Bug 347691 - Port neon to use NSS library for cryptography
Product: Fedora
Classification: Fedora
Component: neon
Hardware: All Linux
Priority: medium, Severity: medium
Assigned To: Joe Orton
QA Contact: Fedora Extras Quality Assurance
Keywords: FutureFeature
Duplicates: 346661
Blocks: CryptoConsolidation
Reported: 2007-10-23 06:21 EDT by Peter Vrabec
Modified: 2014-09-23 16:03 EDT
Doc Type: Enhancement
Last Closed: 2014-09-23 16:03:19 EDT
Description Peter Vrabec 2007-10-23 06:21:02 EDT
neon should be ported to use NSS library for cryptography.
See the tracking bug for details and links on how it could be done.
Comment 1 Joe Orton 2007-12-04 10:09:53 EST
neon has a library-agnostic SSL interface which is currently implemented for
both OpenSSL and GnuTLS.  To be able to port neon to NSS, NSS needs to be able
to work in a mode where a central certificate database is not required.  I
couldn't work out how to do this with the current API.
Comment 2 Bob Relyea 2007-12-04 12:40:29 EST
NSS can be initialized to work without a centralized database. The OpenSSL
compatibility libraries currently use this method.

That being said, doing so can leave the application deficient compared to other
applications. Certainly for the first step, that's probably sufficient. As we
enable the shared database code, applications that don't play in that shared
database will be viewed as deficient or lacking.
Comment 3 Joe Orton 2007-12-04 16:05:59 EST
Can you explain how?  

I think I was supposed to call NSS_NoDB_Init() to initialize, right?  I couldn't
see any way to get a CERTCertDBHandle * pointer other than calling the
CERT_GetDefaultCertDB() function, so virtually all the state neon needs to
manipulate is process-global (e.g. the cert verification callback) - which is
not possible for a library interface.
Comment 4 Joe Orton 2007-12-04 16:10:07 EST
The other thing I stumbled on when looking at this was that the export policy
would have to be set (again as process-global state) at startup somehow.  How
would an application (or worse, a library) be expected to decide what export
policy to use?  Is this supposed to be user-configurable?
Comment 5 Joe Orton 2008-10-20 12:02:09 EDT
*** Bug 346661 has been marked as a duplicate of this bug. ***
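
Comments 3 and 4 raise the concern that state such as the certificate verification callback or the export policy is process-global, which a library cannot safely own. The sketch below is an added example, not code from this bug report, neon or NSS; every function and host name in it is a hypothetical stand-in (none are NSS or neon APIs), and it only models that concern by comparing a process-wide hook with a per-session one.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in backend; these are NOT NSS or neon functions. */
typedef int (*verify_fn)(const char *peer, void *arg);   /* 1 = accept peer */

/* Design A: a single verification hook shared by the whole process. */
static verify_fn g_verify;
static void *g_arg;
static void backend_set_global_verify(verify_fn f, void *arg) { g_verify = f; g_arg = arg; }
static int backend_global_handshake(const char *peer) {
    return g_verify ? g_verify(peer, g_arg) : 0;          /* no hook: reject */
}

/* Design B: the hook is carried in a per-session context. */
struct session { verify_fn verify; void *arg; };
static int backend_session_handshake(const struct session *s, const char *peer) {
    return s->verify ? s->verify(peer, s->arg) : 0;
}

/* Two unrelated components living in one process (constructed policies). */
static int pin_verify(const char *peer, void *arg) {      /* library: pinned host only */
    return strcmp(peer, (const char *)arg) == 0;
}
static int accept_any(const char *peer, void *arg) {      /* host app: lenient policy */
    (void)peer; (void)arg;
    return 1;
}

/* Design A: the library installs its hook, then the host application
 * installs its own. The library's later handshake runs the wrong policy. */
int library_result_global(const char *peer) {
    backend_set_global_verify(pin_verify, "dav.example.test");
    backend_set_global_verify(accept_any, NULL);          /* silently replaces it */
    return backend_global_handshake(peer);
}

/* Design B: each component keeps its own session, so neither can
 * change the other's verification decision. */
int library_result_per_session(const char *peer) {
    struct session lib = { pin_verify, "dav.example.test" };
    struct session app = { accept_any, NULL };
    (void)backend_session_handshake(&app, peer);          /* app traffic, unrelated */
    return backend_session_handshake(&lib, peer);
}

int main(void) {
    printf("global hook, unpinned peer accepted: %d\n",
           library_result_global("other.example.test"));
    printf("per-session hook, unpinned peer accepted: %d\n",
           library_result_per_session("other.example.test"));
    return 0;
}
```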
