See responses in line below. "Nelson B Bolyard" <[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED] > Bill Price wrote, On 2008-07-24 15:17 PDT: >> I'm trying to do TLS using an ECC ciphersuite. I thought FF3 natively >> supported it (ECC ciphersuites are enabled in about:config). Using normal >> downloads of FF3 on either Linux or Windows I'm getting the error that >> there's no common ciphersuite. Looking at SSLTap, both versions of FF3 >> browser are not offering any of the ECC cipher suites. > > Both versions? What versions are those? > Did you download these from Mozilla? > Or did you download these from some Linux distributor? [bp] The Windows version 3.0.1 was downloaded from the mozilla.com download site today (7/24/08). The Linux FF3 version was not so clean. There's apparently been a decision not to have FC8 suppport FF3. The Linux version came from a private package. I doubt that any changes were made to NSS in the Linux download. > > If from some Linux distributor, I advise you to ask that distributor about > any changes they may have made to the version of NSS they distribute. > If your distributor tells you "we removed ECC support", please report that > back to us here. > > If you see this problem with FF3 downloaded from mozilla.org, then please > file a bug in bugzilla.mozilla.org, product "core", component > "Security/PSM". > [bp] done: 447911 >> I tried a search but did not quickly find any references on how to enable >> FF3 for ECC suites. Are there instructions on how to do so somewhere? > > Go to about:config > filter on the string "ssl3.ecd" (without the quotes). > All items should be non-bold, type binary, status "default". > All items should have the value "true", except for those whose names > include the string _null_, which should be false. [bp] In the original post, I said that the ECC suites where enabled in the about:config. They are enabled in the Windows and Linux versions as you describe below. The strong versions are enabled and the weak versions are disabled. > > If you filter on the string "ssl3.ecd*null", all the results should > have the value false. > If you filter on the string "ssl3.ecd*es", all the results should > have the value true. > If you filter on the string "ssl3.ecd*rc", all the results should > have the value true. > (From this you may correctly infer that preference filtering uses patterns > similar to those used for file name "globbing" by the shell.) > > If you find your results are different from that, and you have not > previously altered these preferences knowingly, please report to us > what differences you found between your settings and those I described. > >> If the browser behavior is based on the NSS libraries, can I have the >> browser reference an alternate set of libraries (I have ECC enabled >> libraries in /usr/lib on a Fedora Core 8 Linux system)? Any help or >> suggestions would be appreciated. Thanks. > > As I wrote in another posting to this newsgroup today, ECC is alive and > well in NSS as found in the NSS sources that you can get from the Mozilla > source repository, when built with NSS's own build system. Source code > files obtained from other repositories or distributions may be different. > Other Makefile systems than NSS's own may also be different. > > The NSS team would like to know of any distributions of NSS that have > altered the basic set of capabilities from what the NSS team offers, so > that we may handle support requests for those distributions accordingly. [bp] I have built a version of NSS that supports ECC and it appears to be working well. > > You can always add third party PKCS#11 modules to your browser and avail > yourself of their capabilities, provided that your browser distribution > has not been altered to disable those capabilities even when the > underlying > cryptographic algorithms are available.
[bp] If I want the browser to use the NSS PKCS#11 token embedded in the ECC enabled NSS and clicked the load button in the browser's encryption tab, what file do I browse to load the token from? the libnss3.so?? Thanks. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
