- Feb 24, 2019
Romain Bignon authored
- Dec 17, 2018
It's not exactly a timeout, but for now it seems sufficient for requests to retry. I don't know exactly in what circumstances this error occurs in the wild, but it can tentatively be reproduced experimentally with a very long wait (minutes or hours) before doing the handshake.
- Nov 10, 2018
NSS seems to have different behaviors on different distros, e.g. Debian and CentOS, and it also depends on the NSS version, which creates a whole matrix of cases. Try to force SQL database use for >=3.35 and the default (probably DBM) for versions <3.35. NSS might still ask the infamous question: Enter Password or Pin for "NSS Certificate DB": but deleting the old generated *.db files should solve it.

Some shit sites like cragr/lcl/bforbank currently cause NSS to raise the error SEC_ERROR_OCSP_UNKNOWN_CERT, even in Firefox. Since disabling cannot be done per module, just disable it for those dumbasses.
- Oct 11, 2018
- Sep 16, 2018
Some sites rely on the TLS extension "AIA" and do not provide a complete certificate chain up to the CA. The AIA extension lets the site define an HTTP URL from which to fetch the parent certificates. When encountering this case, the parent certificate must be checked to really be the parent of the certificate being validated. Also, the parent certificate must be in the trusted CAs.
- Aug 18, 2018
Sometimes, nss_get_version will return "3.21.3 Extended ECC" which can't be parsed. Trim junk to be able to parse it.
- Jul 29, 2018
With NSS, unlike Python sockets, the timeout should be passed on every recv call. But since it's implemented in C, we're forced to reimplement read/readinto/etc. Use io.BufferedRWPair and io.RawIOBase to implement some of them and implement the others by hand.
NSS uses different filenames for its certificate database depending on its version (cert8.db before NSS 3.35, cert9.db after). This filename is checked to determine if the certificate db must be created, so we need to find the correct filename.
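The version-dependent pieces mentioned in the three commit messages above (trimming the "Extended ECC" suffix before parsing the version, picking cert8.db vs cert9.db, and forcing the SQL backend on >=3.35) fit together as below. This is an added example, not code from the project's nss module; it assumes the 3.35 boundary stated in the commit messages and that NSS selects its SQLite backend through the "sql:" prefix on the database directory.

```python
import os
import re

# Added example, not woob/weboob's own code. Assumes NSS version strings may
# carry a non-numeric suffix ("3.21.3 Extended ECC") and that NSS 3.35 is
# where the default certificate database moved from the DBM format (cert8.db)
# to the SQLite format (cert9.db), selectable explicitly with a "sql:" prefix
# on the database directory.

_VERSION_RE = re.compile(r"^\s*(\d+(?:\.\d+)*)")


def parse_nss_version(raw):
    """Return the leading dotted-numeric part of an NSS version string as a
    tuple of ints; whatever follows it (build suffixes) is trimmed."""
    match = _VERSION_RE.match(raw)
    if not match:
        raise ValueError("unparsable NSS version string: %r" % (raw,))
    return tuple(int(part) for part in match.group(1).split("."))


def uses_sql_db(version):
    """True for NSS >= 3.35 (SQLite database by default)."""
    return tuple(version[:2]) >= (3, 35)


def cert_db_filename(version):
    """The certificate store file NSS creates for this version."""
    return "cert9.db" if uses_sql_db(version) else "cert8.db"


def db_dir_spec(version, directory):
    """Directory argument for NSS initialisation: force the SQL backend on
    >= 3.35 with the "sql:" prefix, keep the default (DBM) on older releases
    so that the file name checked by cert_db_exists() matches what NSS
    actually creates."""
    return ("sql:" + directory) if uses_sql_db(version) else directory


def cert_db_exists(version, directory):
    """Look for the file name matching this NSS version rather than a
    hardcoded cert8.db; this is what decides whether the db must be created."""
    return os.path.exists(os.path.join(directory, cert_db_filename(version)))
```

Comparing only the first two components keeps point releases such as 3.35.1 on the SQL side; a full-tuple comparison against (3, 35) would do the same but is easier to get wrong when a distro reports a two-component version.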
- Jun 09, 2018
- Mar 31, 2018
A lot of environments will block those verifications anyway.

Client certificate support seems hard to implement with NSS due to its shitty API, so fall back on OpenSSL. Sorry! PKCS12Decoder() segfaults. PrivateKey() doesn't accept any argument. Certificate(private_der) raises an exception with a stupid error message (like most NSS errors). I'm giving up.
- Mar 03, 2018
This patch has been done because certutil does not seem to handle files containing multiple certificates. We also ignore files without extensions because CentOS contains some Makefile examples in the system CA folder.
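One way to prepare a system CA directory for certutil along the lines of the commit message: split each bundle into single-certificate files and skip extension-less entries such as the Makefile samples. This is an added example, not the project's code; the directory contents it runs on are constructed in demo_on_constructed_dir(), and the certutil argument builder only assembles the command line (-A, -n, -t, -i, -d) without executing it.

```python
import os
import re
import tempfile

# Added example, not woob/weboob's own code.

_PEM_CERT_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\r?\n.*?\r?\n-----END CERTIFICATE-----",
    re.DOTALL)


def split_pem_bundle(data):
    """Return each PEM certificate block in `data` as its own bytes object;
    comments, text between blocks and non-certificate blocks are dropped."""
    return [m.group(0) + b"\n" for m in _PEM_CERT_RE.finditer(data)]


def iter_ca_files(ca_dir):
    """Regular files that have an extension, in a stable order. Extension-less
    entries (CentOS ships Makefile samples next to its CA bundle) are skipped."""
    for name in sorted(os.listdir(ca_dir)):
        path = os.path.join(ca_dir, name)
        if not os.path.isfile(path):
            continue
        if not os.path.splitext(name)[1]:
            continue
        yield path


def explode_ca_dir(ca_dir, out_dir):
    """Write one file per certificate into out_dir and return the paths,
    ready to be imported one at a time."""
    written = []
    for path in iter_ca_files(ca_dir):
        with open(path, "rb") as fp:
            certs = split_pem_bundle(fp.read())
        stem = os.path.splitext(os.path.basename(path))[0]
        for index, pem in enumerate(certs):
            out = os.path.join(out_dir, "%s-%d.pem" % (stem, index))
            with open(out, "wb") as fp:
                fp.write(pem)
            written.append(out)
    return written


def certutil_import_args(db_dir, nickname, pem_path, trust="C,,"):
    """argv for importing one certificate as a trusted CA with certutil
    (-A add, -n nickname, -t trust flags, -i input file, -d database dir).
    "C,," trusts the CA for SSL without the 'u' user flag."""
    return ["certutil", "-A", "-n", nickname, "-t", trust,
            "-i", pem_path, "-d", db_dir]


def demo_on_constructed_dir():
    """Constructed input: a two-certificate bundle, an extension-less Makefile
    and a text file with no certificate. Returns (output names, one argv)."""
    fake_cert = (b"-----BEGIN CERTIFICATE-----\n"
                 b"MIIBaseSixtyFourBodyNotARealCertificate==\n"
                 b"-----END CERTIFICATE-----\n")
    with tempfile.TemporaryDirectory() as ca_dir, \
            tempfile.TemporaryDirectory() as out_dir:
        with open(os.path.join(ca_dir, "ca-bundle.crt"), "wb") as fp:
            fp.write(b"# first CA\n" + fake_cert + b"# second CA\n" + fake_cert)
        with open(os.path.join(ca_dir, "Makefile"), "wb") as fp:
            fp.write(b"all:\n\t@echo not a certificate\n")
        with open(os.path.join(ca_dir, "README.txt"), "wb") as fp:
            fp.write(b"no certificate here\n")
        written = explode_ca_dir(ca_dir, out_dir)
        names = [os.path.basename(p) for p in written]
        argv = certutil_import_args("sql:/etc/pki/nssdb", names[0], written[0])
    return names, argv
```

The regex deliberately matches only CERTIFICATE blocks, so a bundle that also carries keys or CRLs does not get them imported as CAs by accident.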
- Sep 06, 2017
It seems NSS can raise errors if it is not re-initialized after the process is forked. ssl_wrap_socket is thus modified to call init again if the PID changed. Also, it seems it is safer to use an init context.
https://bugzilla.redhat.com/show_bug.cgi?id=800304
https://bugzilla.redhat.com/show_bug.cgi?id=1317691
https://bugzilla.mozilla.org/show_bug.cgi?id=1263017
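The PID check described above, as an added example that is not the project's own code. The library-specific init and shutdown calls are passed in as callables (the python-nss context functions are not reproduced here), and the PID source is injectable so the re-initialisation can be exercised without forking; fork_demo() shows the real thing where fork() exists.

```python
import os

# Added example, not woob/weboob's own code.


class ForkAwareInit(object):
    """Initialise lazily and again in any process whose PID differs from the
    one that did the last initialisation, i.e. after a fork(). `init` returns
    a handle (with python-nss this would be the init context; the exact call
    is not reproduced here) and `getpid` is injectable for testing."""

    def __init__(self, init, shutdown=None, getpid=os.getpid):
        self._init = init
        self._shutdown = shutdown
        self._getpid = getpid
        self.pid = None
        self.context = None
        self.init_count = 0

    def ensure(self):
        """Call before every use of the library (e.g. at the top of
        ssl_wrap_socket). A child inherits the parent's in-memory state but
        must not keep using it, so it gets a context of its own."""
        pid = self._getpid()
        if self.pid != pid:
            self.context = self._init()
            self.pid = pid
            self.init_count += 1
        return self.context

    def shutdown(self):
        """Tear down only a context created in this process; a child must
        not shut down a handle it merely inherited from its parent."""
        if self.context is not None and self.pid == self._getpid():
            if self._shutdown is not None:
                self._shutdown(self.context)
            self.context = None
            self.pid = None


def fork_demo():
    """Fork once and report (parent init count, child re-initialised?). The
    child's answer comes back over a pipe. Returns None where fork() is
    unavailable or refused."""
    if not hasattr(os, "fork"):
        return None
    state = ForkAwareInit(init=lambda: object())
    parent_ctx = state.ensure()
    try:
        rfd, wfd = os.pipe()
        pid = os.fork()
    except OSError:
        return None
    if pid == 0:  # child: same object graph, different PID
        os.close(rfd)
        child_ctx = state.ensure()
        ok = child_ctx is not parent_ctx and state.init_count == 2
        os.write(wfd, b"1" if ok else b"0")
        os._exit(0)
    os.close(wfd)
    answer = os.read(rfd, 1)
    os.close(rfd)
    os.waitpid(pid, 0)
    return state.init_count, answer == b"1"
```

The parent's count stays at 1 after the fork because ensure() only re-runs init when the PID it recorded no longer matches; the child sees a new PID and initialises once more.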
- Jul 08, 2017
Python 3's httplib uses readinto and flush, which are not implemented by nss.
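The io.RawIOBase/io.BufferedRWPair construction from the Jul 29, 2018 message, together with the readinto and flush that Python 3's http.client needs, as an added example. This is not the project's code: FakeNSSSocket is a constructed stand-in whose recv()/send() take the timeout on every call, which is the property of the NSS socket that forces the per-call design; only readinto() and write() are written by hand, and readline(), readinto() on the buffered side and flush() come from the io stack.

```python
import io
import socket

# Added example, not woob/weboob's own code.


class FakeNSSSocket(object):
    """Constructed stand-in for an NSS SSL socket: recv() and send() take the
    timeout as an argument on every call, there is no settimeout() that
    applies once for the connection."""

    def __init__(self, incoming, hang_at_eof=False):
        self._in = io.BytesIO(incoming)
        self._hang_at_eof = hang_at_eof
        self.sent = bytearray()
        self.recv_timeouts = []   # timeout value seen by each recv() call

    def recv(self, size, timeout):
        self.recv_timeouts.append(timeout)
        data = self._in.read(size)
        if not data and self._hang_at_eof:
            raise socket.timeout("recv timed out after %ss" % timeout)
        return data

    def send(self, data, timeout):
        self.sent += data
        return len(data)


class NSSRawIO(io.RawIOBase):
    """RawIOBase adapter threading one timeout through every recv/send."""

    def __init__(self, sock, timeout):
        io.RawIOBase.__init__(self)
        self._sock = sock
        self.timeout = timeout

    def readable(self):
        return True

    def writable(self):
        return True

    def readinto(self, buf):
        data = self._sock.recv(len(buf), self.timeout)
        n = len(data)
        buf[:n] = data
        return n

    def write(self, data):
        return self._sock.send(bytes(data), self.timeout)


def make_file(sock, timeout, buffer_size=8192):
    """The file object http.client wants (readline/readinto/flush), built on
    two raw adapters as the io docs recommend for BufferedRWPair."""
    return io.BufferedRWPair(NSSRawIO(sock, timeout),
                             NSSRawIO(sock, timeout), buffer_size)


def fetch(sock, timeout, request=b"GET / HTTP/1.1\r\nHost: example.invalid\r\n\r\n"):
    """Send a request, then read status line, headers and a Content-Length
    body the way http.client does (readline for headers, readinto for body)."""
    fp = make_file(sock, timeout)
    fp.write(request)
    fp.flush()                       # http.client calls flush() after sending
    status = fp.readline()
    headers = {}
    while True:
        line = fp.readline()
        if line in (b"", b"\r\n", b"\n"):
            break
        key, _, value = line.decode("latin-1").partition(":")
        headers[key.strip().lower()] = value.strip()
    body = bytearray(int(headers.get("content-length", "0")))
    view = memoryview(body)
    got = 0
    while got < len(body):
        n = fp.readinto(view[got:])  # http.client reads bodies with readinto
        if not n:
            break
        got += n
    return status, headers, bytes(body[:got])


def readline_or_timeout(sock, timeout):
    """Return the first line, or None if the per-call timeout fires before a
    newline arrives: the peer that stalls mid-line is what the timeout is for."""
    try:
        return make_file(sock, timeout).readline()
    except socket.timeout:
        return None
```

Every recv() issued through the buffered layer carries the same timeout, which is what a Python socket's settimeout() would otherwise guarantee; the stalled-peer case surfaces as socket.timeout from readline() rather than hanging.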
- Apr 01, 2017
Since NSS doesn't implement AIA (Authority Information Access) for incomplete certificate chains, a workaround can be to hardcode the expected certificate. In a Browser, the VERIFY field should be set to the expected certificate path.
- Mar 11, 2017
The 'u' (user) flag seems only useful when a private key is present, for user auth, which is not the case here. Plus it prints annoying notices.
requests expects socket.error and ssl.SSLError exceptions, not nss.error.NSPRError. Try to convert NSS exceptions into the expected ones.
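A translation layer of the kind the commit message describes, as an added example rather than the project's code. NSPRError here is a constructed stand-in for nss.error.NSPRError carrying the numeric code in .errno; the error-code constants and ranges are assumptions from my memory of NSPR's prerr.h and NSS's secerr.h/sslerr.h and should be checked against the headers actually in use.

```python
import errno
import os
import socket
import ssl
from functools import wraps

# Added example, not woob/weboob's own code.


class NSPRError(Exception):
    """Stand-in for nss.error.NSPRError (python-nss is not imported here):
    carries the numeric NSPR/NSS error code in .errno like the real class."""

    def __init__(self, code, msg=""):
        Exception.__init__(self, msg)
        self.errno = code


# Assumed values/ranges (prerr.h, secerr.h, sslerr.h as remembered); verify
# against the headers you build against.
PR_IO_TIMEOUT_ERROR = -5990
PR_CONNECT_TIMEOUT_ERROR = -5979
PR_CONNECT_REFUSED_ERROR = -5981
PR_CONNECT_RESET_ERROR = -5961
SEC_ERROR_BASE = -0x2000     # certificate/crypto errors are SEC_ERROR_BASE + n
SSL_ERROR_BASE = -0x3000     # TLS protocol errors are SSL_ERROR_BASE + n
_ERROR_RANGE = 1000

_POSIX_EQUIVALENT = {
    PR_CONNECT_REFUSED_ERROR: errno.ECONNREFUSED,
    PR_CONNECT_RESET_ERROR: errno.ECONNRESET,
}


def translate_nspr_error(exc):
    """Map an NSPRError onto what requests/urllib3 catch: socket.timeout for
    the timeouts, ssl.SSLError for SEC_/SSL_ codes, socket.error otherwise."""
    code = exc.errno
    text = str(exc) or "NSPR error %d" % code
    if code in (PR_IO_TIMEOUT_ERROR, PR_CONNECT_TIMEOUT_ERROR):
        return socket.timeout(text)
    if (SSL_ERROR_BASE <= code < SSL_ERROR_BASE + _ERROR_RANGE
            or SEC_ERROR_BASE <= code < SEC_ERROR_BASE + _ERROR_RANGE):
        return ssl.SSLError(text)
    posix = _POSIX_EQUIVALENT.get(code)
    if posix is not None:
        return socket.error(posix, os.strerror(posix))
    return socket.error(text)


def nspr_errors_as_socket_errors(func):
    """Decorator for the socket-like methods: re-raise translated, chained to
    the original so the NSS code stays visible in tracebacks."""
    @wraps(func)
    def wrapper(*args, **kwargs):
        try:
            return func(*args, **kwargs)
        except NSPRError as exc:
            raise translate_nspr_error(exc) from exc
    return wrapper


@nspr_errors_as_socket_errors
def failing_recv(code):
    """Constructed: a recv that always fails with the given NSPR code."""
    raise NSPRError(code, "simulated NSS failure")


def caught(code):
    """Run failing_recv and return the exception requests would see."""
    try:
        failing_recv(code)
    except OSError as exc:   # socket.error, socket.timeout, ssl.SSLError all derive from OSError
        return exc
    return None


def is_timeout(exc):
    return isinstance(exc, socket.timeout)


def is_ssl_error(exc):
    return isinstance(exc, ssl.SSLError)
```

Chaining with `from exc` keeps the original NSPR code reachable through `__cause__`, which matters when a generic socket.error reaches a module author who needs to know which NSS condition actually fired.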
OpenSSL fails to connect to numerous websites where NSS succeeds. This helper module makes it possible to use NSS if desired.