Viktor TARASOV wrote, On 2009-01-05 08:53:

> is it normal that, during the SSL handshake, the disabled removable
> token is asked for the authentication certificate/key, please?

The feature that allows slots to be disabled is intended to be a configuration feature, not intended for dynamic use during the lifetime of a process. NSS checks the disabled bit on each slot when it starts up, and (IINM) may also check it on removable slots when the token is inserted or a new slot becomes available (that is, a slot appears that was not present when NSS was initialized).

If the disabled flag is set when the token is already in use, I would not expect the disabled flag to have any effect on objects or sessions that are already known to NSS at the time it is disabled. I would not expect the disabled flag to have much effect on a slot with a removable token unless/until the next time a token is inserted.

> Looking through the sources, it appears that, when getting the client
> authentication data, the 'disabled' flag is ignored for the removable
> tokens. (For the permanent tokens, the 'disabled' flag is checked in
> nssToken_IsPresent().)

Well, it's checked at startup time for slots with removable tokens. But perhaps disabling a token might be expected to prevent new objects from being found in a removable token. If you file a bug about that, I will discuss the subject with the other NSS developers.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto