On 2010-04-29 11:34 PST, David Stutzman wrote:
> Sorry I keep having so many issues with EC :)
>
> Using vfyserv from nss-3.12.6 built using mozilla-build on Vista32.
>
> C:\usr\mozilla>vfyserv.exe -d . -p 9444 ferret.pki
> Connecting to host ferret.pki (addr 192.168.1.171) on port 9444
> Error in function PR_Write: -12286
> - Cannot communicate securely with peer: no common encryption
> algorithm(s).
>
> C:\usr\mozilla>vfyserv.exe -d . -p 9444 -C :c005 ferret.pki
> Connecting to host ferret.pki (addr 192.168.1.171) on port 9444
> Error in function PR_Write: -12268
> - Cannot connect: SSL is disabled.
>
> Ok, the first one makes sense. On a previous posting a little over a
> year ago Nelson told me NSS won't enable, by default, ciphers added
> since 3.0. What's up with the second one?

When you use an SSL socket, first you configure it, implicitly or explicitly. You choose the version(s) of SSL/TLS you wish to enable, and you choose the cipher suites you wish to enable.

When you go to actually use the SSL socket, the ssl library goes through the list of cipher suites you've chosen and looks to see if you have the necessary means with which to actually implement it. For example, if you've chosen a Diffie-Hellman cipher suite, do you have a PKCS#11 slot that can do Diffie-Hellman key derivation? If you've chosen RSA, do you have a slot that can do it? If you've chosen ECDSA, do you have a slot that can do it? If you've chosen AES 256, do you have a slot that can do it? If you've chosen SHA1, do you have a slot that can do it? etc.

If you're a server, it also checks to see if you have a certificate of the necessary type for your cipher suite. For example, if you've chosen a cipher suite that requires a certificate with an RSA public key, do you have a certificate with an RSA public key? and so on.

Any cipher suite for which you don't have all the necessary support components will be disabled, even though you've said to enable it. When it gets all done with this process, if all the cipher suites are disabled, it reports "SSL is disabled".

I'm guessing that's what happened to you. You told tstclnt to enable only one cipher suite, one that uses ECDH (not ECDHE), ECDSA, AES256 and SHA1. If the version of Softoken that your tstclnt was using doesn't support one or more of those algorithms, then that one cipher suite would be disabled, and since it's the only one you allowed, the SSL library would report "SSL is disabled". I'm guessing your program used a version of softoken that doesn't support all the necessary EC algorithms.

> I *can* reach the server in question with my downloaded from mozilla.org
> copy of Firefox 3.6.whatever-is-current.
>
> Looking around it seems "SSL is disabled" has to do with ssl cert issues
> and in the context of firefox some sites say to add exceptions. I have
> already added the certificate of the CA that issued the SSL cert for
> this server to the DB and it's marked "CT,C,C".
>
> Thanks,
> Dave

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
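
The availability check described in the reply above, as a small C model added here for illustration (not NSS source, and not code from either poster). The mechanism bits, the softoken profile without EC and the EC-only server list are constructed assumptions; the two error numbers and suite c005 come from the post.

```c
/* Simplified model of the pruning step; not NSS source. Mechanism bits and
 * the softoken profile below are constructed for illustration. */
#include <stdio.h>
#include <stddef.h>

enum { M_RSA = 1, M_ECDH = 2, M_ECDSA = 4, M_AES256 = 8, M_SHA1 = 16, M_RC4 = 32 };

#define ERR_NO_CIPHER_OVERLAP (-12286)  /* first error number in the post  */
#define ERR_SSL_DISABLED      (-12268)  /* second error number in the post */

struct suite { unsigned id; int enabled; unsigned needs; };

/* Bitmask of mechanisms the suite needs that the token cannot supply. */
unsigned missing_mechs(const struct suite *s, unsigned token) {
    return s->needs & ~token;
}

/* Client side: prune suites the token cannot implement, then look for
 * overlap with the server's list. Returns the suite id or an error number. */
int negotiate(const struct suite *cfg, size_t n, unsigned token,
              const unsigned *server, size_t ns) {
    size_t usable = 0;
    int chosen = 0;
    for (size_t i = 0; i < n; i++) {
        if (!cfg[i].enabled || missing_mechs(&cfg[i], token))
            continue;               /* not requested, or silently disabled */
        usable++;
        for (size_t j = 0; j < ns && !chosen; j++)
            if (server[j] == cfg[i].id)
                chosen = (int)cfg[i].id;
    }
    if (usable == 0)
        return ERR_SSL_DISABLED;    /* nothing left to offer at all */
    return chosen ? chosen : ERR_NO_CIPHER_OVERLAP;
}

int main(void) {
    unsigned server[] = { 0xc005 };                 /* assumed EC-only server */
    unsigned no_ec = M_RSA | M_AES256 | M_SHA1 | M_RC4;   /* constructed token */
    struct suite defaults[] = { { 0x0005, 1, M_RSA | M_RC4 | M_SHA1 },
        { 0xc005, 0, M_ECDH | M_ECDSA | M_AES256 | M_SHA1 } };
    struct suite only_c005[] = { { 0x0005, 0, M_RSA | M_RC4 | M_SHA1 },
        { 0xc005, 1, M_ECDH | M_ECDSA | M_AES256 | M_SHA1 } };
    printf("defaults: %d\n", negotiate(defaults, 2, no_ec, server, 1));
    printf("-C :c005: %d\n", negotiate(only_c005, 2, no_ec, server, 1));
    printf("missing : 0x%x\n", missing_mechs(&only_c005[1], no_ec));
    return 0;
}
```

The `missing_mechs` result is the useful diagnostic: it names which required algorithms the token lacks when a requested suite is dropped.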