The purpose is to cause as few changes to the code you are trying to port as
possible. Some changes are inevitable, particularly when crypto outside of
SSL is being used, but for a general-purpose SSL client or server the goal
is that 80% of the code can remain untouched.

Currently Supports:

 * Creating an SSL server listener and accepting requests
 * Creating an SSL client socket and making requests
 * Ciphers that should be compatible with OpenSSL
 * Client certificate authentication
 * Token password prompting/handling

Requires:

NSPR 4.6.4 or higher
NSS 3.11.4 or higher

How Do I Use the Library:

For the short term you will need to use an NSS database. This consists of 3
files: cert8.db, key3.db and secmod.db, located in the same directory. In order
for the target to find the right database you need to set the environment
variable SSL_DIR to the location of your NSS database (unless you have a
server cert installed in the default NSS database in /etc/pki/nssdb).

The code doesn't currently support file-based certificates. It uses the path
of the certificate passed to SSL_CTX_use_certificate_file() and
SSL_CTX_use_certificate_chain_file() as the nickname of the certificate in
the NSS database. To list the certificates (and their nicknames) in an NSS
database you can use this:

% certutil -L -d /path/to/database

If you have a PKCS#12 file containing your certificate you can import it into
your NSS database with:

% pk12util -i mycert.p12 -d /path/to/database

We currently lack nice, importable autoconf rules. You will need to tell your
application where to find the NSPR and NSS include files and libraries. You
can use pkg-config to determine this. The package names are nss and nspr.

So far we use HAVE_NSS and HAVE_OPENSSL to differentiate between NSS and
OpenSSL.

You will want to include "nss_compat_ossl.h". Be careful not to include any
OpenSSL header files.
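As an added example (not part of nss_compat_ossl), the following pre-flight script checks the two runtime requirements above before a ported application starts: that the database directory resolved from SSL_DIR (falling back to /etc/pki/nssdb) actually holds cert8.db, key3.db and secmod.db, and that the nickname the code passes to SSL_CTX_use_certificate_file() appears in the `certutil -L` listing. It assumes certutil's listing format (a three-line header, then one entry per line with the trust flags as the last whitespace-separated field); the script name preflight.sh is made up.

```shell
#!/bin/sh
# preflight.sh (hypothetical name): pre-flight checks for an application
# ported with nss_compat_ossl. Added example, not part of the library.

# Database location as the README describes: SSL_DIR, else the default.
nssdb_dir() {
    printf '%s\n' "${SSL_DIR:-/etc/pki/nssdb}"
}

# Succeeds only if all three database files exist in directory $1.
nssdb_is_complete() {
    for f in cert8.db key3.db secmod.db; do
        [ -f "$1/$f" ] || return 1
    done
    return 0
}

# Reads `certutil -L -d <dir>` output on stdin, prints one nickname per line.
# Assumed format: a three-line header, then "<nickname>   <trust flags>".
# Nicknames may contain spaces, so only the last field (the flags) is cut.
nssdb_nicknames_from_listing() {
    awk 'NR > 3 && NF >= 2 {
            sub(/[[:space:]]+[^[:space:]]+[[:space:]]*$/, ""); print
         }'
}

# Exact match, so asking for "Server-Cert" does not accept "Server-Cert-old".
nssdb_has_nickname() {
    certutil -L -d "$1" | nssdb_nicknames_from_listing | grep -Fxq -- "$2"
}

# preflight <nickname passed to SSL_CTX_use_certificate_file()>
preflight() {
    dir=$(nssdb_dir)
    if ! nssdb_is_complete "$dir"; then
        echo "no complete NSS database in $dir (cert8.db, key3.db, secmod.db)" >&2
        echo "point SSL_DIR at your database directory" >&2
        return 1
    fi
    if ! nssdb_has_nickname "$dir" "$1"; then
        echo "no certificate nicknamed '$1' in $dir" >&2
        echo "list: certutil -L -d $dir   import: pk12util -i <file>.p12 -d $dir" >&2
        return 1
    fi
    echo "ok: certificate '$1' found in $dir"
}

if [ $# -eq 1 ]; then preflight "$1"; fi
```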
Some specific things to watch out for:

- OpenSSL CRL handling is very different from NSS so any OpenSSL CRL handling
code should be ifdef'd out. NSS handles CRLs directly. Users can use the
crlutil tool to load them into the NSS database.

- The callbacks for info_callback and verify_callback are made but from what
I've seen those functions use very diverse OpenSSL calls that aren't supported
yet (and may never be). These callbacks will likely all need to be rewritten
for NSS.

- Few of the BIO_ calls are implemented. If these are used extensively in the
target application then some major rewriting may be needed. Best to request
some assistance before proceeding.

- I didn't use OpenSSL structures in most cases so any programs trying to
access specific elements may need to change (or the library does).

- NSS supports two modes for its SSL cache: threaded and multi-process. The
nss_compat_ossl code currently initializes the cache for multi-threaded
operation. If you need multi-process you will need to call these in your
application:

    SSL_CTX_set_timeout(ctx, timeout);
    SSL_ShutdownServerSessionIDCache();
    SSL_ConfigMPServerSIDCache(0, timeout, timeout, NULL);

Things to be done:

- We should import referenced certificates on the fly into our NSS database.
A PKCS#11 module to do this has been started but requires NSS 3.12 so it is
of limited use in the short-term.

- Many missing pieces of the API