On Wed, Jul 8, 2020 at 2:36 AM Daiki Ueno wrote:
>
> Martin Thomson writes:
>
> > I think that we considered this when we first landed this code, but
> > deferred adding any callbacks until it was clear what the right answer
> > was. As you say, you get the callbac
Daiki might have some ideas about how to approach this.
I think that we considered this when we first landed this code, but
deferred adding any callbacks until it was clear what the right answer
was. As you say, you get the callback, but you might not if the
request is rejected.
On Tue, Jul 7, 2
On Fri, Jun 12, 2020 at 1:16 AM Robert Relyea wrote:
>
> On 6/10/20 10:48 PM, Martin Thomson wrote:
> > Is there an automated check we can run that will help us remember to
> > do this properly in future? I really don't like having to remember
> > this sort of thing
Is there an automated check we can run that will help us remember to
do this properly in future? I really don't like having to remember
this sort of thing.
On Thu, Jun 11, 2020 at 3:52 AM Robert Relyea wrote:
>
> On 6/1/20 5:18 PM, JC Jones wrote:
> > The NSS team released Network Security Servi
You shouldn't need to start the mozilla-build shell from within a VS
shell. Our build uses vswhere and the registry to find the necessary
pieces. That might be where things are going awry.
From looking at your output, you might want to check this path:
"/c/apps/MVS15/VC/Tools/MSVC/14.10.25017 /"
Moved to dev-tech-crypto.
NSS has some limited certificate validation code, but you have to roll it
in. You can take a look at either tstclnt or firefox code to see how to put
something together. The firefox code is much more complex.
On Mon, 14 Oct. 2019, 12:37 R.Wieser, wrote:
> Hello all,
>
Hi Paul,
I don't want to answer specific questions here, but I did want to address
the higher level point.
Integrating all the pieces for a new cipher suite is a major project. I
strongly suggest that you work on doing this in pieces. If you intend to
present a single patch that adds all the pr
https://bugzilla.mozilla.org/show_bug.cgi?id=1561510 is where we should
keep discussing this.
On Wed, Jun 26, 2019 at 4:19 PM Martin Thomson wrote:
> OK, this looks like I hit a problem in my system (which I only use
> rarely). I am now hitting your issue.
>
> This is a failure in
work here if these arguments are at the end of the string. Maybe
it is because the version of make we now have on mac quotes the arguments
(as it should). The fix is simple enough; I'll get something in review soon.
On Wed, Jun 26, 2019 at 3:30 PM John Jiang wrote:
> Hi Martin,
> Tha
I had trouble myself, but it turns out that even if you are all up to date,
XCode isn't upgraded. The error I get is the result of XCode being out of
date.
Confirm by looking for a config.log in the NSPR directory. If it contains
a message like the one below, the outdated XCode is the problem.
On Thu, May 16, 2019 at 2:03 PM Miklos Vajna wrote:
> Is it possible to use this static mode when building via the provided
> Makefile?
>
No. We're gradually phasing out support for Makefiles. They are very hard
to maintain.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
ht
+Dustin Mitchell who might have some insight into this.
On Tue, Mar 19, 2019 at 6:03 AM Robert Relyea wrote:
> I've been trying to get an nss-try builds with nss-tools for a couple of
> days now, but it looks like both nss-try and nss are not properly
> running any tests. Is there an outage, or
We routinely run similar checks on our builds and track the changes that
libabigail reports. We require that ABI changes, even of the benign sort
you found, are reviewed and accepted. The set of expected changes between
releases is found here:
https://hg.mozilla.org/projects/nss/file/tip/automati
You need to build a debug build with -DDEBUG. Disabling optimization is a
different thing.
The default build with build.sh or make nss_build_all should be fine.
On Sat, 5 Jan. 2019, 11:40 John Jiang wrote:
> I had read that page. In fact, SSLDEBUG and SSLTRACE were used in my last
> try.
> My NSS was bui
Try exporting SSLTRACE=100.
That might be too much detail, but lower numbers are still useful. I find
that 20-ish gets some fairly useful logging.
On Thu, Jan 3, 2019 at 6:12 PM John Jiang wrote:
> Can NSS tools, like selfserv and tstclnt, output debug info?
> My NSS binary is built with debug
On Fri, Dec 7, 2018 at 12:26 PM Paul Smith wrote:
> Another thing that I didn't bring up: I need to implement this in other
> languages (at least Java and Python), so clients can connect to the
> service. So I need to consider availability in other crypto libraries
> like Python ssl and javax cry
Hi Paul,
I think NSS has all you need here. Including TLS 1.3 should you
prefer that. Unfortunately, we can't say that we have a PAKE, so I
appreciate that you aren't able to just drop that in. In the
meantime,,,
On Fri, Dec 7, 2018 at 9:18 AM Paul Smith wrote:
> I have a session key from SRP
The current process is a bit broken. See
https://bugzilla.mozilla.org/show_bug.cgi?id=1434943 for more. Some
people report success with the patch there, but it's not completely
ready.
On Tue, Aug 14, 2018 at 6:00 AM Will Barnz wrote:
>
> I'm trying to build NSS 3.38. I've downloaded and installe
This was a feature we supported, but we have an open item to restore
full PSS support for TLS after some changes in TLS 1.3 reassigned the
meaning of the codepoints. (It's been a few months, and a low
priority item, but it is still on my todo list). Getting selfserv and
tstclnt to use those keys
In the gecko tree, there is a file called TAG-INFO that lists the exact NSS
revision.
On Fri, May 18, 2018 at 7:21 AM Jonathan Wilson wrote:
> I have an NSS source tree (that is, the contents of security\nss as seen in
> a Gecko source tree), how can I figure out what version of NSS or what NSS
>
That looks like you haven't got a c++ compiler that supports c++11. You
can disable building the tests with NSS_DISABLE_GTESTS.
On Fri, May 18, 2018 at 3:30 AM Usha Nayak wrote:
> Hi Wan-Teh
> Thanks for replying and appreciate your help.
> Modifying the file as you suggested did get us furthe
Yes, aside from the version number the two versions are identical.
On Mon, 14 May 2018, 21:51 Kai Engert, wrote:
> On 14.05.2018 13:24, Kai Engert wrote:
> > On 14.05.2018 11:11, Kurt Roeckx wrote:
> >> On 2018-05-08 22:49, Kai Engert wrote:
> >>> Notable changes:
> >>> * The TLS 1.3 implementat
These sound like simple bugs. Most are probably good first bugs for
someone looking to contribute.
On Thu, Feb 8, 2018 at 6:13 PM, John Jiang wrote:
> Hi,
> Using NSS 3.35.
>
> It looks like tstclnt always sends the SNI extension, even though no option "-a".
> As for selfserv, I suppose it should have an
We do this probing in NSS because we can't guarantee that the softoken
implementation matches the libssl implementation version. Yeah,
strange world we live in, right?
The probe is a little ugly, because there isn't a straight function
you can call that says "this algorithm is supported":
This i
See SSL_AlertReceivedCallback().
On 20 Dec. 2017 6:22 am, "Johann 'Myrkraverk' Oskarsson"
wrote:
> Hi,
>
> Is it really impossible to verify if the server sent close_notify in a
> normal NSS client application?
>
> In both cases, PR_Read() returns zero with no error messages or status
> differen
I think that Alex and Kurt partially answered your questions.
On Wed, Oct 18, 2017 at 8:27 PM, Gregory Szorc wrote:
> I'm very naive about how TLS libraries are implemented and how the TLS
> handshake works.
The basic design is that the client decides what to offer and then the
server picks. Yo
This should be defined in ecl-exp.h, which is transitively included
from ec.c via blapi.h and blapit.h.
On Thu, Sep 28, 2017 at 10:10 AM, Captain Wiggum wrote:
> I build nss and nss-softokn on a regular basis and follow periodic updates.
