
Re: crypto consolidation status?

Dan Winship wrote:
Adam Goode wrote:
 * We are trying to use TLS from a library. The NSS documentation seems
   to suggest that calling NSS_Init more than once is bad. It doesn't
   look like it would be safe to call NSS_Init from a library. Really
   NSS should be returning a context object that encapsulates all NSS
   state, yes?

Yes. https://bugzilla.redhat.com/show_bug.cgi?id=466313

The thing about NSS_Init is that the first caller wins. Subsequent calls will silently succeed, but you'll be using the initial database. It is possible to open multiple NSS databases in a single process; you just don't use NSS_Init to open subsequent ones.

Per the bug, it isn't really expected for people to use the SSL_DIR environment variable. Since this provides compatibility with OpenSSL, one can continue to use the same PEM files. NSS has a PKCS#11 module which can load these into an in-memory NSS database for use. I'm not discouraging its use, but it may simply be easier to use PEM files for now.

It almost seems like a little more work is needed in NSS before it can
really work as the one true crypto library.

Agreed. Right now it's really only designed to be used directly by
applications, not by other libraries.

-- Dan

I think some NSS work that is expected to appear in F12 will move things a great deal closer to this goal.

