I am running on Windows 7 64bit. I have installed Visual Studio 2015 update 3.
I have installed mozilla-build 2.2.0 (the latest version that has the
start-msvc scripts). I have built NSS and NSPR 64 bit but JSS bombs out trying
to compile CryptoManager.c
I'm following instructions from readm
On 12/9/2010 2:29 PM, Wan-Teh Chang wrote:
I would go with adding an importNonUserCertPackage method,
or add a new method that exposes both the boolean noUser
and boolean leafIsCA parameters of the native method
importCertPackageNative.
I got around to testing the second method. I exposed the
On 12/9/2010 2:29 PM, Wan-Teh Chang wrote:
The "(-8157) Certificate extension not found" part
is most likely wrong (a stale error code). Please try to track that down
and fix it.
I remember Nelson saying pretty much anytime that error pops out it's a
bug in NSS.
I would go with adding an
I have this certificate sitting on the filesystem and it's a leaf cert,
not a CA. I am hitting a snag here trying to import the cert into the
database with JSS.
* NSS works fine:
certutil -A -d . -i cert.der -n "nickIWant" -t ",,"
* JSS:
byte[] certBytes = ;
CryptoManager.importCertPackage(cer
On 12/3/2010 10:38 AM, David Stutzman wrote:
In his snippet from PK11KeyGenerator there's the comment:
/* special case, construct key by hand. Bug #336587 */
I wanted to add this on Friday, but was waiting for my post to get
through moderation.
I wonder if part of the problem here is
This is a refresh for a roughly 3.5 year old thread (August 2007). I
decided to do a quick check to see if the problem went away but alas I
get the same behavior. I started looking through the code again and
came up with a few things.
As a quick re-cap, if I call "computeMacData" on a PFX wh
On 10/22/2010 8:00 AM, stephen.mocca...@gdc4s.com wrote:
I would also be interested in the 64-bit 4.3.2 JSS.dll. I have been having
problems building it on a 64-bit Windows XP system.
Again, you'll probably need to have the MS C runtime 2010 installed for
this to work. And it should work at
On 10/21/2010 12:30 PM, Marcio wrote:
Hi there,
I'm trying to compile the JSS in the Windows 64 bits platform and I
have found many problems to do that.
I have seen many posts in the internet with many problems too.
I just want use the JSS and not compile it.
Could the Mozilla team publish th
On 9/17/2010 8:29 AM, Owen Shepherd wrote:
Win 5.2 is Windows Server 2003 and XP x86_64 (Yes, Windows XP x86_64
has a different version number from XP i386...). Vista is 6.0, Seven
is 6.1 (Makes sense, doesn't it? ;-))
So I had a couple people test my output, one 64-bit win7 and one 32bit
winX
So apparently we have MSDN and I installed a copy of VS2010 Premium this
morning and first run through it built NSS in 64 bit no trouble. It
seems it targeted Win 5.2 (Vista?)
I'm thinking my issue is that the express versions of VS don't have the
64-bit compilers. The Windows/Platform SDK c
I give up...can you guys point me to some directions for this?
I've installed the latest mozilla-build, VS2008 Express SP1, the latest
windows SDK (7.1) and I'm just not getting too far in this process.
Linux is so much easier!
I start up the shell with the start-msvc8-x64.bat script, whi
I'm assuming not based on my experience, but does NSS support point
compression on EC keys?
Dave
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
On 08/19/10 16:33, Nelson B Bolyard wrote:
If you think this is a bug in JSS, then
- File a B.M.O bug.
https://bugzilla.mozilla.org/show_bug.cgi?id=589158
- Assign it to yourself.
I don't seem to have the permissions in BZ to do that.
- Write a patch and attach it to the bug.
Done.
- reques
On 08/19/10 20:12, Wan-Teh Chang wrote:
It seems very straightforward to add algorithm aliases:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/jss/org/mozilla/jss/JSSProvider.java&rev=1.34&mark=106-113#103
I know I can probably go in and change the way JSS reports the algorithm to
I would like to know if I have any options to mitigate this. I'm also
fully expecting the "JSS has no full-time developers, patches accepted"
answer.
The Sun^H^H^HOracle JCE "Standard Names Document" [0], which lays out
what all the algorithm names/permutations are, lists the EC
Signatur
On 5/5/2010 9:49 AM, joabelfa wrote:
On May 5, 2:33 pm, David Stutzman
wrote:
On 5/5/2010 7:02 AM, joabelfa wrote:
ksfis = new
FileInputStream("./certificates/runa/keystore.jks");
KeyStore truststore = KeyStore.getIns
I'm guessing my previous submission was eaten by the terrible list
monster due to having an attachment...
As usual, you appear to be correct Nelson, I figured out the proper
cipher string format for vfyserv and enabled ALL ecc ciphers and it
didn't work. So I set about recompiling NSS again a
On 5/5/2010 7:02 AM, joabelfa wrote:
ksfis = new
FileInputStream("./certificates/runa/keystore.jks");
KeyStore truststore = KeyStore.getInstance("JKS");
truststore.load(ksfis, "key123".toCharArray());
On 5/4/2010 11:24 AM, fsuel wrote:
I would like to know if RSA 2048 digital signature with SHA hash (224,
256 and more bit) is possible in Mozilla products. In particular if I
can realise a RSA 2048/SHA 256 digital signature with Thunderbird 2.x
or 3.x
Ripping off Wan-Teh[1]
"We have an "Encryp
Sorry I keep having so many issues with EC :)
Using vfyserv from nss-3.12.6 built using mozilla-build on Vista32.
C:\usr\mozilla>vfyserv.exe -d . -p 9444 ferret.pki
Connecting to host ferret.pki (addr 192.168.1.171) on port 9444
Error in function PR_Write: -12286
- Cannot communicate securely w
On 4/28/2010 1:30 PM, Robert Relyea wrote:
If you are building your own copies of NSS on fedora, I strongly suggest
testing them first with LD_LIBRARY_PATH. Many key fedora subsystems now
use NSS natively, including rpm. If you mess up your system NSS, you may
have difficulty recovering. (Of cours
On 4/27/2010 12:32 PM, Nelson B Bolyard wrote:
Hi David, Long time ...
I've been lurking...I still read the messages almost every day. Nice to
see you're still around as well.
Are your newly built NSS shared libs in a directory in your LD_LIBRARY_PATH?
This is a FC12 system and I was re
I just built nss-3.12.6 with the tarball from mozilla.org[1] and when I
try to create a new DB using "certutil -N -d ." I get the following
error. I'm running certutil out of the dist folder in the nss source
tree after it's built.
certutil: function failed: Symbol not found in any of the load
On 2/3/2010 11:56 AM, Anna Gellatly wrote:
Thanks for the info David.
When I run this command:
/usr/java/current/bin/keytool -importkeystore -srckeystore
/proximo/config/cluster/trusted.keystore -srcalias mykkey -destkeystore
test.p12 -deststoretype PKCS12
and put in the destination password an
On 2/2/2010 6:00 PM, Anna Gellatly wrote:
Hello All -
I'm very new to all this - forgive a potentially ignorant question.
I believe I have created a keystore with the following commands
certutil -N -d .
modutil -fips true -dbdir .
So far so good...
I am changing my application from using JKS
On 2/1/2010 1:39 PM, Anna Gellatly wrote:
Thanks for responding David -
If the Mozilla JCA isn't JSS compatible then I'm barking up the wrong tree.
I see you included the pkcs#11 java doc but how do you ensure sun's
PKCS#11 uses nss? I see that you need to set the configuration
directives - but I
I recently built NSS 3.12.5/NSPR4.8.2 and JSS 4.3.1 on a RHEL4.8 system
(SUN JDK 1.6u18). certutil works fine with -d sql:., but JSS tosses an
exception when I try to initialize pointing to a (freshly created with
certutil) SQLite DB whereas it will initialize with the legacy db format.
