Re: nss selfserv and extended_master_secret

Thu, 19 Mar 2020 14:35:25 -0700 

There is no other mechanism for enabling it. You would need to go the
modify/rebuild route, or build with NSS 3.48+.

Thanks,
Kevin

On Thu, Mar 19, 2020 at 12:38 PM Brian Reichert <reich...@numachi.com>
wrote:

> On Thu, Mar 19, 2020 at 12:00:32PM -0400, Brian Reichert wrote:
> > On Thu, Mar 19, 2020 at 08:39:24AM -0700, Kevin Jacobs wrote:
> > > SSL_OptionSet with SSL_ENABLE_EXTENDED_MASTER_SECRET will do the
> trick, but
> > > I'm not aware of a config file option for this.
> > >
> > > NSS 3.48 enabled this by default, so if you're able to use a newer
> version,
> > > it should "just work".
> >
> > This says is was supported as of 3.2.1:
> >
> >
> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.21_release_notes
> >
> > For 3.48 to be enabled by default, but it was introduced in 3.2.1,
> > implies to me that when it was introduced, it was not enabled, but
> > enableable.  I have no idea what that mechanism might be.
> >
> > Anyway, I guess the next step is to engage the mod_nss people
> > directly.
>
> And they've responded:
>
>   There is no config setting for this option. The only way to enable
>   it if the underlying nss does not enable it by default would be
>   to modify and rebuild the package.
>
> So - mozilla-nss-3.45 supports EMS, but does not enable it by default.
>
> You've showed me how to enable it for the selfserv utility.
>
> Is there some out-of-band way I can coerce /usr/lib64/libnss3.so, or
> whatever the operational binaries are, to enable this?  Config file,
> environment, anything...
>
> I'm pawing through the docs here for clues, but am not getting any
> traction yet.
>
>   https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS
>
>
>
>
>
> >
> > I appreciate the pointers!
> >
> > >
> > > Thanks,
> > > Kevin
> >
> > --
> > Brian Reichert                                <reich...@numachi.com>
> > BSD admin/developer at large
> > --
> > dev-tech-crypto mailing list
> > dev-tech-crypto@lists.mozilla.org
> > https://lists.mozilla.org/listinfo/dev-tech-crypto
>
> --
> Brian Reichert                          <reich...@numachi.com>
> BSD admin/developer at large
> --
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Reply via email to