On 11.04.11 19:30, Helge Bragstad wrote:
Could anybody provide, or point to some info regarding the support for ECDSA in TLS client authentication in Firefox as well as for S/MIME in Thunderbird? (Curves and hash functions being used etc.)
Vanilla NSS builds with ECC support turned on (NSS_ENABLE_ECC=1, aka "Basic ECC") support three curves granted by Certicom for free use in TLS:

NIST-P256
NIST-P384
NIST-P521

(see mozilla/security/nss/lib/freebl/ecl-curve.h)

General ECDSA-sign doesn't work (affects Thunderbird), only TLS.

If you build NSS on your own, with "Extended ECC" (NSS_ECC_MORE_THAN_SUITE_B=1), you get more curves (see same ecl-curve.h), ability to sign with ECDSA and ability to compose CMS 'signed data' messages with ECDSA. Don't forget to ask Certicom for permission :-)

ECDH is only directly inlined in the SSL/TLS code, so that you cannot compose CMS ECDH-enveloped (encrypted) messages anyway (affects Thunderbird).

The only hash type supported in TLS is SHA-1 (see mozilla/security/nss/lib/ssl2con.c`ssl3_VerifySignedHashes() ... case ecKey:...)

Keep well,
Konstantin
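An added example, not part of the message above and not NSS code: a Python check that reads the named-curve OID from a DER-encoded EC SubjectPublicKeyInfo and reports whether it is one of the three curves the reply lists for a Basic ECC build. The function names and both sample keys (zeroed placeholder points) are constructed for illustration.

```python
# Curves the reply lists for a Basic ECC (NSS_ENABLE_ECC=1) build, by OID.
BASIC_ECC = {
    "1.2.840.10045.3.1.7": "NIST-P256",
    "1.3.132.0.34": "NIST-P384",
    "1.3.132.0.35": "NIST-P521",
}
ID_EC_PUBLIC_KEY = "1.2.840.10045.2.1"

def read_tlv(buf, off):
    """Return (tag, value, next_offset) for the DER element starting at off."""
    if off + 2 > len(buf):
        raise ValueError("truncated DER header")
    tag, length = buf[off], buf[off + 1]
    off += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4 or off + n > len(buf):
            raise ValueError("unsupported DER length")
        length = int.from_bytes(buf[off:off + n], "big")
        off += n
    if off + length > len(buf):
        raise ValueError("truncated DER value")
    return tag, buf[off:off + length], off + length

def decode_oid(body):
    """Decode OID content bytes (base-128 arcs) to dotted notation."""
    if not body or body[-1] & 0x80:
        raise ValueError("malformed OID")
    arcs, value = [], 0
    for b in body:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            if not arcs:                    # first subidentifier packs two arcs
                first = min(value // 40, 2)
                arcs += [first, value - 40 * first]
            else:
                arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def basic_ecc_status(spki):
    """Return (curve_oid, curve_name or None if outside the Basic ECC set)."""
    _, body, _ = read_tlv(spki, 0)          # SubjectPublicKeyInfo SEQUENCE
    _, alg, _ = read_tlv(body, 0)           # AlgorithmIdentifier SEQUENCE
    tag, alg_oid, off = read_tlv(alg, 0)
    if tag != 0x06 or decode_oid(alg_oid) != ID_EC_PUBLIC_KEY:
        raise ValueError("not an EC public key")
    tag, params, _ = read_tlv(alg, off)
    if tag != 0x06:
        raise ValueError("curve is not given as a namedCurve OID")
    oid = decode_oid(params)
    return oid, BASIC_ECC.get(oid)

# Constructed samples: real SPKI headers, placeholder (all-zero) point bytes.
P256_SPKI = bytes.fromhex("3059301306072a8648ce3d020106082a8648ce3d030107034200") + b"\x04" + bytes(64)
K256_SPKI = bytes.fromhex("3056301006072a8648ce3d020106052b8104000a034200") + b"\x04" + bytes(64)
```
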