480076 - need sample source: how to avoid hard coding SSL cipher suite info

Status: RESOLVED FIXED

(NSS :: Documentation, enhancement, P4)

Description

[Nelson Bolyard (seldom reads bugmail)]

Attachment: Source file that demonstrates use of SSL_GetCipherSuiteInfo

For years, libSSL has has functions that enable an application to dynamically
adjust to new cipher suites as they become available in newer NSS releases,
without needing to modify or recompile application source code.  This obviates
hard coded application tables of attributes for SSL cipher suites.  But there 
has been no code that demonstrates how to use it, so the feature has gone 
largely (perhaps totally) unused.  We need sample code for it.  

That's the purpose of the attachment.  I'd actually like to commit this in a 
new subdirectory of mozilla/security/nss/cmd.  Any objections?

Comment 1

[Nelson Bolyard (seldom reads bugmail)]

1 minor correction.  The line that reads:
    ((info.cipherSuite & 0xff00) == 0xff00 ? "SSL2" : ""), 
should instead read:
    (SSL_IS_SSL2_CIPHER(info.cipherSuite) ? "SSL2" : ""), 
I meant to fix that before attaching it.

Comment 2

[Elio Maldonado]

Line 45 includes secutil.h a non-public header. This is currently needed because Lines 70 and 79 call SECU_Strerror, from sectools, a tools support library that we don't yet ship and support. 

Once this dependency is removed the sample should build stand-alone via as simple a makefile target as:
listsuites: listsuites.c
	gcc -Wall -Werror -g $^ -o $@  \
-lnspr4 -lnss3 -lssl3 -I/usr/include/nspr4 -I/usr/include/nss3

Comment 3

[Nelson Bolyard (seldom reads bugmail)]

Elio, 
Was your comment 2 meant to be interpreted as an R- ?
If so, please set the review- flag.  Thanks.

Comment 4

[Elio Maldonado]

Since nss 3.13 we have support for localizeable error strings via PORT_ErrorToString. So with these changes

$ diff ~/Downloads/listsuites.c ./listsuites.c
45c45
< #include "secutil.h"
---
> #include "secport.h"
70c70
< 	    	   suite, i, SECU_Strerror(err));
---
> 	    	   suite, i, PORT_ErrorToString(err));
79c79
< 	    	   suite, i, SECU_Strerror(err));
---
> 	    	   suite, i, PORT_ErrorToString(err));
the sample will rely on public headers and only.

Comment 5

[Elio Maldonado]

Attachment: Source file that demonstrates use of SSL_GetCipherSuiteInfo

Comment 6

[Elio Maldonado]

Attachment: Demonstrates use of SSL_GetCipherSuiteInfo - updated license

Comment 7

[Kai Engert [:KaiE:]]

Please make the replacement that Nelson suggested in comment 1.

I read the code and it looks find to me.
But this isn't a patch, where do you want this code to live?

Without makefile changes this work isn't complete.

Comment 8

[Kai Engert [:KaiE:]]

Attachment: Patch v4

Comment 9

[Kai Engert [:KaiE:]]

Comment on attachment 647642 [details]
Demonstrates use of SSL_GetCipherSuiteInfo - updated license

r+ but please make the requested changes.

I attached a new patch, please feel free to r+ and check it in if you think this is OK.

(remember to use "cvs add" on the directory and all new files.)

Comment 10

[Elio Maldonado]

Checked in to the trunk:
Checking in mozilla/security/nss/cmd/manifest.mn;
/cvsroot/mozilla/security/nss/cmd/manifest.mn,v  <--  manifest.mn
new revision: 1.38; previous revision: 1.37
done
RCS file: /cvsroot/mozilla/security/nss/cmd/listsuites/Makefile,v
done
Checking in mozilla/security/nss/cmd/listsuites/Makefile;
/cvsroot/mozilla/security/nss/cmd/listsuites/Makefile,v  <--  Makefile
initial revision: 1.1
done
RCS file: /cvsroot/mozilla/security/nss/cmd/listsuites/listsuites.c,v
done
Checking in mozilla/security/nss/cmd/listsuites/listsuites.c;
/cvsroot/mozilla/security/nss/cmd/listsuites/listsuites.c,v  <--  listsuites.c
initial revision: 1.1
done
RCS file: /cvsroot/mozilla/security/nss/cmd/listsuites/manifest.mn,v
done
Checking in mozilla/security/nss/cmd/listsuites/manifest.mn;
/cvsroot/mozilla/security/nss/cmd/listsuites/manifest.mn,v  <--  manifest.mn
initial revision: 1.1
done