Closed
Bug 1320708
Opened 9 years ago
Closed 8 years ago
strsclnt gets stuck during session resumption when using client certificates
Categories: (NSS :: Libraries, defect)
Tracking: (Not tracked), RESOLVED FIXED, Target Milestone 3.33
People: (Reporter: frantisek, Assigned: ueno)
Attachments (2 files):
904 bytes, patch | KaiE: review+
5.74 KB, patch | franziskus: review+
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0
Build ID: 20160729111717
Steps to reproduce:
# NSS_CIPHER="002F"
# OPENSSL_CIPHER="AES128-SHA"
# openssl req -out ca.pem -new -x509 -nodes -subj "/CN=CA"
# openssl genrsa -out server.key 2048
# openssl req -key server.key -new -out server.req -subj "/CN=localhost"
# echo 00 > serial.srl
# openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial serial.srl -out server.pem
# openssl genrsa -out client.key 2048 -nodes
# openssl req -key client.key -new -out client.req -subj "/CN=client"
# openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial serial.srl -out client.pem
# openssl pkcs12 -name client -export -inkey client.key -out client.p12 -in client.pem -passout "pass:"
# mkdir nssdb
# certutil -N --empty-password -d sql:./nssdb
# certutil -A -d sql:./nssdb/ -n ca -t 'cC,,' -a -i ca.pem
# pk12util -i client.p12 -d sql:./nssdb -W ''
# openssl s_server -www -key server.key -cert server.pem -CAfile ca.pem -cipher $OPENSSL_CIPHER -Verify 1 &
# sleep 2
# /usr/lib64/nss/unsupported-tools/strsclnt -p 4433 -d sql:./nssdb/ -c 100 -P 20 -n client -V tls1.0: -C :$NSS_CIPHER localhost
Actual results:
# /usr/lib64/nss/unsupported-tools/strsclnt -p 4433 -d sql:./nssdb/ -c 100 -P 20 -n client -V tls1.0: -C :$NSS_CIPHER localhost
strsclnt: -- SSL: Server Certificate Validated.
Expected results:
# /usr/lib64/nss/unsupported-tools/strsclnt -p 4433 -d sql:./nssdb/ -c 100 -P 20 -n client -V tls1.0: -C :$NSS_CIPHER localhost
strsclnt: -- SSL: Server Certificate Validated.
ACCEPT
strsclnt: 0 cache hits; 1 cache misses, 0 cache not reusable
0 stateless resumes
strsclnt: -- SSL: Server Certificate Validated.
ACCEPT
strsclnt: -- SSL: Server Certificate Validated.
ACCEPT
<...snip...>
ACCEPT
ACCEPT
strsclnt: 80 cache hits; 20 cache misses, 0 cache not reusable
0 stateless resumes
Comment 1 • 9 years ago (Reporter)
Missing description from the previous comment:
strsclnt gets stuck during session resumption (for both SessionTicket and sessionID) when using client certificates and when the server has enabled client certificate verification.
Updated • 8 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 2 • 8 years ago (Assignee)
It looks like --empty-password is triggering the problem. strsclnt checks the validity of the user's key/cert with PK11_IsLoggedIn and retries if it returns false. However, the tool doesn't check PK11_NeedLogin before calling PK11_IsLoggedIn.
It might also make sense to stop retrying if a certain number of failures are reported. Currently it loops forever.
Attachment #8900277 -
Flags: review?(kaie)
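The check that comment 2 describes, as an added example that is not part of the bug thread or of the attached patch: a self-contained C model of the retry logic with and without a "does this token need a login at all" test and a retry limit. `slot_model`, `model_need_login` and `model_is_logged_in` are hypothetical stand-ins for an NSS slot and for PK11_NeedLogin / PK11_IsLoggedIn, and the empty-password case (no login required, never logged in) is an assumption taken from that comment.

```c
#include <stdbool.h>
#include <stdio.h>

/* Stand-in for an NSS token slot (hypothetical model, not PK11SlotInfo). */
typedef struct {
    bool login_required; /* what PK11_NeedLogin would report (assumed) */
    bool logged_in;      /* what PK11_IsLoggedIn would report (assumed) */
} slot_model;

static bool model_need_login(const slot_model *s) { return s->login_required; }
static bool model_is_logged_in(const slot_model *s) { return s->logged_in; }

/* Behaviour described in comment 2: retry while "is logged in" is false.
 * Returns polls used, or -1 when demo_cap is hit (uncapped, it would spin). */
int poll_without_need_login(const slot_model *s, int demo_cap)
{
    for (int polls = 1; polls <= demo_cap; polls++) {
        if (model_is_logged_in(s))
            return polls;
    }
    return -1;
}

/* Both suggestions from comment 2: skip the login-state check when the token
 * needs no login, and give up after max_retries. Returns polls used or -1. */
int poll_with_need_login(const slot_model *s, int max_retries)
{
    if (!model_need_login(s))
        return 0; /* nothing to wait for: credentials are usable as-is */
    for (int polls = 1; polls <= max_retries; polls++) {
        if (model_is_logged_in(s))
            return polls;
    }
    return -1; /* bounded failure instead of an endless loop */
}

int main(void)
{
    /* Constructed cases: empty-password DB, logged-in token, locked token. */
    const slot_model empty_pw = { false, false };
    const slot_model unlocked = { true, true };
    const slot_model locked = { true, false };
    printf("empty-password, unchecked: %d\n", poll_without_need_login(&empty_pw, 1000));
    printf("empty-password, checked:   %d\n", poll_with_need_login(&empty_pw, 5));
    printf("unlocked, checked:         %d\n", poll_with_need_login(&unlocked, 5));
    printf("locked, checked:           %d\n", poll_with_need_login(&locked, 5));
    return 0;
}
```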
Updated • 8 years ago
Assignee: nobody → dueno
Comment 3 • 8 years ago
Comment on attachment 8900277
strsclnt-no-login.patch
Review of attachment 8900277:
-----------------------------------------------------------------
Can we get a test with this change?
Comment 4 • 8 years ago (Assignee)
(In reply to Franziskus Kiefer [:fkiefer or :franziskus] from comment #3)
> Can we get a test with this change?
Sure, I am attaching it. It basically runs a test from sslstress.txt against a database with empty password.
Attachment #8900723 -
Flags: review?(franziskuskiefer)
Comment 5 • 8 years ago
Comment on attachment 8900723
strsclnt-no-login-tests.patch
Review of attachment 8900723:
-----------------------------------------------------------------
The test looks good to me.
Attachment #8900723 -
Flags: review?(franziskuskiefer) → review+
Comment 6 • 8 years ago
Comment on attachment 8900277
strsclnt-no-login.patch
r=kaie
Attachment #8900277 -
Flags: review?(kaie) → review+
Comment 7 • 8 years ago
https://hg.mozilla.org/projects/nss/rev/37cc4e60403e
https://hg.mozilla.org/projects/nss/rev/b554de9d2bd5
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.33