Patrick wrote:

>About cert approval callback in JSS:
>the approval callback (see
>org\mozilla\jss\ssl\SSLCertificateApprovalCallback.html) is good for both
>client and server side, correct? The documentation still talks only about
>client approving the server cert...I hope it's only a case of the doc
>being outdated...
>

Yes, it can be used with both SSLSocket and SSLServerSocket.

>
>
>And more generally about callbacks in JSS:
>NSS has a few callbacks (see
>http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html#1089578
>), JSS seems to have only 2 for dealing with certs (the 2 in
>org\mozilla\jss\ssl\), am I correct?
>

NSS has three callbacks related to certificates. JSS has two. But JSS combines two of the NSS callbacks into one.

NSS's three SSL cert callbacks are:

1. SSL_AuthCertificateHook sets a callback to authenticate the peer's certificate. It is called instead of NSS's routine for authenticating certificates.
2. SSL_BadCertHook sets a callback that is called when NSS's routine fails to authenticate the certificate.
3. SSL_GetClientAuthDataHook sets a callback to return the local certificate for SSL client auth.

JSS's two callbacks are:

1. SSLCertificateApprovalCallback is a combination of SSL_AuthCertificateHook and SSL_BadCertHook. It runs NSS's cert authentication check, then calls the callback regardless of whether the cert passed or failed. The callback is told whether the cert passed, and then can do anything extra that it wants to do before making a final decision.
2. SSLClientCertificateSelectionCallback is analogous to SSL_GetClientAuthDataHook.
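An added example, not part of the original post and not JSS's own code: a sketch of an SSLCertificateApprovalCallback that takes the pass/fail result described above, logs each failure reason, and only then applies an extra local check. The class name `StrictApprovalCallback` and the `expectedSubject` policy are hypothetical; the `main` uses a constructed ValidityStatus so the logic can be exercised without a live connection, and it assumes the JSS jar is on the classpath.

```java
import java.util.Enumeration;
import org.mozilla.jss.crypto.X509Certificate;
import org.mozilla.jss.ssl.SSLCertificateApprovalCallback;

// Hypothetical class; only the JSS interface and its nested types are real.
public class StrictApprovalCallback implements SSLCertificateApprovalCallback {
    private final String expectedSubject; // assumed extra policy; null disables it

    public StrictApprovalCallback(String expectedSubject) {
        this.expectedSubject = expectedSubject;
    }

    // JSS calls this after NSS's own check, whether that check passed or failed.
    public boolean approve(X509Certificate cert, ValidityStatus status) {
        String subject = (cert == null) ? "<none>" : cert.getSubjectDN().getName();
        boolean nssPassed = true;
        Enumeration<?> reasons = status.getReasons();
        while (reasons.hasMoreElements()) {
            ValidityItem item = (ValidityItem) reasons.nextElement();
            nssPassed = false; // any recorded reason means NSS validation failed
            System.err.println("cert check failed: subject=" + subject
                + " reason=" + describe(item.getReason())
                + " depth=" + item.getDepth());
        }
        if (!nssPassed || cert == null) {
            return false; // fail closed: never override an NSS failure
        }
        // The "anything extra" step: an additional local policy on top of NSS.
        return expectedSubject == null || expectedSubject.equals(subject);
    }

    private static String describe(int reason) {
        if (reason == ValidityStatus.EXPIRED_CERTIFICATE) return "expired";
        if (reason == ValidityStatus.REVOKED_CERTIFICATE) return "revoked";
        if (reason == ValidityStatus.UNKNOWN_ISSUER) return "unknown issuer";
        if (reason == ValidityStatus.UNTRUSTED_ISSUER) return "untrusted issuer";
        if (reason == ValidityStatus.BAD_CERT_DOMAIN) return "name mismatch";
        return "NSS error " + reason;
    }

    public static void main(String[] args) {
        // Constructed status: simulates NSS reporting an expired peer cert.
        ValidityStatus failed = new ValidityStatus();
        failed.addReason(ValidityStatus.EXPIRED_CERTIFICATE, null, 0);
        StrictApprovalCallback cb = new StrictApprovalCallback(null);
        System.out.println("failed check approved? " + cb.approve(null, failed));
    }
}
```

The same callback object serves either side of the connection, since it only inspects the peer certificate and the status NSS hands it.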
