On 03/15/2010 10:03 AM, Gregory BELLIER wrote:
>
>
> Robert Relyea wrote:
>>> In sslsock.c, I print ssl3_CipherPrefSetDefault and I can see that my
>>> cipher is not enabled.
>>>
>>> Do you have any hints/tests which could help me? Some tests I could
>>> do?
>>> What am I missing?
>>>     
>>
>> OK, this is your overall problem. If NSS does not have a cipher enabled,
>> it will neither advertise it nor select it, no matter where it is on the
>> list.
>>
>> There are two possible reasons for this:
>>
>> 1) New Ciphers are not enabled by default, you need to explicitly turn
>> on that cipher in the application.
>> (you can do this in selfserv and tstclnt just by cipher suite
>> number). Some applications query the available ciphers and turn them on
>> automatically, others will need to be modified.
>> 2) All ciphers are checked to make sure there is an implementation for
>> the cipher (that is there is a PKCS #11 module that implements that
>> cipher). If your PKCS #11 module is not loaded, the cipher will never be
>> enabled. Since you got S/MIME to work, I'm presuming you have a PKCS #11
>> mechanism number for the cipher already and that mechanism is already
>> implemented in some PKCS #11 module.
> I finally managed to have my cipher enabled. However it is still not
> picked at the negotiation. I did my tests and built OpenSSL several
> times with Camellia enabled and as a priority and the same thing with
> NSS. It works.
> I did it one more time with SEED. Each time I manage to achieve what I
> want with other ciphers.
>
> As I said I would do, I looked everywhere in the code where the word
> "camellia" appears and my code is very much alike. I really don't know.
>
> What's your opinion?
I think you should try to get it to work with only your cipher enabled
first. Once you know that both sides can talk your cipher correctly,
then you can start looking at priority issues.

I'd also try to get it working between NSS and an NSS server first
before adding a third variable (OpenSSL) to the mix.

bob
>
> Gregory.
>
>


-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
