Thanks for the information, these are very good news.
After reading your explanation, I found it is nicely documented at
SSL_OptionSet:
http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html#1086543
May I ask several more questions?
1.
Our current server is a multi-threaded application (using pthreads),
running on a Red Hat Linux machine. It uses regular TCP socket
communication in the clear, in full duplex. My intention is to add an SSL
handshake for every new connection, and then simply replace the blocking
calls to read() and write() with their SSL equivalents.
Do we have to create the listening socket using PR_NewTCPSocket rather
than socket()?
Do we have to use NSPR threads instead of Pthreads?
Do you see any other problem with this approach?
2.
We loaded NSS 3.11.4 on a Red Hat Linux with kernel 2.4.
How do I enable valgrind or a similar memory-check tool in the build?
By the way -
2.1 - If I would like to avoid CVS, I can simply download the
binaries "with nspr" and build, correct?
2.2 - it seems like in the 3.11.4 build instructions
(http://www.mozilla.org/projects/security/pki/nss/nss-3.11.4/nss-3.11.4-build.html)
CVS checkout of NSPR should use label NSPR_4_6_4_RTM rather than
NSPR_4_6_4_RELEASE.
3.
I started by attempting to run the "client" and "server" applications in
directory "mozilla/security/nss/cmd/SSLsample", which returned "Error in
function NSS_Init: -8174 - security library: bad database." Then I
followed the instructions in "Getting Started with SSL"
(http://www.mozilla.org/projects/security/pki/nss/ref/ssl/gtstd.html#1005439)
- however, at the step "Creating the Databases and Generating the Keys"
(3), running "certutil -L -d server_db" did not display anything. Any
idea what is missing here?
4.
I tried to proceed to "Creating the CA Certificate and Adding It to the
Database". Using the string "f7c1" returned an error, so I changed to
"rsa". But at step (2), certutil complained "certutil: self-signing a
cert request is not supported". Suggestions?
Thanks,
Yahel Zamir.
Nelson B wrote:
Yahel Zamir wrote:
Hi Everyone,
I have noted an important limitation of OpenSSL, and I would like to make
sure that this limitation does not exist with NSS.
What I need is the ability to use one thread for writing to an SSL socket in
blocking mode, and another thread for reading from the same socket, and let
them run without synchronization (no mutex).
The OpenSSL API says that in blocking mode, two threads are not allowed to
use the same SSL connection object at the same time (for instance, for read
and write). This is mentioned in their FAQ -
http://www.openssl.org/support/faq.html#PROG1, and it is discussed here -
http://www.mail-archive.com/openssl-users@openssl.org/msg46791.html
Some context - I am a SW Engineer at a company named CWNT, developing HW+SW
device that needs secure connectivity, and we would like to use Mozilla NSS
for that purpose, rather than OpenSSL - mainly because of the reason
mentioned above.
NSS's SSL library was written to be able to handle two-way-simultaneous
(or so-called "full duplex" or FDX) operation, on blocking or non-blocking
sockets. NSS's "selfserv" and "strsclnt" test programs have code to test
this feature.
See http://lxr.mozilla.org/security/search?string=SSL_ENABLE_FDX
But I am not aware of any real products that presently use the feature.
I doubt that our nightly QA testing tests it. So I cannot say with great
confidence that it is 100% OK. But it should work, and should be
fixable if it doesn't.
The feature must be enabled on the socket as an SSL socket option.
Look at how strsclnt does it.
Yahel.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto