- Aug 18, 2018
-
-
Sometimes, nss_get_version will return "3.21.3 Extended ECC" which can't be parsed. Trim junk to be able to parse it.
-
- Jul 29, 2018
-
-
With NSS, unlike python sockets, the timeout should be passed on every recv call. But since it's implemented in C, we're forced to reimplement read/readinto/etc. Use io.BufferedRWPair and io.RawIOBase to implement some of them and implement the others by hand.
-
NSS uses different filenames for its certificate database depending on its version (cert8.db before NSS 3.35, cert9.db after). This filename is checked to determine if the certificate db must be created, so we need to find the correct filename.
-
- Jun 09, 2018
-
-
- Mar 31, 2018
-
-
A lot of environments will block those verifications anyway
-
-
Client certificate support seems hard to implement with NSS due to shitty API, so fall back on OpenSSL. Sorry! PKCS12Decoder() segfaults. PrivateKey() doesn't accept any argument. Certificate(private_der) raises an exception with a stupid error message (like most NSS errors). I'm giving up.
-
- Mar 03, 2018
-
-
This patch has been done because certutil does not seem to handle files containing multiple certificates. We also ignore files without extensions because CentOS contains some Makefile examples in the system CA folder.
-
- Sep 06, 2017
-
-
It seems NSS can raise errors if it is not re-initialized after the process is forked. ssl_wrap_socket is thus modified to call init again if the PID changed. Also, it seems it is safer to use an init context. https://bugzilla.redhat.com/show_bug.cgi?id=800304 https://bugzilla.redhat.com/show_bug.cgi?id=1317691 https://bugzilla.mozilla.org/show_bug.cgi?id=1263017
-
- Jul 08, 2017
-
-
python3's httplib uses readinto and flush which are not implemented by nss.
-
- Apr 01, 2017
-
-
Since NSS doesn't implement AIA (Authority Information Access) for incomplete certificate chains, a workaround can be to hardcode the expected certificate. In a Browser, the VERIFY field should be set to the expected certificate path.
-
- Mar 11, 2017
-
-
The 'u' (user) flag seems only useful when a private key is present, for user auth, which is not the case here. Plus it prints annoying notices.
-
-
requests expects socket.error and ssl.SSLError exceptions, not nss.error.NSPRError. Try to convert NSS exceptions into expected ones.
-
OpenSSL fails to connect to numerous websites where NSS succeeds. This helper module makes it possible to use NSS if desired.
-