Excep
On 1/29/2010 12:57 PM, Reinaldo Nolasco Sanches wrote:
Where I can download jss4.dll and libjss4.so or source code to compile?
I found jss-4.3.tar.bz2 but have only .java source, can we have more clean
info on http://www.mozilla.org/projects/security/pki/jss/using_jss.html how
we can get these n
Has anyone ever seen this or does anyone have an idea of how I can get
this crypto provider to be “installed” and utilized in a fips compliant
mode per sun java docs?
I *thought* that JSS wasn't a JSSE implementation and you needed to
write JSS specific code to do SSL sockets but I might be wro
On 1/15/2010 4:21 PM, Kai Chan wrote:
certutil -R -s "CN=ectest, O=ectest, L=ectest, ST=ectest, C=US" -p
"123-456-7890" -o ectest.req -d . -k ec -q nistp256 -Z SHA256
That command works for me. Are you trying this on a Red Hat or Fedora
system? If so, compiling NSS with extended ECC support
I just ran into this error and was about to post saying wtf but figured
out my issue and am posting this in case someone else runs into the same
problem.
If the JAVA_HOME isn't set properly, something in the build process
might eat a slash and the jss4.dll can't be built.
This happened a lit
David Stutzman wrote:
import user cert:
certutil -A -d . -n "nickname you want the cert to have" -a exported.cer
-t ",,"
import ca cert and set S/MIME trust bit:
certutil -A -d . -n "nickname you want the cert to have" -a exported.cer
-t ",C,"
Lukas Haase wrote:
Is there a way to export all my certificates of other users (and
websites) from my cert8.db Backup and re-import them?
Inside your mozilla profile dir (where the cert8/key3.db are)
Export a cert:
certutil -L -d . -n "nickname of cert you want to backup" -r > exported.cer
im
Nelson B Bolyard wrote:
I'm running your script now just generating new certs into a single sql
DB and I'll let it run overnight and see what happens.
I tested with both old and new DBs. That is how I found the bug 467298
which is fixed in NSS 3.12.3. Let us know how your experiment goes.
c
Nelson B Bolyard wrote:
If you're using cert7/key3 DB files, that's a known bug, and probably
cannot be fixed. Or rather, the fix is believed to be to go to cert8/key4
on a local file system (not over a network). That should be MUCH faster.
See bug 433105 starting at comment 8.
That's surpri
I've recently had a case where I have a DB with around 6700 certs/keys
in it and a call to get the list of certs takes something like 20
minutes to complete. I'm primarily using JSS (specifically the call to
CryptoToken.getCryptoStore().getCertificates()), but the same happens
with certutil on
Rob Stradling wrote:
A question for the NSS devs:
Is there any reason why NSS couldn't be changed to assume "NSS_ENABLE_ECC=1"
by default?
Yes...
http://fedoraproject.org/wiki/User:Peter/Disabled_applications
Disabled features:
Elliptic Curve crypto algorithm
Reasons:
software paten
Kashyap Chamarthy wrote:
certutil -G -k ec -q nistp256 -d .
Generating key. This may take a few moments...
certutil: unable to generate key(s)
: security library failure.
I guess, you need a third party ECC module?
I must admit that I am a bit puzzled by the current state
Skellington wrote:
Although they technically don't get copied in to "/Users/local/Desktop/
nss-3.12/mozilla/dist/Darwin9.7.0_DBG.OBJ/..." I found that they are
all sym links which kinda stinks, but at least I know where they all
are.
cp -L is your friend.
Claus Jørgensen wrote:
I'm wondering if anyone could enlighten me on why the PKCS#12 exported
certificate from Firefox under Ubuntu isn't identical to the certificate
that I can generate from OpenSSL like this:
$ openssl pkcs12 -in yourCertificate.p12 -out yourCertificate.pem
$ openssl pkcs12
vvick...@harris.com wrote:
I need to create a build of NSS 3.12.4 with NSPR to use for FIPS 140-2
encryption in my java.security file.
