Closed Bug 188856 Opened 22 years ago Closed 22 years ago

https gets Error Code: -8173 when DHE ciphers negotiated

Categories

(NSS :: Libraries, defect, P1)

Product:
NSS
Component:
Libraries
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: joe, Assigned: rrelyea)

References

(
URL
)

Details

(Keywords: regression)

Attachments

(3 files)

Text file
3.45 KB, text/plain
Details
1) Return proper error code in more cases. 2) Fix bug in DH KeyPair Generation.
8.20 KB, patch
wtc
: review+
asa
: approval1.3+
Details | Diff | Splinter Review
Fix a typo in pk11_GetPubKey
711 bytes, patch
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3b) Gecko/20030111 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.3b) Gecko/20030111 I get the above message when attempting to connect to the above secure site. Similarly, I have also received that message when connecting to a secure site I maintain for development purposes (unfortunately, my dev sites are located on an 'internal only' machine). Other secure sites, such as https://rhn.redhat.com/, do not seem to cause such problems. The only similarity I can find between https://https.openbsd.org/cgi-bin/order and my internal secure site is that Apache is built against OpenSSL 0.9.7 (beta3 in the OpenBSD case, and 0.9.7 release in my case). In my example, I've tried serving the site with both Apache 1.3 and 2.0 and have experienced the problem. A slightly older apache, built against OpenSSL 0.9.6b, worked without incident. I generally get a new Mozilla build every few days, and this has been happening only since early last week. I tested 1.0.2, and even the latest "generally released" 1.3a(b?) and they connect to these sites. It's only in the latest of the nightly builds that I've seen this problem. Reproducible: Always Steps to Reproduce: 1. point the browser to https://https.openbsd.org/cgi-bin/order 2. 3. Actual Results: A modal(?) error window pops up, with the message "Error establishing and encrypted connection to <site>. Error Code: -8173". Nothing further. The browser keeps the current page displayed (not the secure page I intended to visit). Expected Results: Should have displayed the intended page. Run of the mill Mozilla install, classis theme. Machine is a home-built Athlon, 256MB RAM, ATI Rage128 video (32MB). Connected via DSL. Red Hat 7.3, current patches. This machine also has OpenSSL 0.9.7 installed (does Mozilla even utilize this?). This machine also boots into Windows 2000, and I noticed the same behaviour with the latest Mozilla for Windows builds as well.
-> PSM
Assignee: dougt → ssaux
Component: Networking → Client Library
Product: Browser → PSM
QA Contact: benc → junruh
Version: Trunk → unspecified
Confirming with the Jan 13 Win2000 commercial trunk build. Works on Mozilla Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.3b) Gecko/20030102
Severity: normal → major
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Linux → All
Priority: -- → P2
Hardware: PC → All
Version: unspecified → 2.4
Another example: https://www.arrl.org
Attached file Text file
I can reach the test sites if I disable SSL3 and TLS. After turning those options back on, I used ssltap to create an attachment while trying to reach https://www.arrl.org. Save the attachment as file.txt.
If I'm not mistaken, -8173 == -8192 + 19 , so this is error SEC_ERROR_NO_MEMORY = SEC_ERROR_BASE + 19, So, either the browser really is running out of memory (not necessarily caused by anything directly related to https), or else some code is falsely setting this error code. Can this be reproduced with tstclnt?
Summary: "Error establishing and encrypted connection to <site>. Error Code: -8173" → https connection attempt gets Error Code: -8173
This must be a version of mozilla in which the new DHE ciphersuites have been enabled. The client and server have negotiated a DHE ciphersuite. The error occurs in NSS. The calls stack is shown below. The relevant code is the following code in PK11_GenerateKeyPair: crv = PK11_GETTAB(slot)->C_GenerateKeyPair(session_handle, &mechanism, pubTemplate,pubCount,privTemplate,privCount,&pubID,&privID); if (crv != CKR_OK) { if (restore) { PK11_RestoreROSession(slot,session_handle); } else PK11_ExitSlotMonitor(slot); PORT_SetError( PK11_MapError(crv) ); return NULL; } The variable crv contains the value 2, which is CKR_HOST_MEMORY. The stack is: PORT_SetError(int 0xffffe013) line 178 + 12 bytes PK11_GenerateKeyPair(PK11SlotInfoStr * 0x005313b0, unsigned long 0x00000020, void * 0x0012e81c, SECKEYPublicKeyStr * * 0x0012e848, int 0x00000000, int 0x00000000, void * 0x00000000) line 2086 + 21 bytes SECKEY_CreateDHPrivateKey(SECKEYDHParamsStr * 0x0012e81c, SECKEYPublicKeyStr * * 0x0012e848, void * 0x00000000) line 223 + 27 bytes sendDHClientKeyExchange(sslSocketStr * 0x00543d08, SECKEYPublicKeyStr * 0x005539a8) line 3310 + 15 bytes ssl3_SendClientKeyExchange(sslSocketStr * 0x00543d08) line 3851 + 13 bytes ssl3_HandleServerHelloDone(sslSocketStr * 0x00543d08) line 4737 + 9 bytes ssl3_HandleHandshakeMessage(sslSocketStr * 0x00543d08, unsigned char * 0x00548924, unsigned int 0x00000000) line 7213 + 9 bytes ssl3_HandleHandshake(sslSocketStr * 0x00543d08, sslBufferStr * 0x00543eb0) line 7300 + 25 bytes ssl3_HandleRecord(sslSocketStr * 0x00543d08, SSL3Ciphertext * 0x0012e9b8, sslBufferStr * 0x00543eb0) line 7564 + 13 bytes ssl3_GatherCompleteHandshake(sslSocketStr * 0x00543d08, int 0x00000000) line 203 + 22 bytes ssl_GatherRecord1stHandshake(sslSocketStr * 0x00543d08) line 1256 + 11 bytes ssl_Do1stHandshake(sslSocketStr * 0x00543d08) line 145 + 13 bytes ssl_SecureSend(sslSocketStr * 0x00543d08, const unsigned char * 0x0012eaa0, int 0x00000012, int 0x00000000) line 1024 + 9 bytes ssl_SecureWrite(sslSocketStr * 0x00543d08, const unsigned char * 0x0012eaa0, int 0x00000012) line 1058 + 19 bytes ssl_Write(PRFileDesc * 0x00543c98, const void * 0x0012eaa0, int 0x00000012) line 1262 + 21 bytes The next question is: why did the key gen functions return that error code?
In the previous comment, I asked why, when attempting to generate an ephemeral Diffie Hellman key pair, does NSC_GenerateKeyPair return CKR_HOST_MEMORY? The answer is as follows. The relevant stack is: pk11_Attribute2SSecItem(PLArenaPool * 0x00554f50, SECItemStr * 0x005546a4, PK11ObjectStr * 0x0055a9f0, unsigned long 0xd5a0db00) line 1225 pk11_mkPrivKey(PK11ObjectStr * 0x0055a9f0, unsigned long 0x00000002) line 1884 pk11_handlePrivateKeyObject(PK11SessionStr * 0x004db718, PK11ObjectStr * 0x0055a9f0, unsigned long 0x00000002) line 1242 + 13 bytes pk11_handleKeyObject(PK11SessionStr * 0x004db718, PK11ObjectStr * 0x0055a9f0) line 1502 + 17 bytes pk11_handleObject(PK11ObjectStr * 0x0055a9f0, PK11SessionStr * 0x004db718) line 1687 + 13 bytes NSC_GenerateKeyPair(unsigned long 0x00000001, CK_MECHANISM * 0x0012e6b8, CK_ATTRIBUTE * 0x0012e644, unsigned long 0x00000008, CK_ATTRIBUTE * 0x0012e770, unsigned long 0x00000007, unsigned long * 0x0012e5ac, unsigned long * 0x0012e754) line 3316 + 13 bytes PK11_GenerateKeyPair(PK11SlotInfoStr * 0x005313b0, unsigned long 0x00000020, void * 0x0012e81c, SECKEYPublicKeyStr * * 0x0012e848, int 0x00000000, int 0x00000001, void * 0x00000000) line 2079 + 55 bytes SECKEY_CreateDHPrivateKey(SECKEYDHParamsStr * 0x0012e81c, SECKEYPublicKeyStr * * 0x0012e848, void * 0x00000000) line 226 + 27 bytes sendDHClientKeyExchange(sslSocketStr * 0x00543d08, SECKEYPublicKeyStr * 0x005539a8) line 3310 + 15 bytes The DH key pair has been generated by blapi without error. Softoken is now trying to setup the