Re: NSS, AIA, Bridge
I previously replied to this but my reply hasn't shown up here in the newsgroup, apparently, so ...

On 2009-07-14 06:44 PDT, dmorford wrote:
>> Is Firefox the program that you're trying to get to use AIAs and CDPs? Firefox does not do that yet, not even when it has NSS 3.12. Firefox 3 does not yet use this new feature.
>
> Any chance Firefox 3.5 supports AIA path processing and CDPs? You wrote above that Firefox 3 does not. I didn't see anything related in the 3.5 release notes, but just wanted to see if it was put in. If not, any idea when Firefox will support it?

FF 3.5.0 and FF 3.5.1 do not support fetching of certs from AIA extension URIs, nor fetching of CRLs from CDP extension URIs. The code to fetch certs from AIA URIs is present, but Firefox has not yet put it into use. The code to do CRL fetching is not yet present in FF 3.5.0 or 3.5.1, but has been made available in a new version of NSS that is not yet being used in FF 3.5.x. I expect this will change before the end of 2009, and CDP fetching will be put to use. I expect that will happen sooner than the fetching of certs from AIA URIs.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: NSS, AIA, Bridge
> Is Firefox the program that you're trying to get to use AIAs and CDPs? Firefox does not do that yet, not even when it has NSS 3.12. Firefox 3 does not yet use this new feature.

Any chance Firefox 3.5 supports AIA path processing and CDPs? You wrote above that Firefox 3 does not. I didn't see anything related in the 3.5 release notes, but just wanted to see if it was put in. If not, any idea when Firefox will support it?
Re: NSS, AIA, Bridge
Hi Nelson,

First of all, thank you very much for your time and for the quality answers. I've understood everything except one thing: Did you really mean that I could have 2 versions of NSS on my computer? One for Debian and one specific to Mozilla products. And then what exactly would be the purpose of Debian NSS?

Also, if there are 2 libraries, do they use the same keystore??? (For example, in a Windows environment there is the Windows key store and one specific to Firefox (Mozilla); is it the same for Linux, one general keystore and one specific to Mozilla?)

I have installed Firefox 3 through my Debian package manager Synaptic (so Firefox 3 is specific to Debian!). Is Firefox 3 always built with the NSS 3.x library (are the two 3s related) or could I have a Firefox 3 with an NSS 2.y? How can I know the version of my NSS???

Thanks a lot, have a nice week end

Eric
Re: NSS, AIA, Bridge
Hi Nelson,

Excuse me, I meant: can I have a Firefox 3 with an NSS 3.11? Because Firefox 3, on my test environment, is not able to fetch the missing certificates! That means that I don't have NSS 3.12 or (sadly) that NSS 3.12 is not well implemented (hope not). Once again, with the same bridge configuration, PKI configuration ... Windows is able to fetch missing certificates!

Thank you,

Eric
Re: NSS, AIA, Bridge
On 2009-06-05 03:16 PDT, Néric wrote:
> Hi Nelson,
> First of all, thank you very much for your time and for the quality answers. I've understood everything except one thing: Did you really mean that I could have 2 versions of NSS on my computer? One for Debian and one specific to Mozilla products.

Yes. Since they have different file names and may live in separate directories, you can have two flavors at once.

> And then what exactly would be the purpose of Debian NSS?

It is used by Debian's version of mozilla-derived products. For example, if I'm not mistaken, Debian has products named IceApe and IceWeasel which are derived by Debian from Firefox and Thunderbird sources. They use Debian's special NSS.

> Also, if there are 2 libraries, do they use the same keystore???

They could. I'm not aware of any changes that would make the DB files incompatible between the two versions.

> (For example, in a Windows environment there is the Windows key store and one specific to Firefox (Mozilla); is it the same for Linux, one general keystore and one specific to Mozilla?)

I can't speak for all Linux distros, but I believe the answer for Debian is Yes.

> I have installed Firefox 3 through my Debian package manager Synaptic (so Firefox 3 is specific to Debian!).

Is Firefox the program that you're trying to get to use AIAs and CDPs? Firefox does not do that yet, not even when it has NSS 3.12. Recall that I wrote:

>> NSS 3.12 has a new cert path validation function that will pay attention to those extensions, if you tell it to do so in the function arguments. Any program written to use NSS before 3.12 was released does not use the new feature.

Firefox 3 does not yet use this new feature.

> Is Firefox 3 always built with the NSS 3.x library (are the two 3s related) or could I have a Firefox 3 with an NSS 2.y?

No, the two 3's are not related. When built by the folks at Mozilla, Firefox 3 always uses NSS 3.12.x. Firefox 2 always uses NSS 3.11.x. There are some other parties that build their own versions of Firefox that use other versions of NSS than the version used by Mozilla.

NSS 2.x was a closed source version of NSS that existed back when it was a crime in the US to open source crypto code. It was replaced by NSS 3.x in the year 2000 when the rules changed. All open source versions of NSS have version number 3.x.y for some x and y.

> How can I know the version of my NSS???

First, you must know which NSS files are being used by your program. Then, when you know that, you can find the version number of those NSS files.

The ldd program will tell you which particular NSS file is used by your program. For firefox, you may need to run it on the executable and also on each of Firefox's shared libraries to find the one that uses NSS. Then once you have found the pathname of the NSS shared library, you can run the ident program on that shared library file. If that doesn't work, you can try this command:

    strings /foo/libnss3.so | fgrep 3.1

where /foo/libnss3.so is replaced by the pathname for your copy as revealed by the ldd program.

> Thanks a lot, have a nice week end
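The ldd / strings procedure from the reply above, wrapped in Python as an added example (not code from the thread, from Mozilla or from NSS) so the output parsing can be checked offline on constructed input. It assumes Mozilla's library name libnss3.so, and that the NSS version appears in the file as a "3.x.y[.z]" token, which is a heuristic in the spirit of the fgrep command above, not a documented interface.

```python
# Added example: locate the NSS shared library a program loads (ldd) and pull
# version-looking strings out of it (strings | fgrep). Assumptions: Mozilla's
# libnss3.so naming, and a "3.x.y[.z]" version token embedded in the library.
import re
import subprocess

# ldd prints "\tlibnss3.so => /usr/lib/libnss3.so (0x...)"; lines without "=>"
# (the loader itself) or without a path (the vDSO) are skipped on purpose.
LDD_LINE = re.compile(r"^\s*(?P<name>\S+)\s*=>\s*(?P<path>/\S+)")
# "3." plus at least two more numeric components, not inside a longer dotted number.
NSS_VERSION = re.compile(rb"(?<![\d.])3\.\d+\.\d+(?:\.\d+)?(?![\d.])")


def libs_from_ldd_output(text):
    """Map each shared-library name in ldd output to its resolved path."""
    libs = {}
    for line in text.splitlines():
        m = LDD_LINE.match(line)
        if m:
            libs[m.group("name")] = m.group("path")
    return libs


def nss_lib_from_ldd_output(text, name_prefix="libnss3.so"):
    """Path of the NSS crypto library a program links, or None if absent."""
    for name, path in libs_from_ldd_output(text).items():
        if name.startswith(name_prefix):
            return path
    return None


def printable_strings(data, min_len=4):
    """Pure-Python stand-in for strings(1): runs of printable ASCII bytes."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)


def nss_versions_in(data):
    """Version-looking tokens in a library's bytes (the strings | fgrep step)."""
    found = set()
    for s in printable_strings(data):
        found.update(m.decode("ascii") for m in NSS_VERSION.findall(s))
    return sorted(found)


def nss_version_of_program(executable):
    """Run ldd on a real binary (Linux with ldd); returns (lib_path, versions)."""
    out = subprocess.run(["ldd", executable], capture_output=True,
                         text=True, check=False).stdout
    lib = nss_lib_from_ldd_output(out)
    if lib is None:
        return None, []
    with open(lib, "rb") as fh:
        return lib, nss_versions_in(fh.read())
```

For Firefox, run nss_version_of_program over the browser executable and each of its bundled shared libraries, as the reply says, since the NSS dependency may sit on one of those rather than on the main binary.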
Re: NSS, AIA, Bridge
On 2009-06-04 02:23 PDT, Néric wrote:
> Context: I am working on PKI cross certification using a PKI bridge. To fetch missing certificates, I use the following AIA certificate extension:
> CA Issuer: URI : http://_...@ftp_server__/.../bundle.p7c
> where bundle.p7c contains the missing certificates (pkcs7 format). Mozilla's NSS seems to ignore the AIA extension and doesn't fetch the bundle.

All versions of NSS up to (not including) 3.12 do ignore the AIA extension, and the CRLDP extension, too. NSS 3.12 has a new cert path validation function that will pay attention to those extensions, if you tell it to do so in the function arguments. Any program written to use NSS before 3.12 was released does not use the new feature.

The currently released version of NSS is 3.12.3. Version 3.12.4 is undergoing a FIPS 140-2 evaluation, and will be released when it has been accepted for FIPS.

> Question: I found a library on the internet called libpathfinder-nss-1 (http://packages.debian.org/fr/lenny/libpathfinder-nss-1).
> +++
> Pathfinder is designed to provide a mechanism for any program to perform RFC3280-compliant path validation of X.509 certificates, even when some of the intermediate certificates are not present on the local machine. It will automatically download any such certificates (and their CRLs) from the Internet as needed using the AIA and CRL distribution point extensions of the certificate it is processing. This package contains the shared library to allow LibNSS based programs to use Pathfinder for their Certificate validation.
> +++
> It seems that this package enables a Debian distribution to do exactly what I want! Yet I have installed this library and nothing changed. Would you have any complementary information on this package?

No. I have not even heard of it until I read your email.

> It says that it allows LibNSS based programs to use PathFinder,

It *IS* pathfinder, is it not? I can well imagine that the pathfinder library uses pathfinder. :)

> Is NSS based on LibNSS (is it really the same thing)?

In Unix/Linux, there are two separate libraries known as NSS. One of them is the Name Services Switch which decides whether to use DNS or NIS or LDAP for host name lookup, and the other is Network Security Services which is the crypto libraries used for SSL by Firefox. I am guessing that LibNSS (as used in the text you quoted above) refers to the latter. Below I will use NSS to refer only to the crypto libraries.

libNSS may be Debian's name for their version of the NSS crypto libraries. Debian has made numerous changes to NSS. They've changed the names of NSS's shared libraries, and certain other things, such as the directories in which the NSS shared libraries are placed. I believe they've even changed the names of many of the public NSS functions. Consequently, AFAIK, the only code that works with Debian's NSS is code that was specifically written (or modified) to work with that. Code that compiles and runs with Mozilla's NSS will require modification to build and run with Debian's NSS, or so I have been led to believe.

Any programs you download directly from Mozilla will not use Debian's version of NSS. If you have downloaded a browser from Mozilla, you probably have two flavors of NSS installed, one that uses the original file and function names, and Debian's modified copy. Debian has its own modified versions of the Mozilla products (with different names), and those use Debian's modified NSS.

Since you found this PathFinder on a Debian web site, it probably is written to work with Debian's modified NSS and not with unmodified original NSS. So, if your program uses NSS as obtained from Mozilla, it doesn't surprise me that PathFinder had no effect on it.

> Do I have to change something in my NSS module to allow this library to be called or recognized??

I have no idea.

> My last question would be to know if all other X.509 certificate extensions were supported (policy mapping, ..)

NSS 3.12's new cert path validation function fully processes all standard extensions related to certificate policies, if you tell it to do so.