Update on my NSS + PKCS11 troubles:

I finally got my NSS client app to work with the PKCS11 crypto module and
the smartcard, and use the client cert on the card for SSL client auth.  The
problem was my use of SSL_ForceHandshake...I was using it before any data
exchange between client and server, and for some unexplained reason, that
was preventing the cert on the card from being used...Isn't that odd? The
SSL handshake was able to complete (SSL_ForceHandshake returned with no
error) but the client was not able to use the cert on the card (if you recall,
NSS balked at the attempt because "The key does not support the requested
operation")??

Speaking of SSL handshakes, when and why is SSL_ResetHandshake used? Is that
the first before redoing a full SSL handshake (with SSL_RedoHandshake)?

-- P

"Patrick" <[EMAIL PROTECTED]> wrote in message
news:3c14987e$[EMAIL PROTECTED]...
> Regarding the use of NSS and PKCS#11 crypto modules:
>
> I have talked about this earlier, where I had an NSS *3.1*-enabled app
> trying to use a certificate stored on a smartcard for SSL authentication,
> but NSS would balk at my attempt because "The key does not support the
> requested operation". It was thought that maybe the PKCS#11 module supported
> an old version of Communicator and therefore may have had a subset of
> PKCS#11 implemented...
>
> Well, I tried the same PKCS#11 module with the latest Communicator (6.2),
> which is very cool, by the way.  I first added the PKCS#11 crypto module to
> the browser (Edit Preferences->Privacy&Security->Certificates->Manage
> Security Devices), and then attempted to access a Web server which requires
> client SSL authentication.
>
> The Communicator 6.2 browser behaved just fine: I was able to see the certs
> on the card in my certificate list, and more importantly, I was able to *use
> the cert on the card for SSL client authentication* at the Web site. I
> believe this proves that the PK11 crypto module works just fine with NSS3.x,
> correct? Didn't we say Communicator 6.2 uses NSS3.x? In which case why
> wouldn't my NSS 3.1-enabled app be able to do the same?
>
> BTW, the way I add the crypto module in my NSS-enabled app is via
> SECMOD_AddNewModule(modName, libFile, 0, 0 ), where the last 2 parameters
> (cipherString and mechanismString) are zero. I believe doing so means that
> NSS will use NSS-provided ciphers and crypto mechanisms, as opposed to the
> ones that the crypto module may have implemented.  Maybe I should be adding
> the module with different cipherString, mechanismString strings?
> More generally,  when a new crypto module is added via the Communicator
> interface (Edit Preferences->Privacy&Security->Certificates->Manage Security
> Devices), what does NSS use then for cipherString, mechanismString
> parameters??
>
> -- P