Re: hardware security module storing x509 client cert: mozilla code for logging into subversion

On Sep 10, 2:37 am, Nelson Bolyard [EMAIL PROTECTED] wrote:
> rupertthurner wrote:
>> we noticed that the support for hardware security modules (smartcards) storing ssl client certificates in mozilla/firefox is quite good. is it possible to somehow reuse this for serf to provide x509 client certificate login for subversion, via the serf library?
>
> Does serf use NSS for SSL/TLS now? or something else?
>
> Mozilla uses NSS, a set of c libraries (callable from c++) that provide SSL/TLS, CMS (the crypto component in S/MIME), and general certificate and cryptography libraries. In the middle of it all is a library called PK11wrap that finds the right PKCS#11 module to do each crypto operation (ALL crypto operations are done in PKCS#11 modules).
>
> Given that serf is a c library, it should be possible to make it use NSS. But if it's now using OpenSSL, then the switch to NSS might be a big change.
>
> Does serf use modSSL? If so, there is a modNSS that causes Apache to use NSS instead of OpenSSL. That might be an easy change for you.
>
>> see http://code.google.com/p/serf/issues/detail?id=27.
>
> What's the difference between issue 27 and issue 8 (which is marked fixed)? They seem to be describing the same issue.
>
> /Nelson

the issue 8 was to use client certificates from HARDWARE security modules (chip card), but the fix seems to be for software (pkcs12). if we could change the text of issue 8 it would be the least contradiction i guess :)

___
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
Re: hardware security module storing x509 client cert: mozilla code for logging into subversion

Robert Relyea wrote:
> It's part of the Fedora Crypto Consolidation project: http://fedoraproject.org/wiki/FedoraCryptoConsolidation

Great job! I'm happy to see it happening.
Re: hardware security module storing x509 client cert: mozilla code for logging into subversion

Rob Crittenden wrote:
> Eddy Nigg (StartCom Ltd.) wrote:
>> Nelson Bolyard wrote:
>>> Does serf use modSSL? If so, there is a modNSS that causes Apache to use NSS instead of OpenSSL. That might be an easy change for you.
>>
>> Nelson, what about the env variables as in http://httpd.apache.org/docs/2.0/mod/mod_ssl.html
>> Does mod_nss support the same naming convention? And is NSSEnforceValidCerts equal to SSLVerifyDepth (with correct depth)?
>
> There is no equivalent for SSLVerifyDepth. My understanding of how intermediate CAs are evaluated in NSS is admittedly sketchy but I believe it requires all of them to be installed and trusted.

NSS collects all certificates in the SSL message, and then tries to build a valid chain. To successfully validate, NSS must have at least one cert in the chain which it trusts (typically the root cert). NSS follows the normal PKI rules about VerifyDepth (based on basic constraints of the cert) except one: NSS does have a hard limit on the size of the chain of 20. I know of no case where anyone has actually hit the NSS hard limit, which is there to deal with pathological cases like loops.

Of course some of what I just said is likely to change with the new PKIX code going in.

bob

> rob
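The chain-building behaviour Bob describes above (collect the certificates from the handshake, walk from the leaf towards a cert in the local trust store, honour basicConstraints, and cut off at a hard length limit so that issuer loops terminate) can be illustrated with a small model. The following is an added example, not NSS or mod_nss code: certificates are plain records, issuer matching by subject name stands in for signature verification, and all names and sample certificates are constructed.

```python
# Constructed, simplified model of TLS certificate chain building.
# Added illustration, NOT NSS source: certificates are plain records,
# "trust" is a subject-name lookup, and issuer matching by name stands in
# for signature verification so the example runs offline.
from dataclasses import dataclass
from typing import List, Optional

# Hard cap on chain length, mirroring the limit of 20 mentioned in the thread;
# it exists to terminate pathological inputs such as issuer loops.
MAX_CHAIN_LEN = 20


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str
    is_ca: bool = False
    # basicConstraints pathLenConstraint: how many intermediate CA certs may
    # appear between this cert and the end-entity cert; None means unconstrained.
    path_len: Optional[int] = None


def build_chain(leaf: Cert, presented: List[Cert], trusted: List[Cert]) -> List[Cert]:
    """Walk from the leaf towards a trusted anchor and return the chain, leaf first.

    Raises ValueError when no acceptable chain exists.
    """
    by_subject = {c.subject: c for c in presented}        # certs sent in the handshake
    trusted_by_subject = {c.subject: c for c in trusted}  # local trust store (root CAs)

    chain = [leaf]
    current = leaf
    # Stop as soon as the chain reaches a cert we trust; it need not be the root.
    while current.subject not in trusted_by_subject:
        if len(chain) >= MAX_CHAIN_LEN:
            raise ValueError("chain exceeds hard limit of %d (possible issuer loop)" % MAX_CHAIN_LEN)
        if current.issuer == current.subject:
            raise ValueError("self-signed certificate %s is not trusted" % current.subject)
        # Prefer the trust store, then fall back to certificates the peer presented.
        issuer = trusted_by_subject.get(current.issuer) or by_subject.get(current.issuer)
        if issuer is None:
            raise ValueError("no issuer found for %s" % current.subject)
        if not issuer.is_ca:
            raise ValueError("%s is not a CA but issued %s" % (issuer.subject, current.subject))
        chain.append(issuer)
        current = issuer

    # Enforce pathLenConstraint on every CA in the chain: chain[i] (i >= 1) has
    # i - 1 intermediate CA certificates between itself and the leaf.
    for i, ca in enumerate(chain[1:], start=1):
        below = i - 1
        if ca.path_len is not None and below > ca.path_len:
            raise ValueError("%s allows %d intermediates below it, found %d"
                             % (ca.subject, ca.path_len, below))
    return chain


def check_chain(leaf: Cert, presented: List[Cert], trusted: List[Cert]) -> str:
    """Return 'ok:<subject path>' or 'rejected:<reason>' for easy inspection."""
    try:
        path = " -> ".join(c.subject for c in build_chain(leaf, presented, trusted))
        return "ok:" + path
    except ValueError as e:
        return "rejected:" + str(e)


if __name__ == "__main__":
    # Constructed sample PKI: a trusted root, one intermediate, one client cert.
    root = Cert("Root CA", "Root CA", is_ca=True)
    inter = Cert("Inter CA", "Root CA", is_ca=True, path_len=0)
    leaf = Cert("svn-client.example.test", "Inter CA")
    print(check_chain(leaf, [leaf, inter], [root]))
    # Issuer loop with nothing trusted: terminates only because of MAX_CHAIN_LEN.
    a = Cert("A", "B", is_ca=True)
    b = Cert("B", "A", is_ca=True)
    print(check_chain(Cert("leaf", "A"), [a, b], []))
```

The model makes the two points from the thread concrete: validation succeeds as soon as the walk reaches any certificate in the trust store, so the depth is governed by each CA's basicConstraints rather than by a configurable verify depth, and the length cap only matters for degenerate input such as two intermediates that claim to have issued each other.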
hardware security module storing x509 client cert: mozilla code for logging into subversion

hi,

we noticed that the support for hardware security modules (smartcards) storing ssl client certificates in mozilla/firefox is quite good. is it possible to somehow reuse this for serf to provide x509 client certificate login for subversion, via the serf library? see http://code.google.com/p/serf/issues/detail?id=27.

regards,
rupert.