For those that are less than familiar with building software on Windows
using Microsoft products, I really recommend just using Mozilla Build.
It's not a tri
Nelson B Bolyard wrote:
On 2009-08-19 15:12 PDT, David Keeler wrote:
Wan-Teh Chang wrote:
I think "rsa encryption" is a public key algorithm, whereas
"sha1 with rsa encryption" is a signature algorithm.
Thank you for the quick response. This isn't quite what I was getting
at, though. I gues
JamesH wrote:
I have some confusion with regard to JSS due to the lack of proper
documentation. Looks like JDK 6 can talk to NSS natively with this
configuration:
http://java.sun.com/developer/technicalArticles/J2SE/security/#2
If that's the case, why do I need JSS?
Your comments are appreciat
Michael Ströder wrote:
Martin Schneider wrote:
I think the keystore on
opencryptoki follows exactly the principle how storing other things
"in" the TPM works: building an encrypted key hierarchy that is stored
on harddisk with an encryption key rooted in the Storage Root Key in
the TPM.
Isn't
Michael Kaply wrote:
I'm importing a code signing cert into my database using pk12util, but
it gets assigned a random alias:
e33eb463-ddba-4895-9469-bfdd01c71fe2
Is there a way via the command line utilities to rename that to a more
human name?
I'm sure I did this in the past, but I can't f
I have a DB that has just shy of 7000 keys/certs in it. From the
command line using certutil -L takes ~5 mins or so and then finally
starts showing output all at once after the delay. It ends up using
80-90MB of ram (according to task manager). certutil -K, however,
starts listing keys right
Subrata Mazumdar wrote:
Thanks Wan-Teh for the suggestion.
No, requiring custom version of Firefox to use ECC key based certificate
enrollment is not realistic.
It just does not seem right to disable access to all licensed ECC
implementation just because Mozilla wants to disable the ECC
implem
Subrata Mazumdar wrote:
On further testing and reading the description of generateCRMFRequest()
method doc, I figured out why the key generation was failing.
I have to pass keySize as integer type not string type.
The key generation now works for RSA and DSA key types but it still fails
for EC
I'm in the process of porting over certificate path building code from
using Sun's API to using JSS as we are gradually migrating all of our
crypto over to JSS/NSS. I'm running some testing with
CryptoManager.buildCertificateChain(X509Certificate leaf).
If I grab a cert out of the db and pass i
Nelson B Bolyard wrote:
tstclnt is able to support protocols in which the client speaks first,
and protocols in which the server speaks first. By default, it supports
protocols in which the server speaks first. To make it support protocols
in which the client speaks first, use the -f command li
I'm scratching my head here...I'm trying to connect to an SSL server
with a full EC chain using a JSS SSLSocket.
Using NSS 3.12.2 libs taken from my Firefox 3.0.6 install I get:
org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed:
(-5978) Network file descriptor is not connected.
I was trying to install a test root certificate in a database and was
getting an error. I then imported a PKCS#12 file that contained, among
others, the root cert and it went in ok. I then tried to modify the
trust using certutil and I received:
certutil: unable to modify trust attributes: Pe
(How) Is it possible to set a connection timeout for a JSS SSLSocket?
http://www.mozilla.org/projects/security/pki/jss/javadoc/org/mozilla/jss/ssl/SSLSocket.html
None of the constructors have a connection timeout and
SSLSocket.setSoTimeout(int timeout) can only be called *after* creating
the so
Glen Beasley wrote:
you can code the same pretty print functionality but there is no
existing function that
duplicates certutil -l -n.
You can start with
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests/ListCerts.java
Which currently outputs:
java -cp ./jss4.jar org
Is there a way to pretty print a certificate using JSS? I know NSS has
the functionality based on output from certutil -L -n "nickname".
Dave
Nelson B Bolyard wrote:
axi...@googlemail.com wrote, On 2009-02-03 04:09:
Is there a way to sign CRMF and create CMMF using JSS?
>
If there is, you'll find it somewhere in
http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/pkix/crmf/
CRMF requests aren't signed. I think thi
Ian G wrote:
Or: http://www.keylength.com/ is more convenient.
Thanks for posting this link again. I had gone to it previously and
forgotten it and almost posted to the list to ask about it a couple
weeks ago.
Dave
Jean-Marc Desperrier wrote:
You *obviously* never had to handle this CRL :
http://onsitecrl.certplus.com/DIRECTIONGENERALEDESIMPOTSDIRECTIONGENERALEDESIMPOTSUSAGER/LatestCRL
Java programs just can't take it up. And J2EE is by far the most popular
application server architecture nowadays. 64 bi
Denis McCarthy wrote:
customers use. On this application, it is important to identify the
physical machine on which a transaction takes place. In most of our
b) The application is currently multi platform, but all our users use
windows (because that is what the application we are replacing run
-Original Message Michael Ströder -
> Unfortunately CRMF is not really standardized. IMHO it's more a message
> format framework for which you have to define a certain CRMF profile.
> Furthermore many products tend to support CMC.
I'm wondering about your wording here. I thought CMC was,
* D3|\||\|!$
-Original Message-
Subject: A / V / Text encryption methods
It uses 256-bit encryption in order to actively encrypt the data in
each Skype call or instant message. Skype uses 1024 bit RSA to
negotiate symmetric AES keys. User public keys are certified by the
Skype server at l
My only guess as to the source of that number is that NSS is reporting the
size in bytes (16) to Java. That key was put in to the db as a 128 bit key.
-Original Message-
> SunPKCS11-NSSfips AES secret key, 16 bits (id 3126949473, token object,
> sensitive, extractable)
16 bits?
Bug https://bugzilla.mozilla.org/show_bug.cgi?id=471665 has been filed and it
appears Nelson has found the source of the problem if anyone is interested.
If I wrap/unwrap with a token object RSA key, I get a different error trying to
encrypt with the unwrapped AES key:
RSA key from NSS DB: SunPKCS11-NSSfips RSA private key, 2048 bits (id
2464323849, token object, sensitive, extractable)
pulled sym key out of keystore? SunPKCS11-NSSfips AES secret
Nelson, I wonder if anything from this thread has any bearing here as you
describe some FIPS restrictions:
http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/a5d22af274d36c6a?pli=1
I've been trying to help out Alex in the Sun forums and pointed him over here
with this is
-Original Message-
From: On Behalf Of Nelson B Bolyard
Sent: Tuesday, December 30, 2008 2:25 PM
>> Attempting to create a 128 byte (1024 bit) aes key on the token:
>> C:\nss\fips>symkeyutil -K -n aesKey3 -t aes -s 128 -d .
>> Enter Password or Pin for "NSS FIPS 140-2 Certificate DB":
>> aes
Ahh...I did it from my Vista workstation's firefox profile which I knew had the
roots module added. Nssckbi.dll or libnssckbi.so or whatever it is on a Mac is
a special PKCS#11 module that is read-only and contains the trust anchors. By
default with an NSS database, it's not added. You can ad
I was playing around with the Sun PKCS11 provider and accessing NSS directly
while in FIPS mode. It appears nss 3.12 (on Vista 32-bit) has issues reporting
key sizes both to Java and using symkeyutil directly:
Attempting to create a 128 byte (1024 bit) aes key on the token:
C:\nss\fips>symkeyut
Kyle,
Assuming your DBs are in the current directory:
certutil -L -d . -h "Builtin Object Token" will list all of the nicknames
Then you just add the -n "nickname" (and optionally -a to get base64) for each
one like so:
certutil -L -d . -n "Builtin Object Token:StartCom Certification Authority"
Unless you're intimate with the NSS build system and know enough to trim things
down...then this set of instructions is the best thing. I've built NSS on
Vista using this wiki page:
https://developer.mozilla.org/En/Windows_Build_Prerequisites
-Original Message-
From: dev-tech-crypto-bou
http://directory.fedoraproject.org/wiki/Mod_revocator
This *might* help…
Dave
Since you say you originally created the key/cert with openssl, just
use openssl to package those things up into a PKCS#12 file and use
pk12util to import them.
