ntome authored Aug 07, 2018 and Romain Bignon committed Aug 18, 2018

Sometimes, nss_get_version will return "3.21.3 Extended ECC" which
can't be parsed. Trim junk to be able to parse it.

ntome authored Jun 03, 2018 and Romain Bignon committed Jul 29, 2018

With NSS, unlike python sockets, the timeout should be passed on every
recv call. But since it's implemented in C, we're forced to reimplement
read/readinto/etc.
Use io.BufferedRWPair and io.RawIOBase to implement some of them and
implement the others by hand.

ntome authored Jul 02, 2018 and Romain Bignon committed Jul 29, 2018

NSS uses different filenames for its certificate database depending on
its version (cert8.db before NSS 3.35, cert9.db after).
This filename is checked to determine if the certificate db must be
created, so we need to find the correct filename.

Benjamin Tampigny authored Mar 20, 2018 and Romain Bignon committed Mar 31, 2018

A lot of environments will block those verifications anyway

ntome authored Mar 15, 2018 and Romain Bignon committed Mar 31, 2018

Client certificate support seems hard to implement with NSS due to
shitty API, so fallback on OpenSSL. Sorry!

PKCS12Decoder() segfaults. PrivateKey() doesn't accept any argument.
Certificate(private_der) raises an exception with a stupid error message
(like most NSS errors). I'm giving up.

btampigny authored Feb 12, 2018 and Romain Bignon committed Mar 03, 2018

This patch has been done because certutil does not seem to handle files
containing multiple certificates. We also ignore files without
extentions because centos contains some Makefile examples in the system
CA folder

ntome authored Sep 04, 2017 and Romain Bignon committed Sep 06, 2017

It seems NSS can raise errors if it is not re-initialized after the
process is forked. ssl_wrap_socket is thus modified to call init again
if the PID changed.

Also, it seems it is safer to use an init context.

https://bugzilla.redhat.com/show_bug.cgi?id=800304
https://bugzilla.redhat.com/show_bug.cgi?id=1317691
https://bugzilla.mozilla.org/show_bug.cgi?id=1263017

ntome authored Jun 21, 2017 and Romain Bignon committed Jul 08, 2017

python3's httplib uses readinto and flush which are not implemented by nss.

ntome authored Mar 22, 2017 and Romain Bignon committed Apr 01, 2017

Since NSS doesn't implement AIA (Authority Information Access) for
incomplete certificate chain, a workaround can be to hardcode the
expected certificate.
In a Browser, the VERIFY field should be set to the expected certificate
path.

ntome authored Mar 01, 2017 and Romain Bignon committed Mar 11, 2017

The 'u' (user) flag seems only useful when a private key is present, for
user auth, which is not the case here. Plus it prints annoying notices.

Vincent Ardisson authored Feb 09, 2017 and Romain Bignon committed Mar 11, 2017

requests expect socket.error and ssl.SSLError exceptions, not
nss.error.NSPRError. Try to convert NSS exceptions in expected ones.

Vincent Ardisson authored Jan 31, 2017 and Romain Bignon committed Mar 11, 2017

OpenSSL fails to connect to numerous websites where NSS succeeds. This
helper module enables to use NSS if desired.