Geoff,

Just wanted to provide some additional info to Bob's reply.

There are three ways to configure NSS in the FIPS mode. In our FIPS Security Policy, we describe the low-level method for people who use only the NSS software cryptographic module (i.e., libsoftokn3.so/softokn3.dll only). Most of our users use the whole NSS and can use the other two methods to enable FIPS mode. We decided not to describe these two methods in our FIPS Security Policy for fear that they may confuse people into thinking the entire NSS is the validated module.

1. Use the modutil command-line utility, as Bob said.

2. Call NSS SECMOD_xxx functions to *toggle* the FIPS mode, as Firefox does here:
   http://lxr.mozilla.org/security/source/security/manager/ssl/src/nsPKCS11Slot.cpp#534

    /* void toggleFIPSMode (); */
    NS_IMETHODIMP nsPKCS11ModuleDB::ToggleFIPSMode()
    {
      nsNSSShutDownPreventionLock locker;
      // The way to toggle FIPS mode in NSS is extremely obscure.
      // Basically, we delete the internal module, and voila it
      // gets replaced with the opposite module, ie if it was
      // FIPS before, then it becomes non-FIPS next.
      SECMODModule *internal;

      // This function returns us a pointer to a local copy of
      // the internal module stashed in NSS. We don't want to
      // delete it since it will cause much pain in NSS.
      internal = SECMOD_GetInternalModule();
      if (!internal)
        return NS_ERROR_FAILURE;

      SECStatus srv = SECMOD_DeleteInternalModule(internal->commonName);
      if (srv != SECSuccess)
        return NS_ERROR_FAILURE;

      return NS_OK;
    }

Wan-Teh

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
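The message above stresses that the SECMOD route *toggles* FIPS mode, so calling it twice turns FIPS back off. The following script is an added example, not part of Wan-Teh's message or of NSS, for the first method (modutil): it checks the current state and sets the desired mode explicitly, so it is safe to run repeatedly. It assumes the modutil options -dbdir, -chkfips, -fips and -force as documented for NSS (where -chkfips exits 0 only when the database is in the named mode); the MODUTIL variable is this script's own convention for pointing at a different binary.

```shell
#!/bin/sh
# Added example (not from the original message or from NSS): set NSS FIPS mode
# explicitly with modutil instead of toggling it, so repeated runs are harmless.
# MODUTIL is an assumption of this script, not an NSS setting.
MODUTIL="${MODUTIL:-modutil}"

# fips_state DBDIR -> prints "enabled" or "disabled" for the NSS database in DBDIR
fips_state() {
    if "$MODUTIL" -dbdir "$1" -chkfips true >/dev/null 2>&1; then
        echo enabled
    else
        echo disabled
    fi
}

# ensure_fips DBDIR true|false -> prints "unchanged" or "changed";
# returns 1 if the mode could not be set or verified, 2 on bad arguments.
ensure_fips() {
    dbdir="$1"
    want="$2"
    case "$want" in
        true|false) ;;
        *) echo "usage: ensure_fips DBDIR true|false" >&2; return 2 ;;
    esac
    # Already in the requested mode: do nothing (this is what a blind toggle gets wrong).
    if "$MODUTIL" -dbdir "$dbdir" -chkfips "$want" >/dev/null 2>&1; then
        echo unchanged
        return 0
    fi
    # -force skips modutil's interactive confirmation prompt.
    "$MODUTIL" -dbdir "$dbdir" -fips "$want" -force >/dev/null 2>&1 || return 1
    # Verify the resulting state rather than trusting the exit code alone.
    "$MODUTIL" -dbdir "$dbdir" -chkfips "$want" >/dev/null 2>&1 || return 1
    echo changed
}

# Usage: ensure_fips /etc/pki/nssdb true && fips_state /etc/pki/nssdb
```

Because the desired mode is named rather than flipped, running the script from a configuration-management tool on every boot converges on the same state, which is the property the toggle API lacks.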
There are three ways to configure NSS in the FIPS mode. In our FIPS Security Policy, we describe the low-level method for people who use only the NSS software cryptographic module (i.e., libsoftokn3.so/softokn3.dll only). Most of our users use the whole NSS and can use the other two methods to enable FIPS mode. We decided not to describe these two methods in our FIPS Security Policy for fear that they may confuse people to think the entire NSS is the validated module. 1. Use the modutil command-line utility, as Bob said. 2. Call NSS SECMOD_xxx functions to *toggle* the FIPS mode, as Firefox does here: http://lxr.mozilla.org/security/source/security/manager/ssl/src/nsPKCS11Slot.cpp#534 534 /* void toggleFIPSMode (); */ 535 NS_IMETHODIMP nsPKCS11ModuleDB::ToggleFIPSMode() 536 { 537 nsNSSShutDownPreventionLock locker; 538 // The way to toggle FIPS mode in NSS is extremely obscure. 539 // Basically, we delete the internal module, and voila it 540 // gets replaced with the opposite module, ie if it was 541 // FIPS before, then it becomes non-FIPS next. 542 SECMODModule *internal; 543 544 // This function returns us a pointer to a local copy of 545 // the internal module stashed in NSS. We don't want to 546 // delete it since it will cause much pain in NSS. 547 internal = SECMOD_GetInternalModule(); 548 if (!internal) 549 return NS_ERROR_FAILURE; 550 551 SECStatus srv = SECMOD_DeleteInternalModule(internal->commonName); 552 if (srv != SECSuccess) 553 return NS_ERROR_FAILURE; 554 555 return NS_OK; 556 } Wan-Teh _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto