Re: Unable to add module, but why?

2011-01-25 Thread Lars Blomqvist
Thanks for the reply, and yes, it's a module that others have reported
working fine with Firefox, but I and some other people can't get it loaded
for some reason.
Might be some sort of incompatibility between the module and my build of
Firefox, but without more informative feedback from FF and/or NSS that's a
bit hard to know.

// L
On Tue, Jan 25, 2011 at 1:17 AM, Daniel Veditz dved...@mozilla.com wrote:

  Forwarding question to the mozilla.dev.tech.crypto group.

 Is this a module you're creating yourself, or one you know works
 fine with Firefox for other people?

 On 1/21/11 6:21 PM, Lbm wrote:
  Hi, first of all I hope I'm posting this question in the right place.
 
  Anyway, I've been trying to add a specific PKCS#11 module to Firefox
  and keep getting the rather uninformative message "Unable to add
  module". What I'd like to know is how one might be able to get some
  more info on _why_ the module can't be loaded?
 
  Also noticed that one can debug modules using a specific environment
  variable, but since the actual module is never loaded at all that's
  pretty much a no go.
 
  Any info would be really appreciated!

 ___
 dev-security mailing list
 dev-secur...@lists.mozilla.org
 https://lists.mozilla.org/listinfo/dev-security

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
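Firefox's dialog only says that the module could not be added; the actual failure happens in one of a handful of steps that any PKCS#11 loader performs (dynamic load, symbol lookup, C_Initialize, C_GetInfo), and each of those steps has an error of its own. The following probe is an added example and is not code from the thread, from Firefox or from NSS: it repeats those steps from Python via ctypes against a module path you supply and reports the first one that fails, with the dynamic loader's message (bad path, missing dependency, 32-bit module in a 64-bit process) or the CKR_* code the module returned. The struct layouts follow the Unix pkcs11.h conventions (natural alignment; Windows headers pack to one byte, which the code switches on); the CKR name table is the small subset of standard return codes that usually appear at load time, and the sample paths in the usage note are placeholders.

```python
"""Probe a PKCS#11 module outside Firefox and report why it will not load.

Added example (not from the mailing list thread, Firefox or NSS): performs the
same first steps a PKCS#11 loader does -- dlopen, find C_GetFunctionList, call
C_Initialize and C_GetInfo -- and reports the first failing step, which is the
detail the "Unable to add module" dialog hides.
"""
import ctypes
import ctypes.util
import sys

CKF_OS_LOCKING_OK = 0x00000002
_PACKED = sys.platform == "win32"   # Windows pkcs11.h packs structs to 1 byte

# Subset of the standard PKCS#11 return codes that typically surface at load time.
CKR_NAMES = {
    0x000: "CKR_OK", 0x002: "CKR_HOST_MEMORY", 0x005: "CKR_GENERAL_ERROR",
    0x006: "CKR_FUNCTION_FAILED", 0x007: "CKR_ARGUMENTS_BAD",
    0x009: "CKR_NEED_TO_CREATE_THREADS", 0x00A: "CKR_CANT_LOCK",
    0x030: "CKR_DEVICE_ERROR", 0x054: "CKR_FUNCTION_NOT_SUPPORTED",
    0x0E0: "CKR_TOKEN_NOT_PRESENT", 0x190: "CKR_CRYPTOKI_NOT_INITIALIZED",
    0x191: "CKR_CRYPTOKI_ALREADY_INITIALIZED",
}


def ckr_name(rv):
    """Symbolic name for a CK_RV, or CKR_0x... for codes outside the table."""
    return CKR_NAMES.get(rv, "CKR_0x%X" % rv)


class CK_VERSION(ctypes.Structure):
    _fields_ = [("major", ctypes.c_ubyte), ("minor", ctypes.c_ubyte)]


class CK_INFO(ctypes.Structure):
    if _PACKED: _pack_ = 1
    _fields_ = [("cryptokiVersion", CK_VERSION),
                ("manufacturerID", ctypes.c_char * 32),
                ("flags", ctypes.c_ulong),
                ("libraryDescription", ctypes.c_char * 32),
                ("libraryVersion", CK_VERSION)]


CK_RV = ctypes.c_ulong
C_Initialize_t = ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)
C_Finalize_t = ctypes.CFUNCTYPE(CK_RV, ctypes.c_void_p)
C_GetInfo_t = ctypes.CFUNCTYPE(CK_RV, ctypes.POINTER(CK_INFO))


class CK_FUNCTION_LIST(ctypes.Structure):
    # Only the prefix this probe calls; the real table continues with many more
    # function pointers, which a prefix view of the module's struct can ignore.
    if _PACKED: _pack_ = 1
    _fields_ = [("version", CK_VERSION), ("C_Initialize", C_Initialize_t),
                ("C_Finalize", C_Finalize_t), ("C_GetInfo", C_GetInfo_t)]


class CK_C_INITIALIZE_ARGS(ctypes.Structure):
    if _PACKED: _pack_ = 1
    _fields_ = [("CreateMutex", ctypes.c_void_p), ("DestroyMutex", ctypes.c_void_p),
                ("LockMutex", ctypes.c_void_p), ("UnlockMutex", ctypes.c_void_p),
                ("flags", ctypes.c_ulong), ("pReserved", ctypes.c_void_p)]


def _ck_str(raw):
    # CK_UTF8CHAR[32] fields are space padded rather than NUL terminated.
    return raw.rstrip(b" \0").decode("utf-8", "replace")


def probe_module(path):
    """Return a dict whose 'stage' names the first failing step (or 'ok')."""
    result = {"path": path, "ok": False}
    try:
        lib = ctypes.CDLL(path)
    except OSError as exc:            # bad path, missing dependency, wrong arch
        result.update(stage="dlopen", error=str(exc))
        return result
    try:
        get_list = lib.C_GetFunctionList
    except AttributeError:            # not a PKCS#11 module at all
        result.update(stage="dlsym", error="C_GetFunctionList not exported")
        return result
    get_list.restype = CK_RV
    get_list.argtypes = [ctypes.POINTER(ctypes.POINTER(CK_FUNCTION_LIST))]
    flist_p = ctypes.POINTER(CK_FUNCTION_LIST)()
    rv = get_list(ctypes.byref(flist_p))
    if rv != 0 or not flist_p:
        result.update(stage="C_GetFunctionList", error=ckr_name(rv))
        return result
    flist = flist_p.contents
    # CKF_OS_LOCKING_OK with no mutex callbacks is the most widely accepted form;
    # a module that answers CKR_CANT_LOCK here wants a different locking model.
    args = CK_C_INITIALIZE_ARGS(flags=CKF_OS_LOCKING_OK)
    rv = flist.C_Initialize(ctypes.addressof(args))
    if rv not in (0, 0x191):          # already-initialised is not a failure
        result.update(stage="C_Initialize", error=ckr_name(rv))
        return result
    info = CK_INFO()
    rv = flist.C_GetInfo(ctypes.byref(info))
    if rv == 0:
        result.update(stage="ok", ok=True,
                      cryptoki_version="%d.%d" % (info.cryptokiVersion.major,
                                                  info.cryptokiVersion.minor),
                      manufacturer=_ck_str(info.manufacturerID),
                      description=_ck_str(info.libraryDescription))
    else:
        result.update(stage="C_GetInfo", error=ckr_name(rv))
    flist.C_Finalize(None)
    return result


if __name__ == "__main__":
    for module_path in sys.argv[1:]:  # e.g. /usr/lib/opensc-pkcs11.so (placeholder)
        print(probe_module(module_path))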


Re: Setting the hostname to verify the cert against

2011-01-25 Thread Honza Bambas
Ben, proxy info (the last argument) could make a trick for you.  Fill 
proxy info with host:port of the server (as it actually stands as a 
proxy between the two clients).  Let host name passed to 
createTransport() be the name of the client.  This will make the 
underlying TCP socket connect to the server and expect to get updated to 
SSL later (as you already do with StartTLS()) and talk to the 'real' 
host then.


However, I'm not sure how to resolve a problem when a client is already 
behind a proxy server.


-hb-

On 1/24/2011 1:56 AM, Ben Bucksch wrote:

I am trying to implement XMPP, in chrome-JS.

XMPP resolves the server hostname using DNS SRV lookups, so if I want 
to get the server for foo.com, I may end up with e.g. 
abcdxmpp.foo.com as hostname. The user opened the connection to 
foo.com, though, and the SSL certificate is for foo.com, not 
abcdxmpp.foo.com (that's how all the clients apparently work).


I open a socket (nsISocketTransport) with SSL/STARTTLS, i.e.
Ci.nsISocketTransportService.createTransport(["starttls"], 1,
"abcdxmpp.foo.com", 5222, proxyInfo);


Now, how do I set the hostname to check the cert against?

By default, it uses the hostname that I open the socket to, but in my 
case of course that gives a bad_cert_domain error.


Of course I took 
socket.securityInfo.QueryInterface(Ci.nsISSLSocketControl), I need 
that to start STARTTLS anyway, but I don't see any way there to set 
the hostname to check again.


From what I understand, the app should be able to tell the security 
lib which hostname to check against, because we're supposed to check 
against what the user entered originally, not necessarily what we end 
up with. Most libs, e.g. java and Python, even require the app author 
to explicitly set this. So, I assume that possibility is somewhere, I 
just didn't find the API.


Can somebody help?

Ben




Re: Setting the hostname to verify the cert against

2011-01-25 Thread Rich Megginson

On 01/23/2011 05:56 PM, Ben Bucksch wrote:

I am trying to implement XMPP, in chrome-JS.

XMPP resolves the server hostname using DNS SRV lookups, so if I want to
get the server for foo.com, I may end up with e.g. abcdxmpp.foo.com
as hostname. The user opened the connection to foo.com, though, and
the SSL certificate is for foo.com, not abcdxmpp.foo.com (that's how
all the clients apparently work).

I open a socket (nsISocketTransport) with SSL/STARTTLS, i.e.
Ci.nsISocketTransportService.createTransport(["starttls"], 1,
"abcdxmpp.foo.com", 5222, proxyInfo);

Now, how do I set the hostname to check the cert against?

By default, it uses the hostname that I open the socket to, but in my
case of course that gives a bad_cert_domain error.

Of course I took
socket.securityInfo.QueryInterface(Ci.nsISSLSocketControl), I need that
to start STARTTLS anyway, but I don't see any way there to set the
hostname to check again.

From what I understand, the app should be able to tell the security lib
which hostname to check against, because we're supposed to check against
what the user entered originally, not necessarily what we end up with.
Most libs, e.g. java and Python, even require the app author to
explicitly set this. So, I assume that possibility is somewhere, I just
didn't find the API.

Can somebody help?


You might also be able to provide a cert verify callback.  Not sure how 
it would work in JSS, but OpenLDAP does something similar with C code. 
See 
http://www.openldap.org/devel/cvsweb.cgi/~checkout~/libraries/libldap/tls_m.c?rev=1.27&hideattic=1&sortbydate=0


The two main entry points are SSL_BadCertHook and 
SSL_AuthCertificateHook - these give you the ability to intercept the 
SSL_ERROR_BAD_CERT_DOMAIN error and handle it the way you want to.




Ben


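Both Ben's question (which name the certificate must be checked against after an SRV lookup) and Rich's answer (intercept SSL_ERROR_BAD_CERT_DOMAIN in an auth-certificate hook and decide for yourself) come down to the same decision, and it is worth seeing why the answer is "the origin domain the user typed" rather than the SRV target. DNS SRV answers are not authenticated: if the reference identity followed the lookup, anyone who can spoof the SRV record could steer the client to a host for which they hold a perfectly valid certificate. The code below is an added example, not code from the thread, from Mozilla or from NSS: a pure-Python model of that identity check with RFC 6125-style wildcard rules, a set of constructed scenarios (the hostnames are placeholders), and, for contrast, the way Python's own ssl module is told the reference identity explicitly via server_hostname, which is the "most libs require the app author to set this" behaviour Ben refers to. An NSS hook would make the same decision with the peer certificate's names in place of the presented_names list.

```python
"""Which name to verify an XMPP server certificate against after an SRV lookup.

Added example (not from the thread, Mozilla or NSS). The client connects to the
SRV target but verifies the certificate against the origin domain the user asked
for; the SRV target is untrusted input and is deliberately ignored for identity.
"""
import socket
import ssl


def reference_identity(origin_domain, srv_target):
    """The name to verify is the origin the user typed, never the SRV target.
    srv_target is accepted only to make the deliberate choice visible."""
    return origin_domain.lower().rstrip(".")


def _name_matches(pattern, name):
    """RFC 6125-style matching: case-insensitive, a single '*' allowed only as
    the entire leftmost label, never matching across a dot or a whole suffix."""
    pat = pattern.lower().rstrip(".").split(".")
    nm = name.lower().rstrip(".").split(".")
    if "*" not in pattern:
        return pat == nm
    # reject "f*o.example", "a.*.example" and bare "*.com"
    if pat[0] != "*" or any("*" in label for label in pat[1:]) or len(pat) < 3:
        return False
    return len(pat) == len(nm) and pat[1:] == nm[1:]


def cert_matches(presented_names, reference):
    """presented_names: dNSName SANs (or the CN fallback) as the server sent them."""
    return any(_name_matches(p, reference) for p in presented_names)


def check_server_identity(origin_domain, srv_target, presented_names):
    """The decision a bad-cert / auth-certificate hook has to make."""
    return cert_matches(presented_names, reference_identity(origin_domain, srv_target))


def open_xmpp_tls(origin_domain, srv_target, port=5222):
    """Real sockets: connect to the SRV-resolved host, but hand the origin domain
    to wrap_socket(server_hostname=...), which sets both SNI and the name the
    certificate is checked against. Network code, not exercised offline."""
    ctx = ssl.create_default_context()     # check_hostname=True by default
    raw = socket.create_connection((srv_target, port))
    # the XMPP <starttls/> stream negotiation would happen here, before wrapping
    return ctx.wrap_socket(raw, server_hostname=reference_identity(origin_domain, srv_target))


# Constructed scenarios (placeholder hostnames): origin, SRV target, cert names, expected.
SCENARIOS = [
    # honest setup: SRV for foo.com points at abcdxmpp.foo.com, cert names foo.com
    ("foo.com", "abcdxmpp.foo.com", ["foo.com", "*.foo.com"], True),
    # cert names only the SRV target: rejected, the user never asked for that host
    ("foo.com", "abcdxmpp.foo.com", ["abcdxmpp.foo.com"], False),
    # spoofed SRV record: attacker holds a valid cert for their own host, still rejected
    ("foo.com", "xmpp.evil.example", ["xmpp.evil.example", "*.evil.example"], False),
    # wildcard rules: *.foo.com covers chat.foo.com but not foo.com or a.b.foo.com
    ("chat.foo.com", "x.foo.com", ["*.foo.com"], True),
    ("foo.com", "x.foo.com", ["*.foo.com"], False),
    ("a.b.foo.com", "x.foo.com", ["*.foo.com"], False),
]


def run_scenarios():
    """True for each scenario whose outcome matches the expectation above."""
    return [check_server_identity(o, s, names) == expected
            for o, s, names, expected in SCENARIOS]


if __name__ == "__main__":
    for (o, s, names, expected), ok in zip(SCENARIOS, run_scenarios()):
        print("%-12s via %-18s cert=%-38s -> %s" % (o, s, names, "PASS" if ok else "FAIL"))
```

The model keeps the two roles apart on purpose: the SRV target decides where the TCP connection goes, the origin domain decides what the certificate must say. Honza's proxy-info trick in the thread is one way to get that separation out of Mozilla's socket transport; the check itself is the same regardless of which API ends up performing it.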