William Brown wrote:
https://fedorahosted.org/389/ticket/48798
https://fedorahosted.org/389/attachment/ticket/48798/0001-Ticket-48798-Enable-DS-to-offer-weaker-DH-params-in-.patch
https://fedorahosted.org/389/attachment/ticket/48798/0001-Ticket-48798-lib389-add-ability-to-create-nss-ca-and.patch
I don't understand why you are linking enabling weak DH params with
enabling DHE on the server side, or are you just forcing server-side DH
if the weak params are enabled? Is there some other switch to enable
server-side DH too? What about the managing the DH ciphers?
You should check for the existence of SSL_ENABLE_SERVER_DHE if you want
to be able to build with older NSS.
In the second patch there is no context why creating your own CA is
linked in any way with testing DH params, plus the "This is a trick"
code is duplicated between the patches. I think I'd just revise the
commit message on the second patch saying it is code to generate an RSA
CA and leave it at that.
There is a comment that the "shipped" NSS db is broken but no
explanation of how.
rob
--
389-devel mailing list
389-devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/389-devel@lists.fedoraproject.org
