Closed Bug 1302457 Opened 8 years ago Closed 8 years ago

ssl.sh shouldn't restart selfserv for ECDH_RSA cipher suites

Categories

(NSS :: Libraries, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: ttaubert, Assigned: ttaubert)

Details

Attachments

(1 file)

When encountering an ECDH_RSA cipher suite, ssl.sh kills and restarts selfserv with the *-ecmixed certificate. We can remove this by converting selfserv to SSL_ConfigServerCert().
Here's a patch that allows passing multiple "-e ecnickname" arguments to selfserv, and they're then configured in order. That way we can first configure a cert for ssl_auth_ecdsa and ssl_auth_ecdh_rsa, and then another one that overrides the first slot but also configures ssl_auth_ecdh_ecdsa. (It doesn't seem to make ssl.sh run faster or slower.) https://treeherder.mozilla.org/#/jobs?repo=nss-try&revision=b223411dd04afef9cfdd0e1f96ab71142f261c47
Attachment #8790787 - Flags: review?(franziskuskiefer)
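The order-dependent slot behaviour described above, modelled in a small stand-alone C program. This is an added example, not NSS or selfserv code: it assumes one certificate slot per auth type and that an EC certificate covers ssl_auth_ecdsa plus either ssl_auth_ecdh_rsa or ssl_auth_ecdh_ecdsa depending on who signed it; the nicknames "ecmixed" and "ec" are constructed.

```c
#include <stdio.h>
#include <string.h>

/* Model of selfserv's per-auth-type certificate slots (added example for this
 * bug; not NSS code). Only the three EC-related slots are modelled. */
typedef enum { AUTH_ECDSA, AUTH_ECDH_RSA, AUTH_ECDH_ECDSA, AUTH_SIZE } auth_type;
typedef enum { KEY_RSA, KEY_EC } key_type;

typedef struct {
    const char *nickname;
    key_type key;        /* type of the subject public key */
    key_type issuer_sig; /* algorithm the issuer used to sign the cert */
} cert;

/* Slot table: index is the auth type, value is the configured cert or NULL. */
static const cert *slots[AUTH_SIZE];

/* Assumed rule, as the bug description implies: an EC cert always serves
 * ssl_auth_ecdsa and additionally ecdh_rsa or ecdh_ecdsa depending on the
 * issuer signature. Configuring a cert overwrites only the slots it covers,
 * so the order of "-e" arguments decides what ends up in the shared slot. */
static int config_server_cert(const cert *c) {
    if (c->key != KEY_EC) return -1; /* the model only handles "-e" certs */
    slots[AUTH_ECDSA] = c;
    slots[c->issuer_sig == KEY_RSA ? AUTH_ECDH_RSA : AUTH_ECDH_ECDSA] = c;
    return 0;
}

static const char *slot_nick(auth_type t) {
    return slots[t] ? slots[t]->nickname : "(none)";
}

/* Constructed sample certs standing in for the ssl.sh fixtures. */
static const cert ecmixed = { "ecmixed", KEY_EC, KEY_RSA }; /* EC key, RSA-signed */
static const cert ec      = { "ec",      KEY_EC, KEY_EC  }; /* EC key, EC-signed */

/* Configures in the order "-e ecmixed -e ec" and returns how many slots are
 * populated afterwards; the second call overrides ssl_auth_ecdsa but leaves
 * ssl_auth_ecdh_rsa pointing at the first cert. */
static int configure_like_ssl_sh(void) {
    int n = 0, i;
    memset(slots, 0, sizeof slots);
    config_server_cert(&ecmixed);
    config_server_cert(&ec);
    for (i = 0; i < AUTH_SIZE; i++) n += slots[i] != NULL;
    printf("ecdsa=%s ecdh_rsa=%s ecdh_ecdsa=%s\n", slot_nick(AUTH_ECDSA),
           slot_nick(AUTH_ECDH_RSA), slot_nick(AUTH_ECDH_ECDSA));
    return n;
}
```

Reversing the two calls would leave ssl_auth_ecdsa pointing at "ecmixed" instead, which is why the patch configures the certificates in this order.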
Comment on attachment 8790787 [details] [diff] [review] 0001-Bug-1302457-ssl.sh-shouldn-t-restart-selfserv-for-EC.patch Review of attachment 8790787 [details] [diff] [review]: ----------------------------------------------------------------- ::: cmd/selfserv/selfserv.c @@ -1328,5 @@ > } > > - for (kea = kt_rsa; kea < kt_kea_size; kea++) { > - if (certStatus[kea] != NULL) { > - SSL_SetStapledOCSPResponses(ssl_sock, certStatus[kea], kea); so no stapled ocsp responses anymore? @@ +2571,1 @@ > fprintf(stderr, "Required arg '-n' (rsa nickname) not supplied.\n"); do we still require rsa nickname (only) here? @@ +2780,5 @@ > exit(11); > } > if (testbypass) { > PRBool bypassOK; > + if (SSL_CanBypass(cert[i], privKey[i], protos, cipherlist, since this won't land in 3.27 you can drop the bypass things @@ -2815,5 @@ > - } > - setupCertStatus(certStatusArena, ocspStaplingMode, cert[ssl_kea_dh], ssl_kea_dh, > - &pwdata); > - } > -#ifndef NSS_DISABLE_ECC should we check again here that ecc is enabled?
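Review bot: In the @@ -1328,5 @@ hunk the loop that attached stapled OCSP responses per key-exchange type (the `SSL_SetStapledOCSPResponses(ssl_sock, certStatus[kea], kea)` call) is deleted with no replacement visible. If the stapled response now travels with the certificate through SSL_ConfigServerCert, that call should appear in the patch or be named in the commit message; otherwise the ocspStaplingMode paths in selfserv silently stop stapling and the stapling tests lose coverage.

Review bot: In the @@ +2571,1 @@ hunk the surviving check still prints "Required arg '-n' (rsa nickname) not supplied." Now that several "-e" nicknames can be configured, decide whether an RSA certificate is still mandatory; if it is, document that, and if it is not, the check should accept an EC-only configuration and the message should describe what is actually required.

Review bot: In the @@ +2780,5 @@ hunk the `if (testbypass)` branch is adapted to the indexed `cert[i]` and `privKey[i]` arrays rather than removed. Since the bypass code is slated to go before this lands, deleting the whole block here avoids carrying dead code through the new per-certificate loop.

Review bot: In the @@ -2815,5 @@ hunk the `#ifndef NSS_DISABLE_ECC` guard is removed together with the `setupCertStatus(..., cert[ssl_kea_dh], ssl_kea_dh, ...)` call. If EC-specific code still follows this point it is now compiled unconditionally, so either reinstate the guard around the new "-e" handling or confirm that a build with ECC disabled still compiles; the dropped setupCertStatus call also removes certificate-status setup for the DH slot, which ties back to the stapling question on the first hunk.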
Attachment #8790787 - Flags: review?(franziskuskiefer)
Status: ASSIGNED → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.28