Re: Regarding PSM with external SSL library

2012-01-26 Thread Brian Smith
Ashok Subash wrote:
> Hi Brian,
> 
> We have made some progress. We could statically build nss and link on
> our platform.

Do you mean statically link NSS into Firefox? If so, there are several gotchas 
that need to be taken into account. See Wan-Teh's patch at 
https://bugzilla.mozilla.org/show_bug.cgi?id=534471 which addresses some/all of 
them on Windows for *Chrome*. I imagine the issues are similar but not quite 
the same for Firefox and/or for other platforms.

> Are there any other porting points I've missed? Your
> inputs/suggestions will help us to solve this faster.

I wish I could be more helpful but it is really hard to tell the problem from 
the description given. Also, it is hard for me to diagnose problems with 
Firefox 3.6.x because I have *literally* never even checked out the source code 
for Firefox 3.6.x before. (I started at Mozilla during the development of 4.0.)

- Brian
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


Re: Regarding PSM with external SSL library

2012-01-20 Thread Ashok Subash
On Jan 6, 6:56 am, Brian Smith wrote:
> Ashok Subash wrote:
> > We'll go with your suggestion of using NSS after size reduction for
> > this project for our security requirements. But right now we cannot
> > upgrade to the latest Firefox due to the current schedule and resources
> > we have for this project. We will follow the guidelines listed in
> > bug 611781 as well as your other suggestions in the mail. It will be
> > great if you can support us if we hit a roadblock.
>
> The best way to get such support is to ask questions and to post your 
> patches in bugs in our bugzilla database. Try to write patches in a way that 
> is beneficial to the overall NSS and Gecko (Firefox) projects, so that we can 
> incorporate those patches into the mainline Gecko and/or NSS source code. If 
> you identify new ways to shrink NSS besides the ways listed in those bugs, 
> then please file new bugs and document your findings in them (and please CC 
> me in the bug report). It is likely that any such reductions in the size of 
> NSS that you make for Firefox 3.6 will be applicable to Firefox 12+ as our 
> usage of NSS hasn't changed much between 3.6 and 12. Whenever I get around to 
> working on bug 611781, the improvements I make will probably benefit your 
> project as well (possibly requiring some small modifications).
>
> - Brian

Hi Brian,

We have made some progress. We could statically build NSS and link it on
our platform. So far, NSS initialization has happened after the redirect
for URL http://mail.google.com through a proxy. From the logs I found
that the HTTP connect is sent to the proxy successfully and the 200 OK
response is received successfully, but after that we are not seeing the
SSL handshake happening. We see a connection refused error page being
displayed. From the code perspective, for some reason nsSSLIOLayerPoll is
not being called. From what I understand, the TCP socket pair that is
created for https sites helps in notifying Necko whenever SSL thread IO
(send/recv) is completed. Is that understanding right? Currently for us
the connect of this local TCP socket pair is failing, but we are able to
go ahead as the HTTP connect happens successfully, as mentioned earlier.

Are there any other porting points I've missed? Your inputs/suggestions
will help us to solve this faster.

Regards
Ashok


Re: Regarding PSM with external SSL library

2012-01-05 Thread Brian Smith
Ashok Subash wrote:
> We'll go with your suggestion of using NSS after size reduction for
> this project for our security requirements. But right now we cannot
> upgrade to the latest Firefox due to the current schedule and resources
> we have for this project. We will follow the guidelines listed in
> bug 611781 as well as your other suggestions in the mail. It will be
> great if you can support us if we hit a roadblock.

The best way to get such support is to ask questions and to post your 
patches in bugs in our bugzilla database. Try to write patches in a way that is 
beneficial to the overall NSS and Gecko (Firefox) projects, so that we can 
incorporate those patches into the mainline Gecko and/or NSS source code. If 
you identify new ways to shrink NSS besides the ways listed in those bugs, then 
please file new bugs and document your findings in them (and please CC me in 
the bug report). It is likely that any such reductions in the size of NSS that 
you make for Firefox 3.6 will be applicable to Firefox 12+ as our usage of NSS 
hasn't changed much between 3.6 and 12. Whenever I get around to working on bug 
611781, the improvements I make will probably benefit your project as well 
(possibly requiring some small modifications).

- Brian


Re: Regarding PSM with external SSL library

2012-01-05 Thread Ashok Subash
Hi Brian,

We'll go with your suggestion of using NSS after size reduction for
this project for our security requirements. But right now we cannot
upgrade to the latest Firefox due to the current schedule and resources we
have for this project. We will follow the guidelines listed in
bug 611781 as well as your other suggestions in the mail. It will be great if
you can support us if we hit a roadblock.

We will update on the progress soon.

Thanks.
Ashok



Re: Regarding PSM with external SSL library

2012-01-03 Thread Brian Smith
Ashok Subash wrote:
> Firefox 3.6

:( Beware that you will not get any more security updates for the Firefox 3.6 
codebase from Mozilla soon. (We are still sometimes finding security bugs in 
Firefox 3.6 that won't ever be fixed in 3.6.x, only in Firefox 12+).

> Currently due to footprint issues we want to remove NSS from the
> build and integrate a 3rd party SSL library (optimized for this
> embedded platform) for browsing "https" sites.

Have you tried reducing the size of NSS by using a custom build of NSS? See bug 
611781. By working on bug 611781 and the bugs blocking it, and cutting out some 
Firefox features (e.g. certificate import/export and other features that depend 
on libsmime, ECC support), you could probably reduce the amount of NSS needed 
for a working Firefox by 50% or so, with very few code changes to NSS or to 
Gecko.

Try this experiment: On Windows, remove the calls to CERT_PKIXVerifyCert in 
Gecko so that GetIsExtendedValidation always returns false (i.e. disable the EV 
UI in Gecko), remove as many entries in lib/nss/nss.def as possible, so that 
its export list matches the imports from Firefox (especially remove 
CERT_PKIXVerifyCert, and use dumpbin /imports on the Firefox DLLs to find out 
which other NSS functions they use), remove the features that require "#include 
smime", stop linking to libsmime, and build NSS with link-time optimization (as 
explained in one of my comments in bug 611781). Just these simple changes will 
reduce the size of NSS required by Gecko substantially. (I am sure there is a 
way of doing this experiment on Linux, but I don't know how.)

With another round of changes, I think NSS could become somewhat reasonably 
sized. And, this is all work that Mozilla would be very supportive of.

Assuming your platform is Linux-based and you are using openssl, I would 
consider replacing your other crypto library (openssl?) with NSS, and remove 
the dependency on openssl. Red Hat has done a lot of work to make this possible 
for most important Linux applications.

Doing all of the above may help you meet your size targets.

> As I understand it, we need to replace the NSS interfaces used for SSL
> from PSM (Platform Security Manager) with the SSL interfaces of the
> 3rd party library.

I joined Mozilla at the end of the Firefox 4.0 work, so I know almost nothing 
about Gecko 1.9.x. I would think that you would have an easier time embedding 
later versions of Firefox, since they are better designed for embedding 
(because of our mobile versions of Firefox).

> PSM related documentation is pretty outdated in my opinion. Any
> pointers to how to approach this problem and road blocks I'll face
> will be of immense help.

Especially very recently, Firefox is pretty tightly tied to NSS and is probably 
becoming increasingly tied to it. I won't help people work on replacing NSS in 
Firefox 3.6 for a secret (NDA'd) project. But, I am more than eager to help 
with work that would also benefit modern Firefox.

- Brian
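As an added example (not code from this thread, from Mozilla or from NSS), a small Python script for one step of the experiment Brian describes above: parse `dumpbin /imports` output for the nss3.dll functions the Firefox DLLs actually use, then trim `lib/nss/nss.def` to that set while leaving its `;+` version-script lines and `LIBRARY`/`EXPORTS` keywords intact. The dumpbin text, the nss.def fragment and the file name xul.dll are constructed samples in the real layouts; in a real build, union `imports_from_dll()` over every image that links against nss3.dll (ssl3.dll included) before trimming, or the other NSS libraries lose exports they need.

```python
import re
# A `dumpbin /imports` entry ("  4F NSS_Initialize") and an nss.def export ("NAME;").
# The .def's ";+" lines are version-script markup and LIBRARY/EXPORTS are keywords: keep them.
_IMPORT_LINE = re.compile(r"^\s+[0-9A-Fa-f]+\s+([A-Za-z_]\w*)\s*$")
_DEF_SYMBOL = re.compile(r"^(?!LIBRARY\b|EXPORTS\b)([A-Za-z_]\w*)\s*;")

def imports_from_dll(dumpbin_output, dll_name):
    """Names one PE image imports from dll_name, parsed from `dumpbin /imports` text."""
    wanted, current = set(), None
    for line in dumpbin_output.splitlines():
        token = line.strip()
        if token.lower().endswith(".dll") and " " not in token:
            current = token.lower()            # a new import descriptor (DLL) begins
        elif current == dll_name.lower():
            wanted.update(_IMPORT_LINE.findall(line))
    return wanted

def trim_def(def_text, keep):
    """Drop every export not in `keep`; return (trimmed .def text, dropped names)."""
    out, dropped = [], []
    for line in def_text.splitlines():
        m = _DEF_SYMBOL.match(line)
        if m and m.group(1) not in keep:
            dropped.append(m.group(1))         # nothing imports it: remove the export
        else:
            out.append(line)                   # structure and used exports stay verbatim
    return "\n".join(out) + "\n", dropped

# Constructed `dumpbin /imports xul.dll` output (abridged, real layout).
SAMPLE_DUMPBIN = """\
    nss3.dll
             10471000 Import Address Table
                   4F NSS_Initialize
                   93 PK11_GetInternalKeySlot
                   1C CERT_VerifyCertificateNow
    KERNEL32.dll
                  2A1 CreateFileW
"""
# Constructed fragment of lib/nss/nss.def in its real layout.
SAMPLE_NSS_DEF = """\
;+NSS_3.12 {      # NSS 3.12 release
LIBRARY nss3\t;-
EXPORTS\t\t;-
CERT_PKIXVerifyCert;
CERT_VerifyCertificateNow;
NSS_Initialize;
PK11_GetInternalKeySlot;
;+};
"""

def trimmed_sample():
    return trim_def(SAMPLE_NSS_DEF, imports_from_dll(SAMPLE_DUMPBIN, "nss3.dll"))
```

Once Gecko no longer calls CERT_PKIXVerifyCert it vanishes from the import table, so the script drops it from the export list on its own; the `dropped` list is the record of what the trimmed DLL no longer exposes.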


Regarding PSM with external SSL library

2012-01-03 Thread Ashok Subash
Hi All,

We are trying to embed Gecko (Firefox 3.6) on an RTOS platform. We
are currently able to render web pages successfully, albeit
with a few issues which we are confident we can fix ourselves. Currently,
due to footprint issues, we want to remove NSS from the build and
integrate a 3rd party SSL library (optimized for this embedded
platform) for browsing "https" sites.

As I understand it, we need to replace the NSS interfaces used for SSL
from PSM (Platform Security Manager) with the SSL interfaces of the
3rd party library.

PSM related documentation is pretty outdated in my opinion. Any
pointers to how to approach this problem and road blocks I'll face
will be of immense help.

Due to an NDA I cannot share information about the platform and project,
since we are currently doing the development.

Thanks in advance.

Ashok