msm Li mlim...@gmail.com wrote: First thing first, does Mozilla have such plan to port NSS/JSS to smart phone platform ? Mozilla doesn't use JSS, so Mozilla is unlikely to work on porting JSS to new platforms. Mozilla is porting NSS to Android. I have not

Re: JSS and EC Signature algorithms

2010-08-19 Thread Wan-Teh Chang
On Wed, Aug 18, 2010 at 3:47 AM, David Stutzman david.stutz...@nospam.dstutz.com wrote: If I query the Mozilla-JSS provider for the algorithms it supports, I get the following EC Signature algorithms: SHA1withEC SHA256withEC SHA384withEC SHA512withEC Is there any way to change/add some

Re: PKCS#11 module: C_GetAttributeValue problems

2010-08-11 Thread Wan-Teh Chang
On Wed, Aug 11, 2010 at 1:18 PM, Matej Kurpel mkur...@gmail.com wrote:  Hello, I am trying to implement a PKCS#11 module for my diploma thesis. It is intended to be used with thunderbird. I am using opensc pkcs11-spy module to debug it. I have a problem for quite some days I don't seem to be

Re: PKCS#11 header files: license and updating to the newest version

2010-08-02 Thread Wan-Teh Chang
On Mon, Aug 2, 2010 at 12:10 PM, Brian Smith br...@briansmith.org wrote: I read a rumor that Mozilla received explicit permission from RSA labs to distribute the PKCS#11 header files under the Mozilla tri-license. Does anybody know anything about that, and how I can verify it? That's also what

Re: Assertion when using SEC_ASN1EncodeItem with subtemplate

2010-07-30 Thread Wan-Teh Chang
On Fri, Jul 30, 2010 at 11:29 AM, Nelson B Bolyard nel...@bolyard.me wrote: I think you're right.  I filed https://bugzilla.mozilla.org/show_bug.cgi?id=583308 with a patch to fix at least one problem. I ran Hanno's test program in a debugger. I saw the problem that Hanno reported, that the

Re: Assertion when using SEC_ASN1EncodeItem with subtemplate

2010-07-29 Thread Wan-Teh Chang
On Mon, Jul 26, 2010 at 6:07 AM, Hanno Böck ha...@hboeck.de wrote: Hi, Just recently, the templates for decoding the RSA-PSS ASN1 parameters got added to cvs head (in cryptohi/seckey.c). Currently I'm working on implementing the creation of PSS signatures, so I need them also to encode. My

Re: Need help troubleshooting TLS Handshake error: CKR_ATTRIBUTE_VALUE_INVALID

2010-07-29 Thread Wan-Teh Chang
On Tue, Jul 27, 2010 at 10:09 AM, Pat lync...@gmail.com wrote: Hello, Can anyone explain what is going wrong with the following scenario? Using NSPR 4.8, NSS 3.12.6, JSS 4.3.1 with JDK 1.6_21 on Windows XP Professional SP 3.  FIPS mode is enabled. I'm trying to open an LDAP connection to

Re: JSS/NSS library dependencies on Windows XP

2010-07-19 Thread Wan-Teh Chang
I can suggest two things to help track this down. 1. Find out which DLLs require IESHIMS.DLL and WER.DLL. This should be a chain of DLL dependencies that ultimately leads to an NSS or NSPR DLLs (the culprit). Right now I don't know what the culprit is. The NSPR DLLs are: nspr4.dll, plc4.dll,

Re: JSS/NSS library dependencies on Windows XP

2010-07-19 Thread Wan-Teh Chang
Hi Cad, On Mon, Jul 19, 2010 at 10:56 AM, Caden.smith Smith caden.smith...@gmail.com wrote: Just for your information, here is the tree: JSS4.DLL  NSPR4.DLL    ADVAPI32.DLL      SECUR32.DLL        NETAPI32.DLL          DNSAPI.DLL            MPRAPI.DLL              SETUPAPI.DLL        

Re: JSS/NSS library dependencies on Windows XP

2010-07-15 Thread Wan-Teh Chang
Hi Paul, IESHIMS.DLL, WER.DLL, NCRYPT.DLL, and BCRYPT.DLL are all Windows system DLLs. So you cannot copy them from one version of Windows to another version of Windows. System DLLs should already be installed on a system. In particular, NCRYPT.DLL and BCRYPT.DLL are newly added in Vista, so

Re: Problem building NSS with mozilla-build and mozillatools

2010-07-14 Thread Wan-Teh Chang
Hi Cad, If you use MozillaBuild, do not use Netscape's wintools. MozillaBuild is a one-stop shopping package and gives you everything you need (except the compiler) to build NSS. To fix your build problem: 1. Remove Netscape's wintools from your computer. 2. Use make instead of gmake. Details:

Re: Problem building NSS with mozilla-build and mozillatools

2010-07-14 Thread Wan-Teh Chang
Hi Cad, Make sure you type make nss_build_all in the mozilla/security/nss directory. If the missing 'plarena.h' problem persists, remove the following directories in your source tree, and try make nss_build_all again: mozilla/dist mozilla/nsprpub/WIN954.0_DBG.OBJ Wan-Teh -- dev-tech-crypto

  1   2   3   4   >