Description
Support for using OS-native certificates for SSL client auth.
Known Limitations
- Only SSL3/TLS1.0 handshakes are supported. It's unlikely SSLv2 will/should ever be implemented. NSS does not yet support TLS1.1/1.2
- On Windows, only CryptoAPI keys are supported. Keys that can only be accessed via CNG will fail.
Technical Notes:
Windows:
- Only the AT_KEYEXCHANGE key is used, per http://msdn.microsoft.com/en-us/library/aa387461(VS.85).aspx
- CryptSetHashParam is used to directly set the hash value. This *should* be supported by all CSPs that are compatible with RSA/SChannel, AFAICT, but testing is needed.
NSS:
- The define NSS_PLATFORM_CLIENT_AUTH is used to guard all of the new/patched code. The primary implementation details are in sslplatf.c.
BUG=148
BUG=37560
BUG=45369
TEST=Attempt to authenticate with a site that requires HTTPS (eg: https://foaf.me/simpleLogin.php with a FOAF+SSL client certificate).
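The technical notes above say the TLS stack computes the handshake hash itself and the platform key signs that value directly (CryptSetHashParam on Windows). The following pure-Python sketch is an added illustration, not code from this review or from Chromium/NSS: it builds the value a TLS 1.0 client signs in CertificateVerify for an RSA certificate (RFC 2246: MD5 || SHA-1 of the handshake messages, 36 bytes, in a PKCS#1 v1.5 block type 1 with no DigestInfo) and shows the server-side check. The key generator, the fixed seed, the transcript bytes and all function names are constructed for the demo and are not the project's API.

```python
import hashlib
import hmac
import random

# TLS 1.0 CertificateVerify for an RSA client certificate (RFC 2246, 7.4.8 and 4.7):
# the signed value is MD5(handshake_messages) || SHA-1(handshake_messages), 36 bytes,
# placed directly in a PKCS#1 v1.5 block type 1 with no DigestInfo prefix. The TLS
# stack computes that value itself, which is why a platform signer has to accept a
# precomputed hash instead of hashing the data on its own.


def tls10_certificate_verify_digest(handshake_messages: bytes) -> bytes:
    """36-byte value the client hands to its private key (MD5 || SHA-1)."""
    return (hashlib.md5(handshake_messages).digest()
            + hashlib.sha1(handshake_messages).digest())


def pkcs1_type1_pad(data: bytes, k: int) -> bytes:
    """EB = 00 || 01 || FF..FF || 00 || data, exactly k bytes (k = modulus length)."""
    if len(data) + 11 > k:
        raise ValueError("modulus too short for the data being signed")
    return b"\x00\x01" + b"\xff" * (k - len(data) - 3) + b"\x00" + data


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 24) -> bool:
    """Miller-Rabin; fine for a demo key, not a production key generator."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand, rng):
            return cand


def generate_demo_rsa_key(bits: int = 512, seed: int = 1):
    """Constructed demo key from a seeded RNG so runs are reproducible (never for real keys)."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p = _random_prime(bits // 2, rng)
        q = _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:  # e is prime, so this is gcd(e, phi) == 1
            break
    n = p * q
    d = pow(e, -1, phi)
    return n, e, d


def sign_certificate_verify(handshake_messages: bytes, key) -> bytes:
    """Client side: pad the 36-byte value and apply the private key."""
    n, _e, d = key
    k = (n.bit_length() + 7) // 8
    eb = pkcs1_type1_pad(tls10_certificate_verify_digest(handshake_messages), k)
    return pow(int.from_bytes(eb, "big"), d, n).to_bytes(k, "big")


def verify_certificate_verify(handshake_messages: bytes, signature: bytes, pub) -> bool:
    """Server side: rebuild the whole expected block and compare all of it."""
    n, e = pub
    k = (n.bit_length() + 7) // 8
    if len(signature) != k:
        return False
    s = int.from_bytes(signature, "big")
    if s >= n:
        return False
    recovered = pow(s, e, n).to_bytes(k, "big")
    expected = pkcs1_type1_pad(tls10_certificate_verify_digest(handshake_messages), k)
    return hmac.compare_digest(recovered, expected)


if __name__ == "__main__":
    # Constructed stand-in for the concatenated handshake messages up to CertificateVerify.
    transcript = b"ClientHello|ServerHello|Certificate|CertificateRequest|ServerHelloDone|Certificate|ClientKeyExchange"
    key = generate_demo_rsa_key()
    sig = sign_certificate_verify(transcript, key)
    print(verify_certificate_verify(transcript, sig, key[:2]))         # True
    print(verify_certificate_verify(transcript + b"x", sig, key[:2]))  # False
```

Because there is no DigestInfo around the 36-byte value, the verifier has nothing to parse; it must reconstruct the complete padded block and compare it byte for byte, which is what the last function does.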
Patch Set 1
Patch Set 2 : Whitespace for NSS, leakfix for client auth handler, intermediate cert for win/osx
Total comments: 1
Patch Set 3 : Mac handling of smart card ejection and a few Mac typos I spotted reviewing
Patch Set 4 : Enable ECDSA signatures, match SChannel's behaviour for signing, and omit root certs from the chain
Patch Set 5 : License fix
Total comments: 1
Patch Set 6 : Copy from 3455019 - Patchset 1 (rebase to trunk)
Patch Set 7 : White space and don't prompt to insert smart card if ejected on Windows
Total comments: 3
Patch Set 8 : Rebase to trunk
Patch Set 9 : Copy from 3455019 - Patchset 2
Patch Set 10 : Merge in Patchset 7 - Switch to CRYPT_SILENT
Patch Set 11 : Fix Mac compiles post-copy
Total comments: 3
Patch Set 12 : Copy from 3455019 - Patchset 4
Patch Set 13 : Add a short-circuit when the CSP reports the container is not removable
Messages
Total messages: 16 (0 generated)