Closed
Bug 1311213
Opened 8 years ago
Closed 8 years ago
Assertion failure: ss->sec.peerCert, at ../../lib/ssl/tls13con.c:2082 when enabling resume bogo tests
Categories
(NSS :: Libraries, defect)
NSS
Libraries
Tracking
(Not tracked)
RESOLVED
FIXED
3.28
People
(Reporter: jld, Assigned: ttaubert)
References
Details
Attachments
(1 file)
|
2.44 KB,
patch
|
Details | Diff | Splinter Review |
With the attached patch to make the BoGo test -resume-count option work (formerly -resume, but this changed a few months ago in upstream BoringSSL), I get "Assertion failure: ss->sec.peerCert, at ../../lib/ssl/tls13con.c:2082" on these tests:
FAILED (TLS13-AEAD-CHACHA20-POLY1305-client)
FAILED (TLS13-AEAD-AES128-GCM-SHA256-client)
FAILED (Resume-Client-TLS13-TLS13)
FAILED (Resume-Client-CipherMismatch-TLS13)
FAILED (TLS13-SendUnknownModeSessionTicket-Client)
FAILED (TLS13-1RTT-Client-Sync)
FAILED (TLS13-HelloRetryRequest-Client-Sync)
FAILED (TLS13-1RTT-Client-Sync-SplitHandshakeRecords)
FAILED (TLS13-HelloRetryRequest-Client-Sync-SplitHandshakeRecords)
FAILED (TLS13-1RTT-Client-Sync-PackHandshakeFlight)
FAILED (TLS13-HelloRetryRequest-Client-Sync-PackHandshakeFlight)
I don't know what the security implicatiions of this are, so I'm marking this bug security-sensitive to be safe.
|
||
Updated•8 years ago
|
Assignee: nobody → jld
|
||
Comment 2•8 years ago
|
||
Please leave this security sensitive until we have finished evaluating.
Group: crypto-core-security
|
|
||
Comment 3•8 years ago
|
||
Looks like we are losing the peerCert when we get multiple tickets. I will fix.
|
|
||
Comment 4•8 years ago
|
||
Actually, this looks like it might be a bit complicated. I can fix peerCert specifically, but there's other stuff floating around. I'm starting to think that it was a mistake to delete and remake the sessionID rather than patching the existing one. Not sure how complicated either of these is going to be.
A simple fix would be to just ignore repeated NST messages
ni-ing ttaubert for thoughts.
Flags: needinfo?(ttaubert)
|
Assignee | |
Comment 5•8 years ago
|
||
Here's another possible solution:
https://nss-dev.phacility.com/D108
We can simply update the ticket store in a cached SID, instead of freeing the SID and recreating it. That passes {A,UB,L}San tests, BoGo, and ssl_gtests.
Flags: needinfo?(ttaubert)
|
|
Assignee | |
Comment 6•8 years ago
|
||
|
|
Assignee | |
Comment 7•8 years ago
|
||
|
|
Assignee | |
Comment 8•8 years ago
|
||
Assignee: jld → ttaubert
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.28
|
||
Updated•8 years ago
|
Group: crypto-core-security → core-security-release
|
|
||
Updated•6 years ago
|
Group: core-security-release
You need to log in
before you can comment on or make changes to this bug.
Description
•