Claes Jakobsson wrote, On 2008-10-04 06:10: > Hi, > > I'm writing a test-case for the Perl bindings that basically is just > server from SSLsample. However when I try to connect to it I get an > assertation failure: PR_Assert (s=0x86d2c "numPresent > 0 || > numEnabled == 0", file=0x86ced "ssl3con.c", ln=670). My NSS is 3.12
That assertion means that there are NO SSL "cipher suites" that are able to be used, for one of the following reasons (in no particular order): a) No cipher suites have been enabled by (user) preference. b) No cipher suites have been enabled by application policy. c) No PKCS#11 module is available that supports all of the necessary ciphers for any one of the enabled cipher suites. Every cipher suite has two ways of being enabled/disabled by the application. They can be enabled/disabled by (user) preference, and they can be enabled/disabled by application policy. To actually be used, it must be enabled both ways. Typically, the "policy" controls are hard coded into the application, and the user preferences are user configurable. This system allows the user to express his choices and also allows the application to disallow certain cipher suites that may be disallowed by law or regulation in the country where the application is used. The defaults for the user preferences are that some cipher suites are enabled, but most are not. The set that is enabled by default is a set of quite old cipher suites. None of the new cipher suites that have been devised in the last 8 years is enabled by default in preferences. This is necessary to maintain backwards binary compatibility. The defaults for policy are that NO cipher suites are enabled until the application enables them. The c language APIs for controlling these flags allow each cipher suite to be configured separately, but there are also some functions that set all the cipher suites according to some preset configurations. One of those enables all cipher suites. I'd guess that the most likely explanation is that your code is not setting any policy flags on cipher suites, and so they're all disabled by policy. That's just a guess. _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
