Closed
Bug 1320708
Opened 8 years ago
Closed 7 years ago
strsclnt gets stuck during session resumption when using client certificates
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
3.33
People
(Reporter: frantisek, Assigned: ueno)
Details
Attachments
(2 files)
904 bytes,
patch
|
KaiE
:
review+
|
Details | Diff | Splinter Review |
5.74 KB,
patch
|
franziskus
:
review+
|
Details | Diff | Splinter Review |
User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:48.0) Gecko/20100101 Firefox/48.0 Build ID: 20160729111717 Steps to reproduce: # NSS_CIPHER="002F" # OPENSSL_CIPHER="AES128-SHA" # openssl req -out ca.pem -new -x509 -nodes -subj "/CN=CA" # openssl genrsa -out server.key 2048 # openssl req -key server.key -new -out server.req -subj "/CN=localhost" # echo 00 > serial.srl # openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial serial.srl -out server.pem # openssl genrsa -out client.key 2048 -nodes # openssl req -key client.key -new -out client.req -subj "/CN=client" # openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial serial.srl -out client.pem # openssl pkcs12 -name client -export -inkey client.key -out client.p12 -in client.pem -passout "pass:" # mkdir nssdb # certutil -N --empty-password -d sql:./nssdb # certutil -A -d sql:./nssdb/ -n ca -t 'cC,,' -a -i ca.pem # pk12util -i client.p12 -d sql:./nssdb -W '' # openssl s_server -www -key server.key -cert server.pem -CAfile ca.pem -cipher $OPENSSL_CIPHER -Verify 1 & # sleep 2 # /usr/lib64/nss/unsupported-tools/strsclnt -p 4433 -d sql:./nssdb/ -c 100 -P 20 -n client -V tls1.0: -C :$NSS_CIPHER localhost Actual results: # /usr/lib64/nss/unsupported-tools/strsclnt -p 4433 -d sql:./nssdb/ -c 100 -P 20 -n client -V tls1.0: -C :$NSS_CIPHER localhost strsclnt: -- SSL: Server Certificate Validated. Expected results: # /usr/lib64/nss/unsupported-tools/strsclnt -p 4433 -d sql:./nssdb/ -c 100 -P 20 -n client -V tls1.0: -C :$NSS_CIPHER localhost strsclnt: -- SSL: Server Certificate Validated. ACCEPT strsclnt: 0 cache hits; 1 cache misses, 0 cache not reusable 0 stateless resumes strsclnt: -- SSL: Server Certificate Validated. ACCEPT strsclnt: -- SSL: Server Certificate Validated. ACCEPT <...snip...> ACCEPT ACCEPT strsclnt: 80 cache hits; 20 cache misses, 0 cache not reusable 0 stateless resumes
Reporter | ||
Comment 1•8 years ago
|
||
Missing description from the previous comment: strsclnt gets stuck during session resumption (for both SessionTicket and sessionID) when using client certificates and when the server has enabled client certificate verification.
Updated•7 years ago
|
Status: UNCONFIRMED → NEW
Ever confirmed: true
Assignee | ||
Comment 2•7 years ago
|
||
It looks like --empty-password is triggering the problem. strsclnt checks the validity of user's key/cert with PK11_IsLoggedIn and retries if it returns false. However, the tool doesn't check PK11_NeedLogin before calling PK11_IsLoggedIn. It might also make sense to stop retrying if the certain number of failures are reported. Currently it loops forever.
Attachment #8900277 -
Flags: review?(kaie)
Updated•7 years ago
|
Assignee: nobody → dueno
Comment 3•7 years ago
|
||
Comment on attachment 8900277 [details] [diff] [review] strsclnt-no-login.patch Review of attachment 8900277 [details] [diff] [review]: ----------------------------------------------------------------- Can we get a test with this change?
Assignee | ||
Comment 4•7 years ago
|
||
(In reply to Franziskus Kiefer [:fkiefer or :franziskus] from comment #3) > Can we get a test with this change? Sure, I am attaching it. It basically runs a test from sslstress.txt against a database with empty password.
Attachment #8900723 -
Flags: review?(franziskuskiefer)
Comment 5•7 years ago
|
||
Comment on attachment 8900723 [details] [diff] [review] strsclnt-no-login-tests.patch Review of attachment 8900723 [details] [diff] [review]: ----------------------------------------------------------------- The test looks good to me.
Attachment #8900723 -
Flags: review?(franziskuskiefer) → review+
Comment 6•7 years ago
|
||
Comment on attachment 8900277 [details] [diff] [review] strsclnt-no-login.patch r=kaie
Attachment #8900277 -
Flags: review?(kaie) → review+
Comment 7•7 years ago
|
||
https://hg.mozilla.org/projects/nss/rev/37cc4e60403e https://hg.mozilla.org/projects/nss/rev/b554de9d2bd5
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.33
You need to log in
before you can comment on or make changes to this bug.
Description
•