Nelson B Bolyard wrote:
Sreedhar Kamishetti wrote on 2009-01-29 16:28 PST:

I just started to use JSS/NSS. So, I hope someone will reply to this
post.

We use SSL_DH_anon_WITH_3DES_EDE_CBC_SHA as cipher suite for communication between SSL Peers. Client is in Java and Server is in C (uses OpenSSL).

I am trying to use JSS/NSS for Client side SSL Provider for supporting FIPS, but I am not able to do it easily as Diffie Hellman protocol for Key exchange is not implemented by JSS/NSS.

That's not exactly correct.  NSS implements DH for SSL clients, but it
does not implement *anonymous* cipher suites at all, not for Diffie Hellman
or any other flavor of key agreement algorithm.

We are having problems communicating to Server by writing Java SSL Client
from scratch using JSS API.  Can I use the Sun JSSE provider along with
Mozilla-JSS provider so that my existing code will not change except for
initializing the Mozilla-JSS provider so that SSL Context from Sun JSSE
provider internally uses all the services of Mozilla-JSS provider?

Which Cipher suite is recommended with minimal changes to use between JSS/NSS client and OpenSSL Server.

I think that any cipher suites that are supported by both NSS/JSS and
Java's SSL classes will require about the same amount of adaptation to
switch from one implementation to the other.  But I don't know how much
that will be.  Hopefully one of this list's Java gurus can help answer
that.

You'll find the list of cipher suites supported by NSS at
http://mxr.mozilla.org/security/source/security/nss/lib/ssl/sslenum.c#48
JSS supports all NSS ciphersuites.

For recommended ciphersuites, how about:

TLS_RSA_WITH_AES_128_CBC_SHA
TLS_DHE_RSA_WITH_AES_128_CBC_SHA

There is a sample "JSSE Server using Mozilla-JSS" test in our automated tinderbox QA.

To see the output search for JSSE Server using Mozilla-JSS
http://tinderbox.mozilla.org/showlog.cgi?tree=NSS&errorparser=unix&logfile=1233326113.1233332216.20828.gz&buildtime=1233326113&buildname=trunk%20standard%20dositups%20SunOS%2fi386%2064bit%20OPT&fulltext=1

The above link will expire, but you can get the link by going to http://tinderbox.mozilla.org/showlog.cgi?tree=NSS, selecting a successful "green" run, and viewing the Full log.

Test:
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JSSE_SSLServer.java
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/JSSE_SSLClient.java

The above code is test/sample code. Cleanup or additional functionality contributions are welcomed.

-glen
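Applying Glen's recommendation on the JSSE client side, as an added example that is not code from the thread, from JSS, or from the test files linked above: the client enables only the two suggested RSA-authenticated suites and rejects any anonymous suite such as the one the original poster was using. The host and port are assumed placeholders.

```java
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.SSLSocketFactory;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;

public class SuiteSelection {
    // The two suites recommended in the thread. Both authenticate the server
    // with an RSA certificate, so NSS/JSS and OpenSSL can all negotiate them.
    static final List<String> PREFERRED = Arrays.asList(
        "TLS_DHE_RSA_WITH_AES_128_CBC_SHA",
        "TLS_RSA_WITH_AES_128_CBC_SHA");

    // Anonymous suites (e.g. SSL_DH_anon_WITH_3DES_EDE_CBC_SHA) carry "_anon_"
    // in their JSSE name; they perform no server authentication, which is why
    // NSS does not implement them and why a client should never enable them.
    static boolean isAnonymous(String suite) {
        return suite.contains("_anon_");
    }

    // Intersect the provider's supported list with PREFERRED, keeping our
    // preference order and refusing anonymous suites outright.
    static String[] selectCipherSuites(String[] supported) {
        List<String> available = Arrays.asList(supported);
        List<String> chosen = new ArrayList<>();
        for (String suite : PREFERRED) {
            if (available.contains(suite) && !isAnonymous(suite)) {
                chosen.add(suite);
            }
        }
        if (chosen.isEmpty()) {
            throw new IllegalStateException("provider supports none of the recommended suites");
        }
        return chosen.toArray(new String[0]);
    }

    public static void main(String[] args) throws Exception {
        // Placeholder endpoint: substitute the OpenSSL server's host and port.
        String host = args.length > 0 ? args[0] : "localhost";
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 4433;

        SSLSocketFactory factory = SSLContext.getDefault().getSocketFactory();
        try (SSLSocket socket = (SSLSocket) factory.createSocket(host, port)) {
            socket.setEnabledCipherSuites(selectCipherSuites(socket.getSupportedCipherSuites()));
            socket.startHandshake();
            System.out.println("negotiated: " + socket.getSession().getCipherSuite());
        }
    }
}
```

With Mozilla-JSS registered as the JSSE provider, the same selection applies unchanged, since JSS exposes the NSS suite list under the standard names.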

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
