Wan-Teh Chang wrote:
> On 8/23/07, Steffen Schulz <[EMAIL PROTECTED]> wrote:
>> Hi,
>>
>> I want to test DSA ciphersuites, but 'server' and 'selfsrv' seem to be
>> unable to handle them.
>>
>> I changed the source to enable some TLS-DSA suites but it seems
>> the ssl library is not being supplied with a valid certificate.
>>
>> I created the dsa certificates with:
>>
>> openssl pkcs12 -export -in dsa.crt -inkey dsa.key -out dsa.p12 -name dsa_srv
>> pk12util -i dsa.p12 -d certs
>>
>> Is usage of DSA-suites discouraged? How can I test them?
>
> No, the use of DSA ciphersuites is not discouraged. But we haven't
> implemented DSA ciphersuites on the server side. They are only
> implemented on the client side. I believe this is the problem you're
> running into.

IIRC, the problem is not DSA but rather DHE. NSS does not presently
support any DHE cipher suites on the server side, and it so happens
that all the DSA cipher suites are also DHE cipher suites.

IIRC, the missing code is not for DSA but for DHE. The issue is the
sharing of a server session cache key among multiple processes sharing
the same SSL server session cache. This is the subject of Bugzilla bug
https://bugzilla.mozilla.org/show_bug.cgi?id=102794

A solution to this was devised (IIRC) for ECDSA_ECDHE, but was not
also applied to DSA_DHE.

--
Nelson B