Taken from: [[SSL Reference|http://www.mozilla.org/projects/security/pki/nss/ref/ssl/index.html]]
Initialization includes setting up configuration files, setting global defaults, and setting up callback functions. Functions used in the initialization part of an application can include the following:
* PR_Init. Initializes NSPR. Must be called before any other NSS functions.
* PK11_SetPasswordFunc. Sets the global callback function to obtain passwords for PKCS #11 modules. Required.
* NSS_Init. Sets up configuration files and performs other tasks required to run Network Security Services. NSS_Init is not idempotent, so call it only once. Required.
* SSL_OptionSetDefault. Changes default values for all subsequently opened sockets as long as the application is running (compare with SSL_SetURL which only configures the socket that is currently open). This function must be called once for each default value that needs to be changed. Optional.
* NSS_SetDomesticPolicy, NSS_SetExportPolicy, NSS_SetFrancePolicy, or SSL_CipherPolicySet. These functions tell the library which cipher suites are permitted by policy (for example, to comply with export restrictions). Cipher suites disabled by policy cannot be enabled by user preference. One of these functions must be called before any cryptographic operations can be performed with [[NSS]].
* SSL_CipherPrefSetDefault. Enables all ciphers chosen by user preference. Optional.
The configuration portion of an SSL-enabled application typically begins by opening a new socket and then importing the new socket into the SSL environment:
* PR_NewTCPSocket. Opens a new socket. SSL_ImportFD requires a valid NSPR socket, whether it is created with this function or by another method.
* SSL_ImportFD. Makes an NSPR socket into an SSL socket. Required. Brings an ordinary [[NSPR]] socket into the SSL library, returning a new NSPR socket that can be used to make SSL calls. You can pass this function a model file descriptor to create the new SSL socket with the same configuration state as the model.
* PR_GetSocketOption. Retrieves the socket options currently set for a specified socket. Optional.
* PR_SetSocketOption. Sets the socket options for a specified socket, including making it blocking or nonblocking. Optional.
* SSL_OptionSet. Sets a single configuration parameter of a specified socket. This function must be called once for each parameter whose settings you want to change from those established with SSL_OptionSetDefault. Optional.
* SSL_ConfigSecureServer. For servers only. Configures the socket with the information needed to handshake as an SSL server. Required for servers.
* SSL_SetURL. For clients only. Records the target server URL for comparison with the URL specified by the server certificate. Required for clients.
* SSL_SetPKCS11PinArg. Sets the argument passed to the PKCS #11 password callback function. Required.
* SSL_AuthCertificateHook. Specifies a callback function used to authenticate an incoming certificate (optional for servers, necessary for clients to avoid "man-in-the-middle" attacks). Optional. If not specified, SSL uses the default callback function, SSL_AuthCertificate.
* SSL_BadCertHook. Specifies a callback function to deal with a situation where authentication has failed. Optional.
* SSL_GetClientAuthDataHook. Specifies a callback function for SSL to use when the server asks for client authentication information. This callback is required if you want to do client authentication. You can set the callback function to a standard one that is provided, NSS_GetClientAuthData.
* SSL_HandshakeCallback. Specifies a callback function that will be used by SSL to inform either a client application or a server application when the SSL handshake is completed. Optional.
After establishing a connection, an application first calls PR_Send, PR_Recv, PR_Read, PR_Write, or SSL_ForceHandshake to initiate the handshake. The application's protocol (for example, HTTP) determines which end has responsibility to talk first. The end that has to talk first should call PR_Send or PR_Write, and the other end should call PR_Read or PR_Recv. Use SSL_ForceHandshake when the socket has been prepared for a handshake but neither end has anything to say immediately. This occurs, for example, when an HTTPS server has received a request and determines that before it can answer the request, it needs to request an authentication certificate from the client. At the HTTP protocol level, nothing more is being said (that is, no HTTP request or response is being sent), so the server first uses SSL_ReHandshake to begin a new handshake and then calls SSL_ForceHandshake to drive the handshake to completion.
!See Also
[[SSL Functions|http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html#1047959]]
[[JSS and ECC|https://bugzilla.mozilla.org/show_bug.cgi?id=322871]]