server client auth tests fail with SEC_ERROR_UNTRUSTED_ISSUER

RESOLVED FIXED in 3.4

Status

NSS
Libraries
P1
normal
RESOLVED FIXED
17 years ago
17 years ago

People

(Reporter: Julien Pierre, Assigned: Ian McGreer)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

17 years ago
The web server test suite includes many client auth tests, with valid and
invalid certs, expired, unexpired, etc. The server's certificate database
contains a CA cert which is marked as trusted.

Using the monday 1/14/2002 build of NSS, all the client auth tests (as well as
the rest of the server test suite) pass.
Using 1/16/2002, it no longer passes. The server log contains many 
SEC_ERROR_UNTRUSTED_ISSUER errors. The certificate database file used is the
exact same, but the error only occurs with the 1/16 version of NSS. This is a
regression in our code.
(Reporter)

Updated

17 years ago
Priority: -- → P1

Comment 1

17 years ago
Ian, could you take a look at this?  Thanks.
Assignee: wtc → ian.mcgreer
Whiteboard: Add new test
Target Milestone: --- → 3.4
(Assignee)

Comment 2

17 years ago
Everything has been hosed since Monday, when the changes to the DER encoder went
in.  I believe everything is fixed now.  Please try the 1/17/01 builds.
(Assignee)

Comment 3

17 years ago
Would it be possible for you to package up both the client's and server's
databases and send them to me (along with the passwords)?

The extended SSL tests should reproduce this situation.  That is, they test the
ability for a client to do client auth to a server, where the server has the
client's CA trusted (and vice-versa).  The chains for the client and server
certs have a path length of 3.  Since those tests pass, I'm not sure how to
reproduce this.

Comment 4

17 years ago
Ian, today's build passed the web server's test suite.

Updated

17 years ago
Whiteboard: Add new test
(Assignee)

Comment 5

17 years ago
marking fixed then
Status: NEW → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.