ssl.sh shouldn't restart selfserv for ECDH_RSA cipher suites

RESOLVED FIXED in 3.28

Status: RESOLVED FIXED (NSS :: Libraries)
Reported and last modified 2 years ago

People

(Reporter: ttaubert, Assigned: ttaubert)

Tracking: Firefox Tracking Flags (Not tracked)

Attachments: 1 attachment

Description (Assignee, 2 years ago)
When encountering an ECDH_RSA cipher suite, ssl.sh kills and restarts selfserv with the *-ecmixed certificate. We can remove this by converting selfserv to SSL_ConfigServerCert().
Comment 1 (Assignee, 2 years ago)
Created attachment 8790787 [details] [diff] [review]
0001-Bug-1302457-ssl.sh-shouldn-t-restart-selfserv-for-EC.patch

Here's a patch that allows passing multiple "-e ecnickname" arguments to selfserv, and they're then configured in order. That way we can first configure a cert for ssl_auth_ecdsa and ssl_auth_ecdh_rsa, and then another one that overrides the first slot but also configures ssl_auth_ecdh_ecdsa.

(It doesn't seem to make ssl.sh run faster or slower.)

https://treeherder.mozilla.org/#/jobs?repo=nss-try&revision=b223411dd04afef9cfdd0e1f96ab71142f261c47
Attachment #8790787 - Flags: review?(franziskuskiefer)
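The ordering described in comment 1 (a cert configured for ssl_auth_ecdsa and ssl_auth_ecdh_rsa, then a second cert that takes over the ssl_auth_ecdsa slot and adds ssl_auth_ecdh_ecdsa) is easy to get wrong when the "-e" option is made repeatable. The following is an added example, not NSS or selfserv code: it models the per-auth-type slot table that successive SSL_ConfigServerCert() calls fill, with the later cert winning any slot both certs serve. It does not link against NSS; the certificate "database", the nicknames "ecmixed" and "ec", and the rule that an EC key signed by an RSA issuer serves ECDH_RSA while an EC-signed one serves ECDH_ECDSA are constructed for the example.

```c
/* Model of the repeatable "-e" handling from comment 1. Added example, not
 * NSS or selfserv code: it emulates how successive SSL_ConfigServerCert()
 * calls fill per-auth-type server cert slots, a later certificate replacing
 * an earlier one for every slot they both serve. No NSS calls are made. */
#include <stdio.h>
#include <string.h>

/* Slots named after the SSLAuthType values mentioned in the comment. */
enum auth_type { AUTH_ECDSA, AUTH_ECDH_RSA, AUTH_ECDH_ECDSA, AUTH_COUNT };
enum key_type { KEY_RSA, KEY_EC };

/* Constructed stand-in for a certificate: nickname, subject key type and
 * issuer key type (the issuer decides ECDH_RSA versus ECDH_ECDSA). */
struct ec_cert {
    const char *nick;
    enum key_type key;
    enum key_type issuer_key;
};

/* Auth types an EC certificate can serve: ECDSA only needs an EC key, the
 * static-ECDH slot depends on which key type signed the certificate. */
static int cert_auth_types(const struct ec_cert *c, enum auth_type out[AUTH_COUNT])
{
    int n = 0;
    if (c->key != KEY_EC)
        return 0;
    out[n++] = AUTH_ECDSA;
    out[n++] = (c->issuer_key == KEY_RSA) ? AUTH_ECDH_RSA : AUTH_ECDH_ECDSA;
    return n;
}

/* Configure one certificate: every slot it serves now points at it, so a
 * cert configured later overrides an earlier one for the slots they share. */
static void configure_cert(const char *slots[AUTH_COUNT], const struct ec_cert *c)
{
    enum auth_type types[AUTH_COUNT];
    int n = cert_auth_types(c, types);
    for (int i = 0; i < n; i++)
        slots[types[i]] = c->nick;
}

static const struct ec_cert *find_cert(const struct ec_cert *db, int ndb, const char *nick)
{
    for (int i = 0; i < ndb; i++)
        if (strcmp(db[i].nick, nick) == 0)
            return &db[i];
    return NULL;
}

/* Walk argv and honour every "-e nick" in the order given. Returns the number
 * of certificates configured, or -1 on a missing argument or unknown nick. */
int configure_from_args(int argc, char **argv, const struct ec_cert *db, int ndb,
                        const char *slots[AUTH_COUNT])
{
    int configured = 0;
    for (int i = 0; i < AUTH_COUNT; i++)
        slots[i] = NULL;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "-e") != 0)
            continue;
        if (i + 1 >= argc)
            return -1;
        const struct ec_cert *c = find_cert(db, ndb, argv[++i]);
        if (c == NULL)
            return -1;
        configure_cert(slots, c);
        configured++;
    }
    return configured;
}

/* Constructed database standing in for the two certificates the comment
 * talks about: "ecmixed" is an EC cert signed by an RSA CA, "ec" is EC-signed. */
static const struct ec_cert test_db[] = {
    { "ecmixed", KEY_EC, KEY_RSA },
    { "ec", KEY_EC, KEY_EC },
};

/* Apply the ordering from comment 1 (or its reverse) and report who owns a slot. */
const char *demo_slot(enum auth_type slot, int reversed)
{
    char *forward[] = { "selfserv", "-e", "ecmixed", "-e", "ec" };
    char *backward[] = { "selfserv", "-e", "ec", "-e", "ecmixed" };
    const char *slots[AUTH_COUNT];
    char **argv = reversed ? backward : forward;
    if (configure_from_args(5, argv, test_db, 2, slots) != 2)
        return NULL;
    return slots[slot];
}

int main(void)
{
    static const char *names[AUTH_COUNT] = {
        "ssl_auth_ecdsa", "ssl_auth_ecdh_rsa", "ssl_auth_ecdh_ecdsa"
    };
    for (int t = 0; t < AUTH_COUNT; t++)
        printf("%-20s -> %s\n", names[t], demo_slot((enum auth_type)t, 0));
    return 0;
}
```

With "-e ecmixed -e ec" the ECDSA slot ends up owned by "ec" while ECDH_RSA stays with "ecmixed"; reversing the two options hands ECDSA back to "ecmixed". That order dependence is the reason ssl.sh previously had to restart selfserv with the *-ecmixed certificate, and the reason a repeatable "-e" must be applied strictly in argv order.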
Comment on attachment 8790787 [details] [diff] [review]
0001-Bug-1302457-ssl.sh-shouldn-t-restart-selfserv-for-EC.patch

Review of attachment 8790787 [details] [diff] [review]:
-----------------------------------------------------------------

::: cmd/selfserv/selfserv.c
@@ -1328,5 @@
>      }
>  
> -    for (kea = kt_rsa; kea < kt_kea_size; kea++) {
> -        if (certStatus[kea] != NULL) {
> -            SSL_SetStapledOCSPResponses(ssl_sock, certStatus[kea], kea);
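Review bot: the removed loop ending in `SSL_SetStapledOCSPResponses(ssl_sock, certStatus[kea], kea)` is the only place in this hunk that hands stapled OCSP responses to the socket, and nothing in the hunk replaces it. If stapling is meant to survive the move to SSL_ConfigServerCert(), the responses need to be passed in the per-cert extra data when each cert is configured; if it is intentionally dropped from selfserv, say so in the commit message, since the ocspStaplingMode option otherwise silently becomes a no-op.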

so no stapled ocsp responses anymore?

@@ +2571,1 @@
>          fprintf(stderr, "Required arg '-n' (rsa nickname) not supplied.\n");

do we still require rsa nickname (only) here?

@@ +2780,5 @@
>              exit(11);
>          }
>          if (testbypass) {
>              PRBool bypassOK;
> +            if (SSL_CanBypass(cert[i], privKey[i], protos, cipherlist,
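Review bot: porting the testbypass branch to `SSL_CanBypass(cert[i], privKey[i], ...)` adds an indexing assumption for little benefit: it presumes `cert[i]` and `privKey[i]` are populated in parallel for every i the loop visits, so a slot with a cert but no loaded key would hand NULL to SSL_CanBypass. Rather than adapting this self-test to the new per-index layout, consider dropping the `if (testbypass)` block; if it stays, skip slots where `privKey[i]` is NULL before the call.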

since this won't land in 3.27 you can drop the bypass things

@@ -2815,5 @@
> -        }
> -        setupCertStatus(certStatusArena, ocspStaplingMode, cert[ssl_kea_dh], ssl_kea_dh,
> -                        &pwdata);
> -    }
> -#ifndef NSS_DISABLE_ECC
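Review bot: the removed `-#ifndef NSS_DISABLE_ECC` on the last line of this hunk opens a conditional whose matching `#endif` lies outside the hunk; either that `#endif` goes in the same patch or the file stops preprocessing, and if the ECC configuration that follows now compiles unconditionally, selfserv should still behave sensibly (or fail with a clear message) when built with NSS_DISABLE_ECC. Separately, dropping `setupCertStatus(certStatusArena, ocspStaplingMode, cert[ssl_kea_dh], ssl_kea_dh, &pwdata)` removes the stapled status for the DH certificate; if stapling is kept, it has to be supplied through the new configuration path as well.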

should we check again here that ecc is enabled?
Attachment #8790787 - Flags: review?(franziskuskiefer)
Comment 4 (Assignee, 2 years ago)
https://hg.mozilla.org/projects/nss/rev/de4860036105
Status: ASSIGNED → RESOLVED
Last Resolved: 2 years ago
Resolution: --- → FIXED
Updated (Assignee, 2 years ago)
Target Milestone: --- → 3.28