Re: nss selfserv and extended_master_secret

2020-03-19 Thread Brian Reichert
On Thu, Mar 19, 2020 at 02:34:19PM -0700, Kevin Jacobs wrote:
> There is no other mechanism for enabling it. You would need to go the
> modify/rebuild route, or build with NSS 3.48+.

So I feared; I'm doing that very thing, as we speak, rolling a 3.48 RPM.

> Thanks,
> Kevin

-- 
Brian Reichert  
BSD admin/developer at large
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


Re: nss selfserv and extended_master_secret

2020-03-19 Thread Kevin Jacobs
There is no other mechanism for enabling it. You would need to go the
modify/rebuild route, or build with NSS 3.48+.

Thanks,
Kevin

On Thu, Mar 19, 2020 at 12:38 PM Brian Reichert wrote:

> On Thu, Mar 19, 2020 at 12:00:32PM -0400, Brian Reichert wrote:
> > On Thu, Mar 19, 2020 at 08:39:24AM -0700, Kevin Jacobs wrote:
> > > SSL_OptionSet with SSL_ENABLE_EXTENDED_MASTER_SECRET will do the trick, but
> > > I'm not aware of a config file option for this.
> > >
> > > NSS 3.48 enabled this by default, so if you're able to use a newer version,
> > > it should "just work".
> >
> > This says it was supported as of 3.2.1:
> >
> > https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21_release_notes
> >
> > For 3.48 to be enabled by default, but it was introduced in 3.2.1,
> > implies to me that when it was introduced, it was not enabled, but
> > enableable.  I have no idea what that mechanism might be.
> >
> > Anyway, I guess the next step is to engage the mod_nss people
> > directly.
>
> And they've responded:
>
>   There is no config setting for this option. The only way to enable
>   it if the underlying nss does not enable it by default would be
>   to modify and rebuild the package.
>
> So - mozilla-nss-3.45 supports EMS, but does not enable it by default.
>
> You've shown me how to enable it for the selfserv utility.
>
> Is there some out-of-band way I can coerce /usr/lib64/libnss3.so, or
> whatever the operational binaries are, to enable this?  Config file,
> environment, anything...
>
> I'm pawing through the docs here for clues, but am not getting any
> traction yet.
>
>   https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
> >
> > I appreciate the pointers!
> >
> > >
> > > Thanks,
> > > Kevin
> >


Re: nss selfserv and extended_master_secret

2020-03-19 Thread Brian Reichert
On Thu, Mar 19, 2020 at 12:00:32PM -0400, Brian Reichert wrote:
> On Thu, Mar 19, 2020 at 08:39:24AM -0700, Kevin Jacobs wrote:
> > SSL_OptionSet with SSL_ENABLE_EXTENDED_MASTER_SECRET will do the trick, but
> > I'm not aware of a config file option for this.
> > 
> > NSS 3.48 enabled this by default, so if you're able to use a newer version,
> > it should "just work".
> 
> This says it was supported as of 3.2.1:
> 
>   https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21_release_notes
> 
> For 3.48 to be enabled by default, but it was introduced in 3.2.1,
> implies to me that when it was introduced, it was not enabled, but
> enableable.  I have no idea what that mechanism might be.
> 
> Anyway, I guess the next step is to engage the mod_nss people
> directly.

And they've responded:

  There is no config setting for this option. The only way to enable
  it if the underlying nss does not enable it by default would be
  to modify and rebuild the package.

So - mozilla-nss-3.45 supports EMS, but does not enable it by default.

You've shown me how to enable it for the selfserv utility.

Is there some out-of-band way I can coerce /usr/lib64/libnss3.so, or
whatever the operational binaries are, to enable this?  Config file,
environment, anything...

I'm pawing through the docs here for clues, but am not getting any
traction yet.

  https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS

> 
> I appreciate the pointers!
> 
> > 
> > Thanks,
> > Kevin
> 


Re: nss selfserv and extended_master_secret

2020-03-19 Thread Brian Reichert
On Thu, Mar 19, 2020 at 08:39:24AM -0700, Kevin Jacobs wrote:
> SSL_OptionSet with SSL_ENABLE_EXTENDED_MASTER_SECRET will do the trick, but
> I'm not aware of a config file option for this.
> 
> NSS 3.48 enabled this by default, so if you're able to use a newer version,
> it should "just work".

This says it was supported as of 3.2.1:

  https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21_release_notes

For 3.48 to be enabled by default, but it was introduced in 3.2.1,
implies to me that when it was introduced, it was not enabled, but
enableable.  I have no idea what that mechanism might be.

Anyway, I guess the next step is to engage the mod_nss people
directly.

I appreciate the pointers!

> 
> Thanks,
> Kevin



Re: nss selfserv and extended_master_secret

2020-03-19 Thread Kevin Jacobs
SSL_OptionSet with SSL_ENABLE_EXTENDED_MASTER_SECRET will do the trick, but
I'm not aware of a config file option for this.

NSS 3.48 enabled this by default, so if you're able to use a newer version,
it should "just work".

Thanks,
Kevin

On Thu, Mar 19, 2020 at 8:08 AM Brian Reichert  wrote:

> On Thu, Mar 19, 2020 at 07:34:51AM -0700, Kevin Jacobs wrote:
> > Brian,
> >
> > Can you try again with the "-G" option added to selfserv?
>
> That indeed does the trick!  Thanks!
>
> Now, since I have your attentive eye, do you know if there's something
> I need to do using mod_nss to enable this?
>
> > Thanks,
> > Kevin
>


Re: nss selfserv and extended_master_secret

2020-03-19 Thread Brian Reichert
On Thu, Mar 19, 2020 at 07:34:51AM -0700, Kevin Jacobs wrote:
> Brian,
> 
> Can you try again with the "-G" option added to selfserv?

That indeed does the trick!  Thanks!

Now, since I have your attentive eye, do you know if there's something
I need to do using mod_nss to enable this?

> Thanks,
> Kevin



Re: nss selfserv and extended_master_secret

2020-03-19 Thread Kevin Jacobs
Brian,

Can you try again with the "-G" option added to selfserv?

Thanks,
Kevin

On Thu, Mar 19, 2020 at 6:57 AM Brian Reichert  wrote:

> I'm trying to develop some tests for confirming a TLS server honors
> the Extended Master Secret extension (RFC 7627).
>
> I've stood up a simple selfserv server:
>
>   /usr/lib/nss/selfserv -v -d /path/to/my/certdb/ -n MyCert -p 8000 -V tls1.0:tls1.2
>
> But, when I run a test of that with OpenSSL's s_client:
>
>   openssl s_client -connect 10.200.192.68:8000
>
> I get the diagnostic 'Extended master secret: no'.
>
> Via Wireshark, I can confirm that s_client does include the extension
> in the Client Hello, but I don't see it in the Server Hello.
>
> I'm using mozilla-nss-tools-3.45-58.31.1.x86_64 under SLES 12 SP3.
>
> I acknowledge that I may be misinterpreting Wireshark, as I can find no
> example captures on the net of a Server Hello providing the extension.
>
> Is this an appropriate mechanism for testing for this feature?
>
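The check the original post relies on (start selfserv, connect with openssl s_client, read the "Extended master secret" diagnostic), written up as an added POSIX sh example that is not code from the thread. The function names `ems_status` and `check_ems` and the sample s_client output are constructed here; the host and port are the ones quoted in the post.

```shell
#!/bin/sh
# Added example, not code from the thread. Reads the s_client diagnostic the
# original post uses: "Extended master secret: yes|no" in the SSL-Session
# block. Function names and the sample output below are constructed.

# ems_status: read `openssl s_client` output on stdin and report whether the
# server negotiated EMS (RFC 7627). Exit: 0 = yes, 1 = no, 2 = line missing
# (failed handshake), 3 = TLS 1.3 session, where the extension does not exist
# and s_client reports "no", which would otherwise read as a false alarm.
ems_status() {
    out=$(cat)
    proto=$(printf '%s\n' "$out" | sed -n 's/^ *Protocol *: *\([^ ]*\).*/\1/p' | head -n 1)
    ems=$(printf '%s\n' "$out" | sed -n 's/^ *Extended master secret: *\([a-z]*\).*/\1/p' | head -n 1)
    case "$proto:$ems" in
        TLSv1.3:*) echo "n/a";     return 3 ;;
        *:yes)     echo "yes";     return 0 ;;
        *:no)      echo "no";      return 1 ;;
        *)         echo "unknown"; return 2 ;;
    esac
}

# check_ems HOST PORT: probe a live server the way the post does, pinned to
# TLS 1.2 so the yes/no answer is meaningful. On the wire (Wireshark), the
# RFC 7627 extension is type 23 (0x0017) and must appear in BOTH hellos.
check_ems() {
    openssl s_client -connect "$1:$2" -tls1_2 </dev/null 2>/dev/null | ems_status
}

# Constructed sample output (abridged SSL-Session blocks): the first is what
# the post saw against selfserv without -G, the second what a server that
# honours EMS produces, the third a TLS 1.3 session.
SAMPLE_NO='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Extended master secret: no'
SAMPLE_YES='SSL-Session:
    Protocol  : TLSv1.2
    Cipher    : ECDHE-RSA-AES128-GCM-SHA256
    Extended master secret: yes'
SAMPLE_13='SSL-Session:
    Protocol  : TLSv1.3
    Cipher    : TLS_AES_256_GCM_SHA384
    Extended master secret: no'

# Self-check against the constructed samples; a live probe of the server in
# the post would be:  check_ems 10.200.192.68 8000
for s in "$SAMPLE_NO" "$SAMPLE_YES" "$SAMPLE_13"; do
    printf '%s\n' "$s" | ems_status || true
done
```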