I'm guessing my previous submission was eaten by the terrible list
monster due to having an attachment...
As usual, you appear to be correct Nelson, I figured out the proper
cipher string format for vfyserv and enabled ALL ecc ciphers and it
didn't work. So I set about recompiling NSS again and vfyserv was able
to make a connection but I couldn't generate an EC key. Before I could
generate a key but not make SSL connection. So I tried again tweaking
the process slightly and now I can both generate an EC key and make an
SSL connection using vfyserv. Then I moved on to attempting to use the
new NSS libraries in our application via JSS and I got another SSL error:
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed:
(-8157) Certificate extension not found.
Google brings up a couple forum posts about Sun Access Manager and
enabling a setting to trust all certs. I already have the Issuing CA of
the EC server cert in the local DB marked "CT,C,C". The CA and SSL cert
are not expired, the SSL server cert has the dns hostname of the server
as the CN in the DN and I'm accessing it as such.
vfyserv output:
vfyserv -d sql:. -p 9444 -C :C00A ferret.pki
Connecting to host ferret.pki (addr 192.168.1.171) on port 9444
Enter Password or Pin for "NSS FIPS 140-2 Certificate DB":
Handshake Complete: SERVER CONFIGURED CORRECTLY
bulk cipher AES-256, 256 secret key bits, 256 key bits, status: 1
subject DN:
CN=ferret.pki,O=Ferret ECC Test Domain
issuer DN:
CN=Ferret ECC FC12 Dogtag CA,O=Ferret ECC Test Domain
0 cache hits; 0 cache misses, 0 cache not reusable
***** Connection 1 read 109 bytes total.
In my JSS code for setting up the SSL sockets I'm enabling 8 EC ciphers:
AES 128/256, 3DES and RC4 each in ephemeral and non-ephemeral flavors.
Dave
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
