Thursday, April 21, 2016

[389-devel] Re: Please review: 48798 All DS to offer weaker dh params optionally.

On Thu, 2016-04-21 at 09:13 -0400, Rob Crittenden wrote:
William Brown wrote:  
https://fedorahosted.org/389/ticket/48798 https://fedorahosted.org/389/attachment/ticket/48798/0001-Ticket-48798-Enable-DS-to-offer-weaker-DH-params-in-.patch https://fedorahosted.org/389/attachment/ticket/48798/0001-Ticket-48798-lib389-add-ability-to-create-nss-ca-and.patch
I don't understand why you are linking enabling weak DH params with enabling DHE on the server side, or are you just forcing server-side DH if the weak params are enabled? Is there some other switch to enable server-side DH too? What about the managing the DH ciphers? You should check for the existence of SSL_ENABLE_SERVER_DHE if you want to be able to build with older NSS.

That's about to change to be within #if NSS_VMAJOR * 100 + NSS_VMINOR >= 320 so it should be fine.

  In the second patch there is no context why creating your own CA is   linked in any way with testing DH params, plus the "This is a trick"   code is duplicated between the patches. I think I'd just revise the   commit message on the second patch saying it is code to generate an RSA   CA and leave it at that.  

Well, we need certificates to test ssl, else no DH ...

But I will update the commit message. 

  There is a comment that the "shipped" NSS db is broken but no   explanation of how.  

It has no password, and all kinds of basic operations just ... break. You can't import certificates correctly and some other issues I cannot remember because I generally just nuke it from orbit before I start.

This isn't the first test where we have to "refresh" the shipped nss db to make things work. Noriko's OpenSSL patch has to do it too.

  
--   Sincerely,    William Brown  Software Engineer  Red Hat, Brisbane  

No comments:

Post a Comment