Re: Where is NSS used?

2013-07-10 Thread Robert Relyea

On 07/08/2013 12:00 PM, Rick Andrews wrote:

> I need to remove some 1024-bit roots from Firefox’s trust store, but I realize 
> that these trusted roots are part of the NSS library, and that the NSS library 
> is used by lots of other software, not just Firefox. Removing these roots may 
> have far-reaching consequences. I understand that there isn't a list of all the 
> different places where NSS is used, but can anyone provide some guidance? Even 
> a broad incomplete list of NSS users is better than nothing. Thanks!

What context are you talking about? If you remove the roots from firefox 
using the firefox UI, it won't remove the roots for other applications. 
The builtins root store is a compiled binary file. When you use the 
firefox UI to remove the root, it creates an entry in your local cert 
database that says the cert 'has been removed'. It's really still there, 
but marked as not explicitly trusted, which overrides the trust in the 
builtin's database. Other applications using their own database will not 
see these changes.


bob



-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: NSS key3.db file size keeps growing

2013-07-10 Thread Robert Relyea

On 05/30/2013 01:45 PM, prax.xyzc...@gmail.com wrote:

> Platform/OS: CentOS release 6.3 (Final)
> Linux x 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21 UTC 2012 x86_64 
> x86_64 x86_64 GNU/LinuxLinux
>
> NSS Version:
> nss.x86_64 3.13.3-6.el6
> nss-softokn.x86_64 3.12.9-11.el6
> nss-softokn-freebl.x86_64 3.12.9-11.el6
>
> Problem:
> We have a Java7 application that uses NSS (with FIPS mode enabled) for RSA 
> based crypto operations via SunPKCS11 Java abstraction.
>
> The RSA key pairs and corresponding X.509 certs are generated and stored within 
> NSS from Java application using SunPKCS11 APIs.
>
> What I am noticing is that key3.db file size grows with operations like RSA key 
> lookup/encryption/decryption (running in FIPS mode) over a period of time 
> within the context of number of crypt operations. Typically I have observed that 
> the file size grows in chunks of 4K bytes with just roughly 35/40 
> encryption/decryption operations.

It sounds like someone is creating more keys without deleting them. What 
does certutil -K -d {database} show?

> Why would key3.db file increase in size when nothing is being requested to be 
> stored and the only operations that are being performed are - lookup or 
> encryption/decryption. Does NSS store something within the database (key3.db) 
> as part of cryption operations?

NSS only stored private and secret keys, and only if the application 
requested those keys to be permanent (= CKA_TOKEN=TRUE in pkcs #11 
parlance).

> NOTE: FYI, no change in size is observed in cert8.db file.
>
> Any help would be greatly appreciated.
>
> Please let me know if any other piece of information would be helpful in 
> figuring out what might be going on.
>
> Regards,
> Prax
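One way to act on the `certutil -K -d {database}` check suggested in the reply above, as an added example that is not part of the original thread: save one listing before and one after a batch of operations, then diff the key IDs to see whether persistent keys were added. The listings below are constructed sample data, and the line layout (`<index> type hex-key-id nickname`) is an assumption about the `certutil -K` output format.

```shell
#!/bin/sh
# Added example: compare two saved `certutil -K -d {database}` listings.
# Assumption: each key line looks like "< 0> rsa  <hex key id>  <nickname>".

# Print the hex key ID from every key line of a listing read on stdin.
key_ids() {
    sed -n 's/^<[ 0-9]*>[[:space:]]*[^[:space:]]*[[:space:]]*\([0-9a-fA-F]\{8,\}\).*/\1/p' | sort -u
}

# Print key IDs present in listing file $2 but absent from listing file $1.
new_key_ids() {
    before_ids=$(mktemp) || return 1
    after_ids=$(mktemp) || { rm -f "$before_ids"; return 1; }
    key_ids < "$1" > "$before_ids"
    key_ids < "$2" > "$after_ids"
    comm -13 "$before_ids" "$after_ids"   # lines unique to the "after" set
    rm -f "$before_ids" "$after_ids"
}

# Run the comparison on two constructed listings (not real certutil output).
demo_constructed() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/before.txt" <<'EOF'
certutil: Checking token "<token name>" in slot "<slot name>"
< 0> rsa      1f0c9a7e5b3d42618899aabbccddeeff00112233   app-signing-key
EOF
    cat > "$dir/after.txt" <<'EOF'
certutil: Checking token "<token name>" in slot "<slot name>"
< 0> rsa      1f0c9a7e5b3d42618899aabbccddeeff00112233   app-signing-key
< 1> rsa      7ad4e2b19c0f4d35a6b7c8d9e0f1a2b3c4d5e6f7   (orphan)
< 2> rsa      c35e8f10a2b4c6d8e0f21436587a9cbedf013579   (orphan)
EOF
    new_key_ids "$dir/before.txt" "$dir/after.txt"
    rm -rf "$dir"
}
```

Against a real database, the two input files would be the saved output of `certutil -K -d {database}` taken before and after the encryption/decryption run.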

  







Re: Where is NSS used?

2013-07-10 Thread Ryan Sleevi
On Mon, July 8, 2013 12:00 pm, Rick Andrews wrote:
>  I need to remove some 1024-bit roots from Firefox’s trust store, but I
>  realize that these trusted roots are part of the NSS library, and that the
>  NSS library is used by lots of other software, not just Firefox. Removing
>  these roots may have far-reaching consequences. I understand that there
>  isn't a list of all the different places where NSS is used, but can anyone
>  provide some guidance? Even a broad incomplete list of NSS users is better
>  than nothing. Thanks!

Rick,

I think you may find it better to consider moz.dev.sec.policy, in the hope
of reaching the people watching for additions. The issue is that there are
a vast, vast number of applications that use the Mozilla Root Certificate
Program data, but without using NSS. The removal of these roots would
equally affect them.

This includes, for example, nearly every major Linux distribution
(typically as part of their ca-certificates package), which are further
consumed by a variety of applications and libraries (including OpenSSL,
GnuTLS, and plenty of 'home-grown' solutions, unfortunately).

That said, the operation of Mozilla's Root Program is done according to
the needs and abilities of NSS, and these secondary consumers are not
'officially' supported.



Where is NSS used?

2013-07-10 Thread Rick Andrews
I need to remove some 1024-bit roots from Firefox’s trust store, but I realize 
that these trusted roots are part of the NSS library, and that the NSS library 
is used by lots of other software, not just Firefox. Removing these roots may 
have far-reaching consequences. I understand that there isn't a list of all the 
different places where NSS is used, but can anyone provide some guidance? Even 
a broad incomplete list of NSS users is better than nothing. Thanks!


Re: [ANNOUNCE] NSS 3.15.1 Release

2013-07-10 Thread Erwann Abalea
On Tuesday, 2 July 2013 19:51:05 UTC+2, Kai Engert wrote:
> The NSS team has released Network Security Services (NSS) 3.15.1, which is
> a minor release.
> 
> The HG tag is NSS_3_15_1_RTM. NSS 3.15.1 requires NSPR 4.10 or newer.
> 
> Detailed release notes are available at
> https://developer.mozilla.org/en-US/docs/NSS/NSS_3.15.1_release_notes

Bug 856060 mentioned in the release notes isn't public?


NSS key3.db file size keeps growing

2013-07-10 Thread prax . xyzcorp

Platform/OS: CentOS release 6.3 (Final)
Linux x 2.6.32-279.el6.x86_64 #1 SMP Fri Jun 22 12:19:21 UTC 2012 x86_64 
x86_64 x86_64 GNU/LinuxLinux

NSS Version:
nss.x86_64 3.13.3-6.el6
nss-softokn.x86_64 3.12.9-11.el6
nss-softokn-freebl.x86_64 3.12.9-11.el6

Problem: 
We have a Java7 application that uses NSS (with FIPS mode enabled) for RSA 
based crypto operations via SunPKCS11 Java abstraction. 

The RSA key pairs and corresponding X.509 certs are generated and stored within 
NSS from Java application using SunPKCS11 APIs. 

What I am noticing is that key3.db file size grows with operations like RSA key 
lookup/encryption/decryption (running in FIPS mode) over a period of time 
within the context of number of crypt operations. Typically I have observed that 
the file size grows in chunks of 4K bytes with just roughly 35/40 
encryption/decryption operations. 

Why would key3.db file increase in size when nothing is being requested to be 
stored and the only operations that are being performed are - lookup or 
encryption/decryption. Does NSS store something within the database (key3.db) 
as part of cryption operations? 

NOTE: FYI, no change in size is observed in cert8.db file. 

Any help would be greatly appreciated.

Please let me know if any other piece of information would be helpful in 
figuring out what might be going on. 

Regards,
Prax

 
