Closed Bug 125263 Opened 23 years ago Closed 23 years ago

"Peer's Certificate Issuer is not recognized" errors on solaris

Categories

(NSS :: Libraries, defect, P1)

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: bugz, Assigned: bugz)

Details

When stressing selfserv with required client auth on the first handshake, the
error "Peer's certificate issuer is not recognized" appears about once per
10,000 connections.

This would appear to be a timing issue in the temp store code, which would store
all of the peer's cert chain but the root.  After reviewing the temp store code,
I found a likely suspect.

Opening bug to track issue, but have fix in hand I will check in, as it is
needed regardless.

/cvsroot/mozilla/security/nss/lib/pki/pkistore.c,v  <--  pkistore.c
new revision: 1.10; previous revision: 1.9

As the log notes, the searches involved here were not capturing the state of the
subject list within the store's lock, which could cause problems as noted on this bug.
Testing now.

Target Milestone: --- → 3.4

Did not fix bug, unless I messed up my build.  I did 100,000 sessions and saw
the error 6 times.

Priority: -- → P1

/cvsroot/mozilla/security/nss/lib/pki/pkistore.c,v  <--  pkistore.c
new revision: 1.11; previous revision: 1.10

This problem is rather intricate.  It is a timing issue that shows up when
destroying a temp cert.  There is a lengthy description in the comment block
above the fix.

Unfortunately, my connection went dead as I was testing the fix.  But I was able
to use PR_Sleep to hasten the problem, to the point where it happened within
1000 connections reliably.  The test was up to 15,000 with the fix.

Will mark fixed after more testing.

More testing done.  Marking fixed.

Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED