Re: Custom TLS Extensions in NSS (Patch in Progress)

2013-08-19 Thread Daniel Jackoway
Hi,

I have submitted an updated patch that is more-or-less complete. Feedback is 
the main thing I need to make further progress. Specific questions that I need 
feedback on can be found in the bugzilla comment.

https://bugzilla.mozilla.org/show_bug.cgi?id=905848#c1

Best,
Daniel

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


Re: Custom TLS Extensions in NSS (Patch in Progress)

2013-08-15 Thread Daniel Jackoway
I have opened an issue on bugzilla, with patch attached: 
https://bugzilla.mozilla.org/show_bug.cgi?id=905848

On Aug 14, 2013, at 6:05 PM, Daniel Jackoway dani...@matasano.com wrote:

 Ok, I'll get a patch on bugzilla soon.



Re: Custom TLS Extensions in NSS (Patch in Progress)

2013-08-14 Thread Robert Relyea

On 08/14/2013 10:45 AM, Daniel Jackoway wrote:

Hi all,

With the guidance of Trevor Perrin (cc-ed), I have put together the beginnings 
of a patch to allow clients of the NSS library to implement support for 
arbitrary TLS extensions. The motivation is to allow clients of NSS to 
implement new proposals that bolster the CA trust model, such as TACK[1] and 
Certificate Transparency[2]. However, the goal is to make a broadly-useful 
patch allowing for a wide array of TLS extensions.

I have the beginnings of the patch on GitHub[3]. It is not done, but the major 
functionality is more-or-less all there. There are still some needed changes 
that I know aren't implemented, a number of test failures I need to hunt down, 
and a number of style problems. But I'm getting close, and for some of what I 
still need to do (especially defining some parts of the public interface), 
feedback would be very useful.

So I'd love to hear any feedback and guidance, as well as any concerns that 
might prevent this from eventually getting committed.

I'm happy to take feedback anywhere; GitHub may be the best place for 
line-level code comments since it has a nice interface for that, but I'd guess 
the list is better for high-level discussion. I'm also happy to open an issue 
on bugzilla, but I thought it might be better to wait until the patch is 
functional.

Thank you,
Daniel


First I was excited because I thought it was something I wanted to get 
into NSS for a while (dynamically adding cipher suites... though that 
probably causes problems for Brian's attempt to standardize on cipher 
suites).


That being said, adding dynamically added extensions sounds like a 
reasonable addition. The main question that comes to mind is:


Are you adding the extensions programmatically (that is, an application 
can add extensions by making various calls to do so) or are you adding 
extensions dynamically through some sort of configuration? Both are 
useful, though the latter may be more interesting.


Also, NSS lives in the Mozilla Hg repository. The NSS team usually shares 
uncommitted patches through bugzilla as straight patch files. This lets 
the team members use the tools they prefer to review them.


bob

[1] http://tack.io/
[2] http://www.certificate-transparency.org/
[3] https://github.com/jackowayed/mozilla-nss/pull/1

Re: Custom TLS Extensions in NSS (Patch in Progress)

2013-08-14 Thread Daniel Jackoway

On Aug 14, 2013, at 5:39 PM, Robert Relyea rrel...@redhat.com wrote:

 Are you adding the extensions programmatically (that is, an application can 
 add extensions by making various calls to do so) or are you adding extensions 
 dynamically through some sort of configuration? Both are useful, though the 
 latter may be more interesting.

The way I've implemented it, an application makes a function call to NSS and 
passes in callbacks to define the implementation of the extension. But I'm open 
to other ideas.

 
 Also, NSS lives in the Mozilla Hg repository. The NSS team usually shares 
 uncommitted patches through bugzilla as straight patch files. This lets the 
 team members use the tools they prefer to review them.

Ok, I'll get a patch on bugzilla soon. I've realized that I ended up basing 
everything on somewhat stale code (the most-visible docs on 
developer.mozilla.org suggested that CVS was still the way to get the code; I 
edited things to fix that), so I'm in the midst of moving everything over. Once 
I have it all based on tip, I'll put up a patch and post a link here.
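The registration scheme Daniel describes (the application calls into the library and passes callbacks that implement the extension), as an added example that is not part of this thread and is not the NSS patch or the NSS API: a small hypothetical registry in C with a writer callback (produces the extension body the local side sends) and a handler callback (consumes the body the peer sent), plus the TLS extension wire format from RFC 5246 section 7.4.1.4 (a uint16 block length, then per extension a uint16 type, a uint16 length and the body). Every name in it (ext_registry, ext_register, ext_write_block, ext_parse_block, demo_roundtrip) and the extension type 0xFFFE used by the demo are invented for this illustration. The parser is written the way a reviewer of such a patch would want it: unknown types are skipped as TLS requires, while a length field that disagrees with the data, a repeated type, or a handler that rejects its body fails the whole block.

```c
/* Added illustration, not NSS code: a hypothetical callback-based TLS
 * extension registry. All names here are invented for the example.
 * Wire format (RFC 5246 7.4.1.4): uint16 block length, then for each
 * extension uint16 type, uint16 length, body. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define MAX_EXTS 8

/* Writer fills buf with the extension body; returns body length or -1. */
typedef int (*ext_writer_fn)(uint8_t *buf, size_t cap, void *arg);
/* Handler receives the peer's extension body; returns 0 on success. */
typedef int (*ext_handler_fn)(const uint8_t *body, size_t len, void *arg);

struct ext_hook { uint16_t type; ext_writer_fn writer; ext_handler_fn handler; void *arg; };
struct ext_registry { struct ext_hook hooks[MAX_EXTS]; size_t count; };

/* Register callbacks for one extension type; duplicate types are refused. */
int ext_register(struct ext_registry *r, uint16_t type,
                 ext_writer_fn w, ext_handler_fn h, void *arg)
{
    for (size_t i = 0; i < r->count; i++)
        if (r->hooks[i].type == type) return -1;
    if (r->count >= MAX_EXTS) return -1;
    r->hooks[r->count++] = (struct ext_hook){ type, w, h, arg };
    return 0;
}

/* Serialize every registered extension that has a writer into out.
 * Returns bytes written, or -1 if out is too small or a writer fails. */
int ext_write_block(const struct ext_registry *r, uint8_t *out, size_t cap)
{
    if (cap < 2) return -1;
    size_t pos = 2;
    for (size_t i = 0; i < r->count; i++) {
        const struct ext_hook *h = &r->hooks[i];
        if (!h->writer) continue;
        if (cap - pos < 4) return -1;
        int n = h->writer(out + pos + 4, cap - pos - 4, h->arg);
        if (n < 0 || n > 0xFFFF) return -1;
        out[pos] = (uint8_t)(h->type >> 8);  out[pos + 1] = (uint8_t)h->type;
        out[pos + 2] = (uint8_t)(n >> 8);    out[pos + 3] = (uint8_t)n;
        pos += 4 + (size_t)n;
    }
    if (pos - 2 > 0xFFFF) return -1;
    out[0] = (uint8_t)((pos - 2) >> 8);  out[1] = (uint8_t)(pos - 2);
    return (int)pos;
}

/* Parse a peer's extension block and dispatch each body to its handler.
 * Unknown types are ignored as TLS requires; a length that disagrees with
 * the data, a repeated type, or a failing handler returns -1. */
int ext_parse_block(const struct ext_registry *r, const uint8_t *in, size_t len)
{
    if (len < 2 || (((size_t)in[0] << 8) | in[1]) != len - 2) return -1;
    uint8_t seen[MAX_EXTS] = {0};
    size_t pos = 2;
    while (pos < len) {
        if (len - pos < 4) return -1;
        uint16_t type = (uint16_t)((in[pos] << 8) | in[pos + 1]);
        size_t blen = ((size_t)in[pos + 2] << 8) | in[pos + 3];
        pos += 4;
        if (blen > len - pos) return -1;          /* body overruns the block */
        for (size_t i = 0; i < r->count; i++) {
            if (r->hooks[i].type != type) continue;
            if (seen[i]++) return -1;             /* same type sent twice */
            if (r->hooks[i].handler &&
                r->hooks[i].handler(in + pos, blen, r->hooks[i].arg) != 0)
                return -1;
        }
        pos += blen;
    }
    return 0;
}

/* Constructed demo: an application-defined extension carrying a 4-byte
 * opaque value under type 0xFFFE (an arbitrary number for the example). */
struct demo_state { uint8_t value[4]; uint8_t received[4]; int got; };

static int demo_writer(uint8_t *buf, size_t cap, void *arg) {
    struct demo_state *s = arg;
    if (cap < 4) return -1;
    memcpy(buf, s->value, 4);
    return 4;
}
static int demo_handler(const uint8_t *body, size_t len, void *arg) {
    struct demo_state *s = arg;
    if (len != 4) return -1;                      /* reject a wrong-sized body */
    memcpy(s->received, body, 4);
    s->got = 1;
    return 0;
}

/* Client writes the block, server parses it; returns 1 if the value arrived. */
int demo_roundtrip(void) {
    struct ext_registry client = {0}, server = {0};
    struct demo_state cs = {{1, 2, 3, 4}, {0}, 0}, ss = {{0}, {0}, 0};
    uint8_t buf[64];
    if (ext_register(&client, 0xFFFE, demo_writer, NULL, &cs) != 0) return 0;
    if (ext_register(&server, 0xFFFE, NULL, demo_handler, &ss) != 0) return 0;
    int n = ext_write_block(&client, buf, sizeof buf);
    if (n != 10 || ext_parse_block(&server, buf, (size_t)n) != 0) return 0;
    return ss.got && memcmp(ss.received, cs.value, 4) == 0;
}

int main(void) {
    printf("round trip %s\n", demo_roundtrip() ? "ok" : "failed");
    return 0;
}
```

The two registries stand in for the two peers: the client side registers only a writer, the server side only a handler, and the ten bytes that cross between them are 00 08 (block length) FF FE (type) 00 04 (length) 01 02 03 04 (body). Whether hooks are installed by calls like ext_register or loaded from configuration, as Bob asks, is a separate question; the dispatch and the length checks look the same either way.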