crypto consolidation status?

Rob Crittenden rcritten at redhat.com
Thu May 7 18:51:50 UTC 2009


Dan Winship wrote:
> Adam Goode wrote:
>>  * We are trying to use TLS from a library. The NSS documentation seems
>>    to suggest that calling NSS_Init more than once is bad. It doesn't
>>    look like it would be safe to call NSS_Init from a library. Really
>>    NSS should be returning a context object that encapsulates all NSS
>>    state, yes?
> 
> Yes. https://bugzilla.redhat.com/show_bug.cgi?id=466313

The thing about NSS_Init is that the first caller wins. Subsequent calls 
will silently succeed, but you'll be using the initial database. It is 
possible to open multiple NSS databases in a single process; you just 
don't use NSS_Init to open subsequent ones.

Per the bug, it isn't really expected for people to use the SSL_DIR 
environment variable. Since this provides compatibility with OpenSSL, one 
can continue to use the same PEM files. NSS has a PKCS#11 module which 
can load these into an in-memory NSS database for use. I'm not 
discouraging its use, but it may simply be easier to use PEM files for now.

> 
>> It almost seems like a little more work is needed in NSS before it can
>> really work as the one true crypto library.
> 
> Agreed. Right now it's really only designed to be used directly by
> applications, not by other libraries.
> 
> -- Dan
> 

I think some NSS work that is expected to appear in F12 will move things 
a great deal closer to this goal.

rob