Nelson B wrote:
> So, at this point, the only remaining untested hypothesis I have is that
> this is a difference between 3.11.2 and 3.11.3.

Or that Dave is an idiot...
I was running through all the commands here on a brand new set of db
files and it wouldn't let me change the password to "password". I
started scratching my head and then wondered if I had done the password
changing on the Samba server. I tried the same command on the other
system and was greeted by a "token not found", so I ran modutil -list and
noticed a "NSS FIPS-140-1 Certificate DB" versus a "NSS FIPS 140-2
Certificate DB". That led me to question what version of NSS was in use
on the Samba server; ldd showed me I was using the 3.11.2 version of
modutil, but it was linking to the 3.10 versions of the .so's. On an
unrelated note, I don't recommend using Eclipse with your workspace on a
Samba share.
If a database has a non-FIPS-compliant password set when it is put into
FIPS mode, it appears the old password will work just fine from then on
if you need to access the database. Attempting to change it with
modutil from that point on *will* enforce the stronger requirements.
The only thing that makes sense is that I was changing the password with
the older version of the library that didn't enforce the FIPS
requirements but the non-compliant password was still being accepted to
access the database using NSS 3.11.2. Bob Relyea wrote earlier:
> I believe the check is only made when the password is being set or
> changed, not in normal use
and he appears to be correct. So you were close, Nelson. It wasn't 2
sets of databases; it was 2 sets of NSS. I'm very sorry for the wild
goose chase.
Dave
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
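The behaviour Dave describes (compliance is enforced when a password is set or changed in FIPS mode, not when an existing password is used to open the database) as an added illustration that is not part of the thread and not NSS's own code. The password rules encoded in `fips_pin_compliant` are as published in the NSS FIPS 140-2 security policy, and the `NssDb` class is a constructed toy model of the observed behaviour, not the softoken implementation; check the rules against the security policy for the NSS version you run.

```python
import string

FIPS_MIN_PIN = 7  # minimum password length NSS softoken enforces in FIPS mode


def fips_pin_compliant(pin: str) -> bool:
    """Model of the NSS FIPS-mode password check (applied on set/change only).

    At least FIPS_MIN_PIN characters, drawn from at least three of five
    classes: digit, ASCII lowercase, ASCII uppercase, ASCII non-alphanumeric,
    non-ASCII. A leading uppercase letter and a trailing digit do not count
    toward their class (assumed reading of the published policy).
    """
    if len(pin) < FIPS_MIN_PIN:
        return False
    classes = set()
    last = len(pin) - 1
    for i, c in enumerate(pin):
        if not c.isascii():
            classes.add("non-ascii")
        elif c in string.digits:
            if i != last:  # trailing digit is not counted
                classes.add("digit")
        elif c in string.ascii_uppercase:
            if i != 0:  # leading uppercase letter is not counted
                classes.add("upper")
        elif c in string.ascii_lowercase:
            classes.add("lower")
        else:
            classes.add("non-alnum")
    return len(classes) >= 3


class NssDb:
    """Toy model (constructed here) of a key DB whose password predates FIPS mode."""

    def __init__(self, password: str, fips: bool = False):
        self.password = password  # may be non-compliant if set before FIPS mode
        self.fips = fips

    def enable_fips(self) -> None:
        self.fips = True  # no re-check of the existing password happens here

    def authenticate(self, password: str) -> bool:
        return password == self.password  # normal use: no compliance check

    def change_password(self, old: str, new: str) -> None:
        if not self.authenticate(old):
            raise PermissionError("incorrect password")
        if self.fips and not fips_pin_compliant(new):
            raise ValueError("new password does not meet FIPS requirements")
        self.password = new
```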