Re: Please review: 48798 All DS to offer weaker dh params optionally.

William Brown wrote:
https://fedorahosted.org/389/ticket/48798

https://fedorahosted.org/389/attachment/ticket/48798/0001-Ticket-48798-Enable-DS-to-offer-weaker-DH-params-in-.patch

https://fedorahosted.org/389/attachment/ticket/48798/0001-Ticket-48798-lib389-add-ability-to-create-nss-ca-and.patch


I don't understand why you are linking enabling weak DH params with enabling DHE on the server side, or are you just forcing server-side DH if the weak params are enabled? Is there some other switch to enable server-side DH too? What about managing the DH ciphers?

You should check for the existence of SSL_ENABLE_SERVER_DHE if you want to be able to build with older NSS.

In the second patch there is no context why creating your own CA is linked in any way with testing DH params, plus the "This is a trick" code is duplicated between the patches. I think I'd just revise the commit message on the second patch saying it is code to generate an RSA CA and leave it at that.

There is a comment that the "shipped" NSS db is broken but no explanation of how.

rob
--
389-devel mailing list
389-devel@xxxxxxxxxxxxxxxxxxxxxxx
http://lists.fedoraproject.org/admin/lists/389-devel@xxxxxxxxxxxxxxxxxxxxxxx



