Bob Relyea wrote:
David Stutzman wrote:
In FIPS mode, the NSS cryptographic module imposes the following
requirements on the password.
* The password must be at least seven characters long.
* The password must consist of characters from three or more
character classes. We define five character classes: digits (0-9),
ASCII lowercase letters, ASCII uppercase letters, ASCII
non-alphanumeric characters (such as space and punctuation marks),
and non-ASCII characters. If an ASCII uppercase letter is the first
character of the password, the uppercase letter is not counted toward
its character class. Similarly, if a digit is the last character of
the password, the digit is not counted toward its character class.
Hrm...NSS 3.11.2 is *definitely* not enforcing this. Today I went
through our code and changed the password from "test" (which was
working just fine) to "password" (which is now working just fine) on
all of our databases. I'll wait for Wan-Teh to chime in before I go
changing to the even stricter version. Maybe this is something that
will only happen once 3.11.5 (The wiki says that's the version
reserved for FIPS approval) is out.
Are you making the change through the FIPS interface? I believe the
check is only made when the password is being set or changed, not in
normal use.
bob
I'm doing it like this:
modutil -changepw "NSS FIPS 140-2 Certificate DB" -dbdir .
Dave
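
The password rules quoted at the top of this message, written out as a standalone C check. This is an added example, not part of the thread and not NSS source code; the function name `fips_pw_policy_ok` and the UTF-8 handling are assumptions. Under the rules as quoted, both "test" and "password" from this thread are rejected.

```c
#include <stdio.h>
#include <string.h>

/* The five character classes named in the quoted policy text. */
enum { CLS_DIGIT, CLS_LOWER, CLS_UPPER, CLS_OTHER_ASCII, CLS_NON_ASCII, CLS_COUNT };

/* Returns 1 if pw meets the quoted rules, 0 otherwise.
 * Assumption: pw is a NUL-terminated UTF-8 string; each multi-byte
 * sequence counts as one character of the non-ASCII class. */
int fips_pw_policy_ok(const char *pw)
{
    const unsigned char *p = (const unsigned char *)pw;
    size_t len = strlen(pw);
    size_t nchars = 0;
    int seen[CLS_COUNT] = {0};
    int classes = 0;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = p[i];
        if ((c & 0xC0) == 0x80)
            continue;                 /* UTF-8 continuation byte */
        nchars++;
        if (c >= 0x80) {
            seen[CLS_NON_ASCII] = 1;
        } else if (c >= '0' && c <= '9') {
            if (i != len - 1)         /* trailing digit is not counted */
                seen[CLS_DIGIT] = 1;
        } else if (c >= 'a' && c <= 'z') {
            seen[CLS_LOWER] = 1;
        } else if (c >= 'A' && c <= 'Z') {
            if (i != 0)               /* leading uppercase is not counted */
                seen[CLS_UPPER] = 1;
        } else {
            seen[CLS_OTHER_ASCII] = 1; /* space, punctuation, other ASCII */
        }
    }
    for (int k = 0; k < CLS_COUNT; k++)
        classes += seen[k];
    return nchars >= 7 && classes >= 3;
}

int main(void)
{
    /* "test" and "password" are from the thread; the last one is constructed. */
    const char *samples[] = { "test", "password", "pass-Word9x" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-12s %s\n", samples[i], fips_pw_policy_ok(samples[i]) ? "ok" : "rejected");
    return 0;
}
```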