private key object in the token. pk11_mkPrivKey calls pk11_Attribute2SSecItem(arena,&privKey->u.dh.publicValue, object,CKA_NETSCAPE_DB); which attempts to fetch the CKA_NETSCAPE_DB attribute from the private key object by calling pk11_FindAttribute. pk11_FindAttribute returns NULL, so pk11_Attribute2SSecItem returns CKR_TEMPLATE_INCOMPLETE to pk11_mkPrivKey. pk11_mkPrivKey returns NULL to pk11_handlePrivateKeyObject (we lose the crv value CKR_TEMPLATE_INCOMPLETE at this level). pk11_handlePrivateKeyObject sees the NULL, and sets the crv to CKR_HOST_MEMORY, which is wrong in this case. So, here are the remaining observations/comments about this NSS bug. 1. pk11_mkPrivKey should return both a key pointer and a CRV value, so that its caller doesn't have to guess at the real problem. 2. why does it fail to find the CKA_NETSCAPE_DB attribute? 3. DHE ciphersuites worked some time ago. Why/how did this regression occur? The fact that we haven't previously detected this regression is one cost of having a client-side only implementation of DHE. :-( I am turning this into an NSS bug. In the meantime, users should be able to disable the DHE ciphersuites using the new extended ciphersuite selection GUI in mozilla.
Component: Client Library → Libraries
Product: PSM → NSS
Target Milestone: --- → 3.7.1
Version: 2.4 → 3.7
Changed owner and QA contact.
Assignee: ssaux → wtc
QA Contact: junruh → bishakhabanerjee
One more comment. If pk11_handlePrivateKeyObject had returned CKR_TEMPLATE_INCOMPLETE, then it would have been mapped into SEC_ERROR_BAD_DATA, which SSL would have mapped into SEC_ERROR_KEYGEN_FAIL, which would have correctly described the problem. Raising to P1 due to the regression. The DHE ciphersuites were to be a major new feature. The fact that they're all failing is rather embarrasing.
Priority: P2 → P1
I reproduced this error with the following NSS command: tstclnt -c p -d /tmp/newdb -h www.arrl.org -vvv -f < stdin.txt > /dev/null where stdin.txt is a two line file. The first line is GET / HTTP/1.0 The second line is blank. Both lines are ended with CR LF.
Bob, could you take a look at this bug? Thanks.
Assignee: wtc → relyea
*** Bug 189017 has been marked as a duplicate of this bug. ***
This bug will be moved to NSS 3.7.2 when Bugzilla has a 3.7.2 target milestone for NSS.
Whiteboard: [3.7.2]
Target Milestone: 3.7.1 → 3.8
Whiteboard: [3.7.2]
Target Milestone: 3.8 → 3.7.2
*** Bug 190039 has been marked as a duplicate of this bug. ***
*** Bug 190925 has been marked as a duplicate of this bug. ***
Another example of a site with the problem https://www.pipni.cz/ (Apache 2.0.x + mod_ssl)
Flags: blocking1.3b?
Keywords: regression
*** Bug 181440 has been marked as a duplicate of this bug. ***
Blocks: 181440
Blocks: 190960
This bug should not block Mozilla 1.3b. All the DHE ciphersuites have been removed from the Mozilla client to work around this bug. We will add them back when we fix this bug.
Flags: blocking1.3b?
the essential part of this fix in pkcs11c.c where we add the CKA_NETSCAPE_DB attribute on Diffie-Hellman key gen. I don't know why the code would have even thought of working without this (unless we were testing with pregenerated keys). The rest of the fix is to surface more of the PKCS #11 error back up. There is a separate bug to continue tracking the issue of lost PKCS #11 errors.
*** Bug 189357 has been marked as a duplicate of this bug. ***
From bug 189357: These sites also display this problem: http://mail.copi.org/ https://www.nmrc.ie/ Does not seem to be a problem with WinXP: http://bugzilla.mozilla.org/show_bug.cgi?id=189357#c4
Just retested the original instructions on a WinXP machine running Trunk build 2003012804, and got error -8173. Also tried mail.copi.org and also got the error. This is a problem in WinXP.