First, copy the text of the keyfile into the certfile or vice versa
(or cat them both into a 3rd file), it doesn't matter as long as both
-Original Message-
Interesting. Haven't seen that one before.
Please file a bug in bugzilla.mozilla.org, product NSS, component tools.
From the presence of the string "foo", I infer that these files are
merely test files and not actually important for any real security, so
let me ask you
certutil -K -d .
Enter Password or Pin for "NSS FIPS 140-2 Certificate DB":
<0> cn=foo-Signature
<1> cn=foo-Encryption
<2> cn=foo-Identity
certutil -L -d .
cn=foo-Identity u,u,u
cn=foo-Identity u,u,u
cn=foo-Identity u,u,u
cer
Specifically it's built from Red Hat Enterprise Linux (RHEL) sources with the
Red Hat proprietary pieces removed.
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of Kai Engert
Sent: Thursday, November 06, 2008 8:26 AM
To: mozilla's crypto code discussion l
-Original Message-
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On
Behalf Of [EMAIL PROTECTED]
Sent: Monday, November 03, 2008 1:46 PM
To: dev-tech-crypto@lists.mozilla.org
Subject: Re: someone else complaining about "Mozilla SSL policy"
On 3 Nov., 14:40, "David St
http://www.cs.uml.edu/~ntuck/mozilla/
I think we covered this before and he misses the fact that there are free
alternatives out there like StartSSL that I use (Thanks Eddy!).
Dave
> Anyway, I've tried dumping it to a file, this way:
> And after that, I tried managing it with openssl command line tools,
> but it doesn't seem to have a proper structure.
>
> ¿What are the contents of the string encprivkey->encryptedData.data?
>
> Is it a proper pkcs5 or pkcs8 or pkcs12 (when
Fernando,
Unless you specifically tell it not to, when you initialize JSS, it
installs the JSS provider with the highest precedence. Since the JSS
provider doesn't implement everything that the Sun providers do, that
may be your problem.
CryptoManager.initialize:
967 if( values.install
The security policy in case anyone is interested and doesn't have it:
http://www.mozilla.org/projects/security/pki/nss/fips/secpolicy.pdf
Dave
> If you are only trying to protect the private key from being
> extracted,
> then the answer is obvious - don't use a software token, use
> an HSM that
> stores the key in such a way that it cannot be extracted.
And when Julien says HSM, a USB crypto token would provide security
vastly superi
This might be helpful for you:
http://www.mozilla.org/projects/security/certs/
> I'm writing to kindly ask you to consider to insert the Cybertrust
> Educational certificate in the list of the trusted
> certificate authorities.
> > Actually, most of the developers who work on it are
> developing it for
> > servers. It is revenue from server sales that pay the salaries of
> > most of NSS developers (since revenues from browser sales
> are ... low :).
>
> They must be using it in pretty simple scenarios so far. The
> w
> -Original Message-
> From:
> [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> la.org] On Behalf Of Nelson B Bolyard
> Sent: Tuesday, July 29, 2008 1:41 PM
> To: mozilla's crypto code discussion list
> Subject: Re: Question about JSS FIPS compliance
> How is software like Sun's Java JCE
> -Original Message-
> From:
> [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> la.org] On Behalf Of Nelson B Bolyard
> Sent: Monday, July 28, 2008 6:48 PM
> To: mozilla's crypto code discussion list
> Subject: Re: Question about JSS FIPS compliance
> JSS also provides an interface for pu
> -Original Message-
> The requirement to put all cryptographically sensitive
> information into a
> well defined crypto boundary seems very elegant. It explains
> how NSS was
> able to work with so many third party crypto gizmos starting
> in the late
> 90's, and how it was able to get
> I'm trying to do TLS using an ECC ciphersuite. I thought FF3 natively
> supported it (ECC ciphersuites are enabled in about:config). Using
> normal downloads of FF3 on either Linux or Windows I'm getting the
> error that there's no common ciphersuite. Looking at SSLTap, both
> versions of FF3
> -Original Message-
> From:
> [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> la.org] On Behalf Of Dean
> Sent: Wednesday, July 23, 2008 12:09 PM
> To: dev-tech-crypto@lists.mozilla.org
> Subject: Re: Failed to toggle FIPS mode with JSS
> Essentially I have an SSL implementation that I
> -Original Message-
> From:
> [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> la.org] On Behalf Of Wan-Teh Chang
> Sent: Friday, July 18, 2008 12:04 AM
> To: mozilla's crypto code discussion list
> Subject: Re: 3rd party ECC module + NSS integration
> Since you need the bug fix in the
> I believe the NSS 3.11.4/NSPR 4.6.4 tags were chosen specifically
> for their FIPS validation status.
