NSS Apache module - mod_nss

2006-05-18 Thread Rob Crittenden
A fair bit of work has been done to mod_nss, an SSL module for Apache that uses NSS instead of OpenSSL, since it was released last September. Changes since then include use of the NSS OCSP client, addition of a FIPS mode (similar to modutil -fips true -dbdir /path/to/database), options to seed

Re: NSS Apache module - mod_nss

2006-05-19 Thread Rob Crittenden
Nelson B. Bolyard wrote: Rob Crittenden wrote: A fair bit of work has been done to mod_nss, an SSL module for Apache that uses NSS instead of OpenSSL, since it was released last September. Changes since then include use of the NSS OCSP client, addition of a FIPS mode (similar to modutil -fips

NSS Cache question

2006-08-18 Thread Rob Crittenden
I'm having an issue with mod_nss, an Apache module I wrote that provides SSL using NSS. The way Apache loads modules is a tad strange. What it does is it loads them one time in order to get its list of configuration directives and it verifies that the configuration is ok. It also runs through

Re: NSS Cache question

2006-08-21 Thread Rob Crittenden
Nelson B wrote: Rob Crittenden wrote: I'm having an issue with mod_nss, an Apache module I wrote that provides SSL using NSS. The way Apache loads modules is a tad strange. I'd say it's more than a tad! What it does is it loads them one time in order to get its list of configuration

Forcing the SSL handshake

2006-11-02 Thread Rob Crittenden
In an SSL client I want to force the SSL handshake to take place instead of passively waiting for it to happen during the first write. Right after I connect to the server I'm currently doing this: SSL_ResetHandshake(ssl, /* asServer */ PR_FALSE); do { SSL_ForceHandshake(ssl);

Re: Forcing the SSL handshake

2006-11-02 Thread Rob Crittenden
Nelson B wrote: Rob Crittenden wrote: In an SSL client I want to force the SSL handshake to take place instead of passively waiting for it to happen during the first write. Right after I connect to the server I'm currently doing this: SSL_ResetHandshake(ssl, /* asServer */ PR_FALSE

Re: Forcing the SSL handshake

2006-11-03 Thread Rob Crittenden
Nelson B wrote: Rob Crittenden wrote: In an SSL client I want to force the SSL handshake to take place instead of passively waiting for it to happen during the first write. Right after I connect to the server I'm currently doing this: SSL_ResetHandshake(ssl, /* asServer */ PR_FALSE

API questions

2007-04-10 Thread Rob Crittenden
I've got a couple of API questions. I'm not sure if these are available or not: 1. Can I get the numeric value of the cipher that has been negotiated instead of just the character value (e.g. from SSL_SecurityStatus())? 2. If I call PR_Shutdown() on an SSL socket, is there a way later to see

Re: API questions

2007-04-12 Thread Rob Crittenden
Wan-Teh Chang wrote: Rob Crittenden wrote: Wan-Teh Chang wrote: Rob Crittenden wrote: 2. If I call PR_Shutdown() on an SSL socket, is there a way later to see the flags I called it with? For example, if I call it just with PR_SHUTDOWN_SEND is there a way I can find that out later? I don't

Re: SSL Certificate not found while starting apache with mod_nss

2009-09-02 Thread Rob Crittenden
Sandeep Cavale wrote: Hi, I seem to be having the same issue as below... In addition, after such a failure if I do cryptoadm list -v, the hardware provider fails to list my hardware accelerator card (mca0- Sun Crypto Accelerator) Further this is what the /var/adm/messages indicate: Aug 25

negotiation question

2009-11-30 Thread Rob Crittenden
I'm considering how to handle SSL re-negotiation in the Apache NSS provider mod_nss to handle the SSL client-initiated handshake bug. NSS provides a callback, SSL_HandshakeCallback(), which according to the docs is called when an SSL handshake has completed. So let's say I have the

ALPN server support

2015-12-01 Thread Rob Crittenden
Is ALPN supported on the server side? I can't tell from the API and Julien asked in https://bugzilla.mozilla.org/show_bug.cgi?id=959664 but never got an answer. I'm looking to add HTTP/2.0 support to mod_nss and I need ALPN to do that. thanks rob -- dev-tech-crypto mailing list

server-side OCSP stapling

2016-03-01 Thread Rob Crittenden
I don't see a way to implement OCSP stapling on the server side. SSL_SetStapledOCSPResponses() is I think what one would use to set the response in the SSL session but I don't see a way to get the response from the OCSP handler. At least, I don't see a way without implementing my own status

Re: ALPN server support

2016-03-18 Thread Rob Crittenden
015 at 6:53 AM, Rob Crittenden <rcrit...@redhat.com> wrote: Is ALPN supported on the server side? I can't tell from the API and Julien asked in https://bugzilla.mozilla.org/show_bug.cgi?id=959664 but never got an answer. I'm looking to add HTTP/2.0 support to mod_nss and I need ALPN to do that.

Understanding SSL_SetTrustAnchors

2016-03-15 Thread Rob Crittenden
I want to control the set of CA certificates available to authenticate client certificates. AIUI I can use SSL_SetTrustAnchors() to do this but it isn't working as I'd expect. The code looks like: CERTCertList * ca_list = CERT_NewCertList(); SSL_SetTrustAnchors(fd, ca_list); (returns

NSS db nicknames with NSS_InitContext()

2016-10-18 Thread Rob Crittenden
It looks like when multiple NSS databases are initialized using NSS_InitContext() the nicknames can take multiple forms depending on order of initialization. Using the multinit program and three NSS certificate databases with identical nicknames I saw the following names associated: (first

Re: NSS_Context and FIPS

2016-10-21 Thread Rob Crittenden
Robert Relyea wrote: On 10/21/2016 07:04 AM, Rob Crittenden wrote: I'm trying to figure out how to dynamically enable FIPS support for NSS Contexts. I started with multinit.c and initialize FIPS right after calling NSS_InitContext() using this: So you can't change the state of an already

NSS_Context and FIPS

2016-10-21 Thread Rob Crittenden
I'm trying to figure out how to dynamically enable FIPS support for NSS Contexts. I started with multinit.c and initialize FIPS right after calling NSS_InitContext() using this: if (!PK11_IsFIPS()) { fprintf(stderr, "Initializing FIPS\n"); SECMODModule *mod =

Re: mod_nss error in logs

2017-03-07 Thread Rob Crittenden
Chris Tomlin wrote: Hello all, I'm getting an NSS error in my httpd logs and it's a bit strange. The error I'm getting is this: Misconfiguration of certificate's CN and virtual name. The certificate CN has server.name. We expected server.name as virtual name. In this

SSL_BYPASS_PKCS11

2017-03-07 Thread Rob Crittenden
SSL_BYPASS_PKCS11 is marked as deprecated in ssl.h. What are the plans on removing it? rob

PK11_FindCertFromNickname() nickname

2020-10-15 Thread Rob Crittenden
When using PK11_FindCertFromNickname() with the softokn it seems that using a raw nickname works fine (e.g. Server-Cert vs NSS Certificate DB:Server-Cert). Looking for a nickname on a PKCS#11 token seems to require the token name in the nickname, "tokenname:Server-Cert". Is it safe to assume