> I am seeing this new error with nss-softokn-3.28.3.tar.gz
The NSS team has released Network Security Services (NSS) 3.29.2
No new functionality is introduced in this release.
This is a patch release to fix an issue with TLS session tickets.
The full release notes are available at
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/NSS_3.29.2_r
On Sat, Feb 18, 2017 at 8:59 AM, Jeremy Rowley
wrote:
> It's still permitted in the policy.
>
> https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/#inclusion
Yes, well... The policy says P-512, which doesn't actually exist.
The intent is clear though. I've as
On Thu, Feb 16, 2017 at 4:22 AM, Gervase Markham wrote:
> Did things break when we disabled it?
A few things. It lasted less than a day in Nightly before we got
multiple bug reports.
> Do we know why Chrome decided not to support it? Two NIST curves is enough?
That's my understanding. P-521 i
On Thu, Feb 16, 2017 at 3:44 AM, Gervase Markham wrote:
> There seemed to be some confusion recently in m.d.s.policy about whether
> NSS, and then Firefox, supported P-521 for server auth certs. Can
> someone clear it up for me and tell me what the situation is? :-)
Sure. Both NSS and Firefox s
On Wed, Feb 15, 2017 at 7:59 PM, Miklos Vajna wrote:
> To avoid solving multiple problems at once, probably I'll go for
> another ECDSA testcase first where the parameter is supported by NSS. :-)
The best supported curve is P-256 (i.e., secp256r1), but P-384
(secp384r1) and P-521 (secp521r1) are
On Wed, Feb 15, 2017 at 7:37 PM, Franziskus Kiefer wrote:
> NSS currently doesn't support secp256k1 and there are no plans to implement
> it afaik. I know that it's popular in certain circles but as far as I know
> those don't often overlap with scenarios in which NSS is used.
> That said patches
You might also find this useful
(https://searchfox.org/nss/rev/d4fc405cac1d3da3b7285342b5c70e10b4dae734/lib/ssl/ssl3con.c#1358).
It uses the PK11 interface to verify a signature in TLS. You might
have to walk backwards to see how inputs are constructed.
On Wed, Feb 15, 2017 at 4:07 AM, Robert Rel
The NSS team has released Network Security Services (NSS) 3.28.2, which is a
minor release.
This is a stability and compatibility release. Below is a summary of
the changes.
Please refer to the full release notes for additional details:
https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NS
The details of how NSS constructs these values are internal to a given
NSS version and might change in different versions. For instance, the
indices and what they mean are highly likely to change in an upcoming
version.
On Wed, Jan 25, 2017 at 4:11 AM, Maxim Rise wrote:
> Hello.
>
> I am trying t
Are you certain that you configured the socket? If you can run the
debugger, you should be able to drop a breakpoint in
ssl3_SendClientHello and examine ss->cipherSuites. If that shows more
than two entries with the enabled field equal to 1, you probably
didn't correctly configure the socket.
On
Hi John,
Could you open a bug?
https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=Libraries
On Thu, Dec 29, 2016 at 5:19 PM, John Jiang wrote:
> Hi,
> I tried to build NSS 3.27.1 [1] on Mac OS X 10.10, but the building ended
> with the following message:
> ocsp.c:2200:32: error: un
You can compile with
make nss_build_all NSS_SSL_ENABLE_ZLIB=
To disable zlib. It's not a feature you want, we just keep it because
some existing users depend on it.
On Thu, Oct 20, 2016 at 11:10 PM, Kai Engert wrote:
> On Thu, 2016-10-20 at 10:13 +, Ding Yangliang wrote:
>> ssl3con.c:36:18
On Mon, May 23, 2016 at 7:29 PM, Julien Pierre wrote:
> Will the deprecated functions stop working right away ? Or is there a
> scheduled time at which they won't be supported anymore in the future ?