>
> Since you need the bug fix in the upcoming NSS 3.11.10, you should
> update the Dogtag wiki page to use NSS_3_11_BRANCH (until
> NSS_3_11_10_RTM is created) and NSPR_4_7_1_RTM. You can
> re
Nelson,
Thanks for the info, I tried to list out the tags from the repository
which didn't go so well so I just grabbed the HEAD for everything and it
ended up working just fine for me, both on the command line and for
Dogtag. The Dogtag devs and I have updated the wiki to remove the
3.11.4/4.6.4
Well...I couldn't figure out how to grab any version close to that so I
just grabbed the NSPR/NSS heads and I was able to run the command:
certutil -d . -R -h "Certicom FIPS Cert/Key Services" -k ec -q nistp256
-s "CN=cfu1003" -o req.1003b
I dumped the ASN1 and it looks ok. I'll continue on with
You may find this recent thread informative:
http://groups.google.com/group/mozilla.dev.tech.crypto/browse_thread/thread/5885eb5986864447
Dave
> -Original Message-
> From:
> [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
la.org] On Behalf Of jehan procaccia
> Sent: Wednesday, July 16, 2
Nelson,
I'm using NSS 3.11.4 according to the Dogtag instructions. You mention
3.11.10 has the fix. I don't see that on the ftp in the normal nss
releases area. Do I have to pull it from cvs? If so, would you mind
supplying the correct tag? Is NSPR 4.7 OK with that or another needed?
Dave
>
Gentlemen,
I'm trying to get NSS working with a 3rd party (Certicom) PKCS#11
library for the ultimate goal of having an ECC CA (Dogtag). I've asked
on the Dogtag IRC channel and someone has told me they followed the
instructions below more than once and had it working. I believe they
also used a
As Nelson mentioned, just using FIPS-approved NSS isn't enough. Go to
the NIST website and download the Security Policy document. That tells
you how you must configure/run the system to be truly FIPS compliant.
http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401val2007.htm#815
Straight to
Nelson B Bolyard:
> On your system, is certutil a shell script that runs a program named
> certutil-bin ?
As Eddy said about getting it from a directory server install, the
Directory/Certificate System products have been doing that for quite a
while now.
From a system with Red Hat CS 7.1 instal
> -Original Message-
> From:
> [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> la.org] On Behalf Of Nelson B Bolyard
> Sent: Monday, June 09, 2008 6:01 PM
> To: mozilla's crypto code discussion list
> Subject: Re: Problems importing pkcs12 keystore to NSS
>
> What tool produced those PKC
> -Original Message-
> From:
> [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
la.org] On Behalf Of Nelson B Bolyard
> Sent: Sunday, June 01, 2008 4:01 PM
> To: mozilla's crypto code discussion list
> Subject: Re: Problems importing pkcs12 keystore to NSS
> In NSS version 3.10 and later
françois blanchon wrote:
> Hello
> Question about CA in Firefox (to be precise: I am not a developer at all). I
> must secure a Firefox on a Windows workstation, and one part is to remove
> all the built-in CA certs and install only a private one (the workstation is
> not able to go on the Interne
1 - 100 of 209 matches