Re: nss selfserv and extended_master_secret

2020-03-19 Thread Brian Reichert
On Thu, Mar 19, 2020 at 02:34:19PM -0700, Kevin Jacobs wrote:
> There is no other mechanism for enabling it. You would need to go the
> modify/rebuild route, or build with NSS 3.48+.

So I feared; I'm doing that very thing, as we speak, rolling a 3.48 RPM.

> Thanks,
> Kevin

--
Brian Reichert

Re: nss selfserv and extended_master_secret

2020-03-19 Thread Kevin Jacobs
There is no other mechanism for enabling it. You would need to go the modify/rebuild route, or build with NSS 3.48+.

Thanks,
Kevin

On Thu, Mar 19, 2020 at 12:38 PM Brian Reichert wrote:
> On Thu, Mar 19, 2020 at 12:00:32PM -0400, Brian Reichert wrote:
> > On Thu, Mar 19, 2020 at 08:39:24AM -070

Re: nss selfserv and extended_master_secret

2020-03-19 Thread Brian Reichert
On Thu, Mar 19, 2020 at 12:00:32PM -0400, Brian Reichert wrote:
> On Thu, Mar 19, 2020 at 08:39:24AM -0700, Kevin Jacobs wrote:
> > SSL_OptionSet with SSL_ENABLE_EXTENDED_MASTER_SECRET will do the trick, but
> > I'm not aware of a config file option for this.
> >
> > NSS 3.48 enabled this by defau

Re: nss selfserv and extended_master_secret

2020-03-19 Thread Brian Reichert
On Thu, Mar 19, 2020 at 08:39:24AM -0700, Kevin Jacobs wrote:
> SSL_OptionSet with SSL_ENABLE_EXTENDED_MASTER_SECRET will do the trick, but
> I'm not aware of a config file option for this.
>
> NSS 3.48 enabled this by default, so if you're able to use a newer version,
> it should "just work".

Th

Re: nss selfserv and extended_master_secret

2020-03-19 Thread Kevin Jacobs
SSL_OptionSet with SSL_ENABLE_EXTENDED_MASTER_SECRET will do the trick, but I'm not aware of a config file option for this.

NSS 3.48 enabled this by default, so if you're able to use a newer version, it should "just work".

Thanks,
Kevin

On Thu, Mar 19, 2020 at 8:08 AM Brian Reichert wrote:
> O

Re: nss selfserv and extended_master_secret

2020-03-19 Thread Brian Reichert
On Thu, Mar 19, 2020 at 07:34:51AM -0700, Kevin Jacobs wrote:
> Brian,
>
> Can you try again with the "-G" option added to selfserv?

That indeed does the trick! Thanks!

Now, since I have your attentive eye, do you know if there's something I need to do using mod_nss to enable this?

> Thanks,
>

Re: nss selfserv and extended_master_secret

2020-03-19 Thread Kevin Jacobs
Brian,

Can you try again with the "-G" option added to selfserv?

Thanks,
Kevin

On Thu, Mar 19, 2020 at 6:57 AM Brian Reichert wrote:
> I'm trying to develop some tests for confirming a TLS server honors
> the Extended Master Secret extension (RFC 7627).
>
> I've stood up a simple selfserv serv

nss selfserv and extended_master_secret

2020-03-19 Thread Brian Reichert
I'm trying to develop some tests for confirming a TLS server honors the Extended Master Secret extension (RFC 7627).

I've stood up a simple selfserv server:

  /usr/lib/nss/selfserv -v -d /path/to/my/certdb/ -n MyCert -p 8000 -V tls1.0:tls1.2

But, when I run a test of that with OpenSSL's s_clien