Vipul Gupta of Sun submitted this patch.
The workaround we checked in (see bug 190640) did not make it into today's Mozilla trunk build. Please download the Mozilla trunk build tomorrow and verify the workaround again. Thanks. Please comment on the workaround in bug 190640.
It appears that the version I built from cvs (cvs update about 12h ago) fixes my problem [Re: comment #21, https:ww.nmrc.ie/].
No longer blocks: 181440
The above fixes plus wtc's review comments on these fixes have been checked into the NSS 3.7 BRANCH and the NSS tip.
Comment on attachment 112879 [details] [diff] [review] 1) Return proper error code in more cases. 2) Fix bug in DH KeyPair Generation. I've reviewed the checked-in version of this patch, in which Bob has addressed the issues I pointed out in my first code review. r=wtc. Bob, I noticed that you add this comment in three places in lib/softoken/pkcs11c.c: *crvp = CKR_DEVICE_ERROR; /* should map NSS SECError */ What do this comment mean? Is this a "to do" reminder? Nelson, I'd like you to review the following changes in this patch: >Index: pkcs11c.c >=================================================================== >RCS file: /cvsroot/mozilla/security/nss/lib/softoken/pkcs11c.c,v >retrieving revision 1.38.10.1 >diff -u -r1.38.10.1 pkcs11c.c >--- pkcs11c.c 13 Dec 2002 00:02:07 -0000 1.38.10.1 >+++ pkcs11c.c 28 Jan 2003 18:27:15 -0000 [...] >@@ -3311,6 +3308,7 @@ > pk11_DeleteAttributeType(privateKey,CKA_PRIME); > pk11_DeleteAttributeType(privateKey,CKA_BASE); > pk11_DeleteAttributeType(privateKey,CKA_VALUE); >+ pk11_DeleteAttributeType(privateKey,CKA_NETSCAPE_DB); > key_type = CKK_DH; > > /* extract the necessary parameters and copy them to private keys */ >@@ -3345,6 +3343,10 @@ > pk11_item_expand(&dhPriv->publicValue)); > if (crv != CKR_OK) goto dhgn_done; > >+ crv = pk11_AddAttributeType(privateKey,CKA_NETSCAPE_DB, >+ pk11_item_expand(&dhPriv->publicValue)); >+ if (crv != CKR_OK) goto dhgn_done; >+ > crv=pk11_AddAttributeType(privateKey, CKA_VALUE, > pk11_item_expand(&dhPriv->privateValue)); >
Attachment #112879 - Flags: superreview?(nelsonb)
Attachment #112879 - Flags: review+
Regarding the question about the meaning of the comment /* should map NSS SECError */ This comment refers to bug 190501, which is also targetted to be fixed in NSS 3.8. That bug reports that in many places in softoken, the wrong PKCS 11 error code is returned. The proper thing to do, in many cases, is to map the SEC_ERROR code to a PKCS 11 error code. Recently, more places have been added to softoken that fail to determine the proper error code. Bob has marked them with comments like that one. r=nbb for the portion of code shown above.
Nelson answered my question and reviewed the essential part of the patch. The patch has been checked in on the NSS TIP and NSS_3_7_BRANCH. Marked the bug fixed. Will request approval for checking in to mozilla 1.3.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Comment on attachment 112879 [details] [diff] [review] 1) Return proper error code in more cases. 2) Fix bug in DH KeyPair Generation. This patch has been reviewed by me and nelsonb (see comment 28). Requesting approval for mozilla 1.3.
Attachment #112879 - Flags: superreview?(nelsonb) → approval1.3?
Comment on attachment 112879 [details] [diff] [review] 1) Return proper error code in more cases. 2) Fix bug in DH KeyPair Generation. a=asa (on behalf of drivers) for checkin to 1.3.
Attachment #112879 - Flags: approval1.3? → approval1.3+
Fix checked into the NSS_CLIENT_TAG for mozilla 1.3.
Changed subject to reflect the problem
Summary: https connection attempt gets Error Code: -8173 → https gets Error Code: -8173 when DHE ciphers negotiated
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: