Bill Price wrote, On 2008-07-24 15:17 PDT:
> I'm trying to do TLS using an ECC ciphersuite. I thought FF3 natively 
> supported it (ECC ciphersuites are enabled in about:config). Using normal
> downloads of FF3 on either Linux or Windows I'm getting the error that 
> there's no common ciphersuite. Looking at SSLTap, both versions of FF3 
> browser are not offering any of the ECC cipher suites.

Both versions?  What versions are those?
Did you download these from Mozilla?
Or did you download these from some Linux distributor?

If from some Linux distributor, I advise you to ask that distributor about
any changes they may have made to the version of NSS they distribute.
If your distributor tells you "we removed ECC support", please report that
back to us here.

If you see this problem with FF3 downloaded from mozilla.org, then please
file a bug in bugzilla.mozilla.org, product "core", component "Security/PSM".

> I tried a search but did not quickly find any references on how to enable
> FF3 for ECC suites. Are there instructions on how to do so somewhere?

Go to about:config.
Filter on the string "ssl3.ecd" (without the quotes).
All items should be non-bold, type binary, status "default".
All items should have the value "true", except for those whose names
include the string _null_, which should be false.

If you filter on the string "ssl3.ecd*null", all the results should
have the value false.
If you filter on the string "ssl3.ecd*es", all the results should
have the value true.
If you filter on the string "ssl3.ecd*rc", all the results should
have the value true.
(From this you may correctly infer that preference filtering uses patterns
similar to those used for file name "globbing" by the shell.)

If you find your results are different from that, and you have not
previously altered these preferences knowingly, please report to us
what differences you found between your settings and those I described.

> If the browser behavior is based on the NSS libraries, can I have the
> browser reference an alternate set of libraries (I have ECC enabled
> libraries in /usr/lib on a Fedora Core 8 Linux system)?  Any help or
> suggestions would be appreciated. Thanks.

As I wrote in another posting to this newsgroup today, ECC is alive and
well in NSS as found in the NSS sources that you can get from the Mozilla
source repository, when built with NSS's own build system.   Source code
files obtained from other repositories or distributions may be different.
Other Makefile systems than NSS's own may also be different.

The NSS team would like to know of any distributions of NSS that have
altered the basic set of capabilities from what the NSS team offers, so
that we may handle support requests for those distributions accordingly.

You can always add third party PKCS#11 modules to your browser and avail
yourself of their capabilities, provided that your browser distribution
has not been altered to disable those capabilities even when the underlying
cryptographic algorithms are available.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
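
The about:config check described in the reply above can also be run against a profile's prefs.js, which records only preferences changed from their defaults. This is an added example, not part of the original message: the sample file contents are constructed, and the preference names in it are assumed to follow the security.ssl3.ecd* naming that the filters in the message match.

```python
import re
from fnmatch import fnmatchcase

# Filter patterns from the message, with the value each match should have.
# Checked in order; the last entry covers "all other ssl3.ecd items are true".
RULES = [
    ("*ssl3.ecd*null*", False),
    ("*ssl3.ecd*es*", True),
    ("*ssl3.ecd*rc*", True),
    ("*ssl3.ecd*", True),
]

# prefs.js stores one user-changed preference per line in this form.
USER_PREF = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(true|false)\s*\)\s*;')

# Constructed sample, not taken from a real profile.
SAMPLE_PREFS_JS = '''\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("security.ssl3.ecdhe_rsa_aes_128_sha", false);
user_pref("security.ssl3.ecdh_ecdsa_null_sha", true);
user_pref("security.ssl3.ecdhe_ecdsa_rc4_128_sha", true);
'''

def expected_value(name):
    """Return the value the message says this preference should have, or None."""
    for pattern, value in RULES:
        if fnmatchcase(name, pattern):
            return value
    return None

def audit_prefs(text):
    """List (name, actual, expected) for every user-set ECC cipher preference."""
    findings = []
    for line in text.splitlines():
        match = USER_PREF.match(line)
        if not match:
            continue
        name, actual = match.group(1), match.group(2) == "true"
        expected = expected_value(name)
        if expected is not None:
            findings.append((name, actual, expected))
    return findings

if __name__ == "__main__":
    for name, actual, expected in audit_prefs(SAMPLE_PREFS_JS):
        note = "matches" if actual == expected else "DIFFERS from"
        print(f"{name} = {actual} (user set, {note} expected {expected})")
```

Every entry the audit returns is one that about:config would show as user set rather than default, so an unmodified profile should produce an empty list.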
