Closed
Bug 106526
Opened 23 years ago
Closed 23 years ago
N620 Problems with SSL with FIPS enabled. [@ PK11_DestroyContext]
Categories
(NSS :: Libraries, defect, P1)
Tracking
(Not tracked)
VERIFIED
FIXED
3.3.2
People
(Reporter: junruh, Assigned: KaiE)
References
()
Details
(Keywords: crash, topcrash)
Crash Data
Attachments
(1 file)
10/22 Final 6.2 branch build. 1.) Edit>Prefs>Security>Certs>Manage Devices. 2.) Enable FIPS, click OK and OK. 3.) Use the above test page. What happens: Linux and Win2000: Crash when visiting SSL2-only site. Other sites are OK. Mac OSX and Win98: Crash when visiting SSL2-only site. SSL3-only gives -SSL error -12204. Other sites like https://www.verisign.com it cannot reach. On http://cyclone, search for junruh@netscape.com for stack trace.
Updated•23 years ago
|
Assignee: ssaux → kaie
Priority: -- → P1
Target Milestone: --- → 2.2
Comment 1•23 years ago
|
||
P1 ->Kai cc relyea, nelsonb
Comment 2•23 years ago
|
||
John, I enabled FIPS and was able to visit aka, https://www.verisign.com. This is using a special build off the 0.9.4 branch (close to the tip). Using win2000
Comment 3•23 years ago
|
||
Sigh. PSM clearly needs to to a better job of reporting error strings instead of error numbers for NSS and SSL errors. Error -12204 is SSL_ERROR_TOKEN_SLOT_NOT_FOUND. The English string for this error code is "No PKCS#11 token could be found to do a required operation." Remember that when FIPS is enabled, the software token can ONLY do FIPS algorithms. It cannot do non-FIPS algorithms, such as RC4 or MD5. So, if one visits a web site that can only do SSL ciphersuites that use non-FIPS algorithms, one would expect failure. If the SSL protocol negotiated a non-FIPS ciphersuite between client and server, then it would fail at the point that it attempted to use a non-FIPS algorithm. When the only tokens available are FIPS tokens, then the SSL code should disable all the non-FIPS ciphersuites. It is possible that the logic to do that disabling is not working correctly. And, a crash is never appropriate. Since SSL2 has NO FIPS ciphersuites, SSL2 should be disabled when in FIPS mode.
Comment 4•23 years ago
|
||
1) SSL2 is not supported in FIPs mode. It should not crash, however. I looks like the problem is in ssl3_CreateSessionCypher() in sslcon.c. If we don't set up the connection, the routine will free the session contexts, but not null out the destructor. When we later try to free the sslSecurityInfo, we see we have the destructor set and think we need to free the contexts, but we can't. I've included an untested patch which should cause the crash to go away. 2) One of the things FIPs mode was supposed to do is turn on the FIPs only ciphers and turn off everything else. If that is true, many sites will not be available, but this should be consistant on all platforms, so the SSL3 issue still needs to be investigated (the included patch will not help).
Comment 5•23 years ago
|
||
Comment 6•23 years ago
|
||
stack trace: PK11_DestroyContext() ssl_DestroySecurityInfo() ssl_FreeSocket() ssl_DefClose() ssl_SecureClose() SSL_ImportFD() nsSSLIOLayerClose [d:\builds\seamonkey\mozilla\security\manager\ssl\src\nsNSSIOLayer.cpp, line 571] PR_Close [../../../../pr/src/io/priometh.c, line 132] talkback numbers: 37132951 37132934 37131521 37131308 37131226 37131096 37130737
Assignee | ||
Comment 7•23 years ago
|
||
Bob's patch prevents the crash.
Reporter | ||
Comment 9•23 years ago
|
||
This bug could have existed for a long time. You need a profile without a master password setup, and you need to encounter that rare server that is running SSL2 only. I'll add this to the FIPS test plan. After discovering that one Win98 profile COULD reach SSL sites with FIPS enabled, I found that the difference between the two profiles is that one had a master password setup, and the failing profile did not. Mac OSX and Win98 (and all other platforms) can now reach most normal SSL sites. The trick is to first setup a master password. So the workaround for FIPS users, that should be release noted, is to: 1.) Disable SSL2 to prevent a crash. 2.) Setup a master password.
Comment 10•23 years ago
|
||
The code that caused the problem is fairly old. I would not be surprised if you could get Comm 4.7 to crash under similar conditions. FIPs mode users usually have SSL2 turned off, so it's not surprising the bug has not surfaced. bob
Assignee | ||
Comment 11•23 years ago
|
||
We have created PSM bug 106587 for the "force master password set" issue. We have created PSM bug 106604 to disabled SSL2 ciphers. I'm changing the component of this bug to NSS. Will you land it on the NSS client branch?
Assignee | ||
Updated•23 years ago
|
Component: Client Library → Libraries
Product: PSM → NSS
Target Milestone: 2.2 → 3.3.2
Version: 2.1 → 3.3.1
Keywords: crash
Summary: Problems with SSL with FIPS enabled. → Problems with SSL with FIPS enabled. [@ PK11_DestroyContext]
Comment 12•23 years ago
|
||
Adding the signature to the summary and KW: crash to help talkback
Comment 13•23 years ago
|
||
Updating the summary and cc'ing talkback.
Keywords: topcrash
Summary: Problems with SSL with FIPS enabled. [@ PK11_DestroyContext] → N620 Problems with SSL with FIPS enabled. [@ PK11_DestroyContext]
Comment 14•23 years ago
|
||
No, We don't mess with the client branches. We can land it into any standard NSS branch, though I only intend to land it in the NSS tip for NSS 3.4. bob
Assignee | ||
Comment 15•23 years ago
|
||
Ok, unless you object, I can check it in to NSS_3_3_BRANCH and update the NSS_CLIENT_TAG.
Assignee | ||
Comment 16•23 years ago
|
||
Patch checked in to NSS_3_3_BRANCH, now visible to Mozilla.
Comment 17•23 years ago
|
||
Kai, if the fix for this bug has been checked in, could you mark it fixed? I assume you also checked in the fix on the tip of NSS?
Assignee | ||
Comment 18•23 years ago
|
||
I have not checked it in, but the change is already in the trunk, I guess Bob did it. Marking this fixed.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Comment 20•23 years ago
|
||
Where exactly was this fixed? I still see crashes with the official Netscape 6.20 release...so I'm guessing the fix didn't make it into the final release bits, right?
Assignee | ||
Comment 21•23 years ago
|
||
The bug was discovered after 6.2 final was shipped. The fix is in the tip of NSS and also in the NSS version used by the tip of Mozilla.
Reporter | ||
Comment 22•23 years ago
|
||
The workaround is release noted. 1.) Disable SSL2 to prevent a crash. 2.) Setup a master password.
Comment 23•23 years ago
|
||
removing item for this fixed bug from mozilla 0.9.6 release notes.
Updated•13 years ago
|
Crash Signature: [@ PK11_DestroyContext]
You need to log in
before you can comment on or make changes to this bug.
Description
•