Open Bug 340762 Opened 18 years ago Updated 1 year ago

vfyserv should be able to capture certs to database; and do OCSP

Categories

(NSS :: Tools, enhancement, P2)

Product:
NSS
Component:
Tools
Version:
3.11.1
Type:
enhancement

Tracking

(Not tracked)

People

(Reporter: julien.pierre, Unassigned)

Details

Attachments

(1 file, 1 obsolete file)

Call SSL_ClearSessionCache
10.78 KB, patch
Details | Diff | Splinter Review 
vfyserv is a program used to verify a server's chain.
Sometimes, it can be useful to save the server certs to a database for further examination with certutil for example .
This option could also be useful in the field in private network environment if we need to obtain a cert chain .
So, I propose to add a new option to vfyserv to save the certs to the cert DB.

I also propose to add an option to enable vfyserv to run OCSP checks.
Or, if not to the cert DB, at least spit them out to files, like ssltap does.
Right now, the only semi-convenient way to capture the server's certs is to
use ssltap.
I ran into a problem with my patch trying to import the cert in vfyserv. I extracted the server cert from the socket using SSL_PeerCertificate (the rest of the cert chain will be next).
Then, I used PK11_ImportCert to import the cert permanently. This worked, but unfortunately, at NSS_Shutdown time, I get an assertion about the secmod_privateModuleCount. Ie. we have a slot leak.

This leak seems to only happen if the cert was first a temp cert, and then gets imported to the DB . I will try to save the DER of the cert, and import it after the SSL socket has been closed and the temp cert destroyed, to see if the problem goes away. But either way, there is a bug in our cert code. I spent some time debugging yesterday, and it appears to be Stan-related.
Assignee: nobody → julien.pierre.bugs
Severity: normal → enhancement
Priority: -- → P2
Version: unspecified → 3.11.1
Attached patch work in progress (obsolete) — Splinter Review 
Not for review yet.
Adds -O option for OCSP and -S option to save certs.
Run this with a secmod database that has the roots added, on a debug build, and NSS_STRICT_SHUTDOWN set to 1 (I have it in my .cshrc) :

[jp96085@monstre]/export/home/nss/tip/mozilla/dist/SunOS5.10_i86pc_DBG.OBJ/bin 424 % ./vfyserv -d . -S us.etrade.com
Connecting to host us.etrade.com (addr 12.153.224.21) on port 443
Handshake Complete: SERVER CONFIGURED CORRECTLY
   bulk cipher RC4, 128 secret key bits, 128 key bits, status: 1
   subject DN:
 CN=us.etrade.com,OU=Terms of use at www.verisign.com/rpa (c)00,OU=Global Information Security,O=E-Trade Group Inc.,L=Alpharetta,ST=Georgia,C=US
   issuer  DN:
 OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU="VeriSign, Inc.",O=VeriSign Trust Network
   0 cache hits; 0 cache misses, 0 cache not reusable
***** Connection 1 read 339 bytes total.
Assertion failure: secmod_PrivateModuleCount == 0, at pk11util.c:120
Abort (core dumped)

The cert gets properly added, but there is a reference leak. The reference leak goes away if I don't call PK11_ImportCert to import the cert to the DB.
It looks like there is a pre-existing leak of a CERTCertificate in vfyserv.
But the cert was a temp cert before my patch added PK11_ImportCert, and its slot was NULL. So, the leak of the cert did not result in a leak of a slot reference. I am looking into this leak now.

The "leak" was actually a reference held in the SSL client session cache.
Clearing that cache prior to shutdown is expected to solve the problem.
Indeed, adding a call to SSL_ClearSessionCache caused the cert to be freed, and thus its slot reference as well.
This patch is still not for review, however.
Attachment #224956 - Attachment is obsolete: true
Target Milestone: --- → 3.12
Alexei, I think this bug overlaps (and may duplicate) a bug on which you've
recently worked.  If this bug duplicates one you're working on, please mark
this bug as a dupliate of yours.  
Please see if Julien's patch (attachment 233314 [details] [diff] [review]) is needed and add it to your bug/patch if necessary.
Assignee: bugzilla → alexei.volkov.bugs
Unsetting target milestone in unresolved bugs whose targets have passed.
Target Milestone: 3.12 → ---

The bug assignee is inactive on Bugzilla, and this bug has priority 'P2'.
:beurdouche, could you have a look please?

For more information, please visit auto_nag documentation.

Assignee: alvolkov.bgs → nobody
Flags: needinfo?(bbeurdouche)
Severity: normal → S3

We have modified the bot to only consider P1 as high priority, so I'm cancelling the needinfo here.

Flags: needinfo?(bbeurdouche)
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: