Hi all, I would like to ask for advice.

We are building a Firefox extension and we are using our own
implementation of SSL server and client implemented closely to the ssl
sample (security\nss\cmd\SSLsample). We are not using PSM socket
provider implementation.

All certificates (CAs and client/server) are RSA/SHA1 signed. We are
using a root CA + several intermediate CAs to sign user's certificates.
The user's certificates are used for SSL server and SSL client
authentication too.

All CAs are added to the software token and marked as trusted CA. The
user certificate is also added to the software token and marked as SSL
client and server cert, email signer, email recipient, SSL CA (users
sign other certs using its private key) and also is visible as Status
Responder Certificate.

The server is configured to request client authentication.

We are using SSL socket prototypes to set up client and server sockets.
Just a few cipher suites are selected to be used by clients and the
server socket accepts the same set (+ a few more).

This all is working very well with Firefox 1.5 (NSS 3.10). Now we have
moved to Firefox 2.0 and NSS 3.11 and experience the following problem:

Two peers try to connect to each other. On the server I read from the
socket with error SSL_ERROR_HANDSHAKE_FAILURE_ALERT. It is described on
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslerr.html as
"SSL peer was unable to negotiate an acceptable set of security
parameters." I traced the code on the client and the negotiation is
probably broken in ssl3con.c line 4498 (the cipher suite was not
found).

What is strange is that the cipher suite sent from the server is c014 -
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA. This suite is disabled on the
server.

The client socket gets to a state with error SSL_ERROR_NO_CYPHER_OVERLAP
and sends to the server our SSL_ERROR_HANDSHAKE_FAILURE_ALERT alert. The
connection is then broken.

Another curious thing is that connection to and also from (!) Firefox
1.5 is established correctly.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
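
Added example, not part of the original post and not NSS code: a stand-alone C check of the kind the post describes, which reads the suite the server selected out of a ServerHello and compares it with the suites the client offered. The ServerHello bytes and the offered list are constructed sample data; only the value c014 comes from the post.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Return the cipher suite selected in a TLS ServerHello handshake message
 * (handshake header included, record header stripped), or -1 if malformed. */
int server_hello_suite(const uint8_t *msg, size_t len)
{
    if (len < 4 || msg[0] != 0x02)           /* handshake type 2 = ServerHello */
        return -1;
    size_t body = ((size_t)msg[1] << 16) | ((size_t)msg[2] << 8) | msg[3];
    if (body > len - 4)                      /* declared length exceeds buffer */
        return -1;
    const uint8_t *p = msg + 4, *end = p + body;
    if (end - p < 2 + 32 + 1)                /* version, random, session id length */
        return -1;
    p += 2 + 32;
    size_t sid_len = *p++;
    if (sid_len > 32 || (size_t)(end - p) < sid_len + 3) /* id, suite, compression */
        return -1;
    p += sid_len;
    return (p[0] << 8) | p[1];
}

/* 1 if the suite is among those the client offered, else 0. */
int suite_offered(int suite, const uint16_t *offered, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (offered[i] == suite)
            return 1;
    return 0;
}

/* Constructed sample: TLS 1.0 ServerHello, zeroed random, empty session id,
 * selected suite c014 at offsets 39-40, null compression. */
static const uint8_t SAMPLE_HELLO[42] = {
    [0] = 0x02, [3] = 0x26, [4] = 0x03, [5] = 0x01, [39] = 0xc0, [40] = 0x14
};
/* Constructed client offer: three RSA key-exchange suites, no ECDHE. */
static const uint16_t SAMPLE_OFFERED[] = { 0x0035, 0x002f, 0x000a };

int main(void)
{
    int suite = server_hello_suite(SAMPLE_HELLO, sizeof SAMPLE_HELLO);
    int ok = suite >= 0 && suite_offered(suite, SAMPLE_OFFERED, 3);
    printf("server selected %04x: %s\n", suite,
           ok ? "offered by client" : "not offered, client must abort");
    return 0;
}
```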
