crypto consolidation status?
Rob Crittenden
rcritten at redhat.com
Thu May 7 18:51:50 UTC 2009
Dan Winship wrote:
> Adam Goode wrote:
>> * We are trying to use TLS from a library. The NSS documentation seems
>> to suggest that calling NSS_Init more than once is bad. It doesn't
>> look like it would be safe to call NSS_Init from a library. Really
>> NSS should be returning a context object that encapsulates all NSS
>> state, yes?
>
> Yes. https://bugzilla.redhat.com/show_bug.cgi?id=466313
The thing about NSS_Init is that the first caller wins. Subsequent calls
will silently succeed, but you'll be using the initial database. It is
possible to open multiple NSS databases in a single process; you just
don't use NSS_Init to open subsequent ones.
Per the bug, it isn't really expected for people to use the SSL_DIR
environment variable. Since this provides compatibility with OpenSSL, one
can continue to use the same PEM files. NSS has a PKCS#11 module which
can load these into an in-memory NSS database for use. I'm not
discouraging its use, but it may simply be easier to use PEM files for now.
>
>> It almost seems like a little more work is needed in NSS before it can
>> really work as the one true crypto library.
>
> Agreed. Right now it's really only designed to be used directly by
> applications, not by other libraries.
>
> -- Dan
>
I think some NSS work that is expected to appear in F12 will move things
a great deal closer to this goal.
rob
More information about the fedora-devel-list mailing list