There are no plans to remove these. Since they are so widely used, I
expect that we may never g
On Sun, May 22, 2016 at 5:16 PM, RJT wrote:
> `certutil -L -d sql:${HOME}/.pki/nssdb`
That lists the names, then you can dump the details:
`certutil -L -d sql:${HOME}/.pki/nssdb -n `
On Mon, May 23, 2016 at 1:55 AM, Trick, Daniel
wrote:
> make BUILD_OPT=1
Try: make BUILD_OPT=1 nss_build_all
You have to build NSPR first, and this does that for you.
cd .. Then try again.
On 21 May 2016 11:05 PM, "Rajiv Reddy" wrote:
> I am following the instructions given on
> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/SSL_functions/gtstd.html#1012301
> for getting started with SSL. As given in step 1, I successfully set up the
> CA DB and
On Wed, May 11, 2016 at 11:08 PM, Hubert Kario wrote:
> I haven't tested it, but I don't think that will stop NSS trusting RSA
> certificates signed by ECC CAs.
There are plenty of things that NSS will still do with ECC if you
disable ECC cipher suites. That's for sure. If you are scared of
ECC
On Fri, May 6, 2016 at 10:12 AM, Peter Bowen wrote:
> Is a reasonable path to implement
> https://tools.ietf.org/html/draft-ietf-tls-negotiated-ff-dhe-10 and
> treat ECDHE suites as being DHE using a Supported Group? This would
> avoid new cipher suite IDs and accomplish the same result.
I'm imp
On Fri, May 6, 2016 at 9:33 AM, Brian Smith wrote:
> So, I don't think that dropping AES-256 is the right thing to do. Instead,
> the ECDHE-AES-256-GCM cipher suites should be added to Firefox. Note that
> they were just recently added to Google Chrome.
These are also coming to NSS, likely in 3.2
At the TLS layer, you can disable all suites that require ECC.
On Sat, Apr 30, 2016 at 4:40 AM, Franziskus Kiefer wrote:
> there's no runtime option but you can disable it at compile time with
> NSS_DISABLE_ECC, see [1]
>
> [1]
> https://developer.mozilla.org/en-US/docs/Mozilla/Projects/NSS/Refer
AIUI, support for stapling in NSS is pretty primitive. You are expected to
make the OCSP query yourself and use the API to configure the server.
On Mar 2, 2016 7:42 AM, "Rob Crittenden" wrote:
> I don't see a way to implement OCSP stapling on the server side.
>
> SSL_SetStapledOCSPResponses() is
Hi Shaun,
As the documentation suggests, this is very likely a server problem. We
have recently audited the NSS state machine and I think it would be
unlikely that this is a client issue.
I would definitely look at the servers. Old versions of openssl are full of
holes anyway.
If you are able to
e,
>
> Don't rebuild Firefox, except as an experiment. I suggest you file an
> NSS bug report to request to have PK11_Verify added to
> config/external/nss/nss.symbols:
>
> https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS
>
> Click the "Show Advanced Fields"
= tls13_EncodeUintX(labelLen + kLabelPrefixLen, 1, ptr);
> ^
> tls13hkdf.c:142:9: error: assignment makes pointer from integer without a
> cast [-Werror]
> ptr = tls13_EncodeUintX(handshakeHashLen, 1, ptr);
> ^
> cc1: all warnings being treated as errors
>
> T
Hi Thomas,
Do you think that you could push these patches to bugzilla? See
https://bugzilla.mozilla.org/enter_bug.cgi?product=NSS&component=Libraries
And it would be easier to review this as a single patch, I think,
since all the changes are fairly simple.
On Sat, Jan 30, 2016 at 11:40 PM, Thom
Yeah, NSS supports ALPN server side.
On Tue, Dec 1, 2015 at 6:53 AM, Rob Crittenden wrote:
> Is ALPN supported on the server side? I can't tell from
> the API and Julien asked in
> https://bugzilla.mozilla.org/show_bug.cgi?id=959664 but never got an answer.
>
> I'm looking to add HTTP/2.0 support
53 matches