Closed Bug 1340841 Opened 8 years ago Closed 8 years ago

NSS is treating ticket_lifetime_hint as if it were milliseconds

Categories

(NSS :: Libraries, defect)

Product:
NSS
Component:
Libraries
Version:
3.29
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: ekr, Assigned: mt)

References

Details

Result of the fix in bug 1322187. This landed in 3.29, so affects FF 53 and FF 54, but not 52.
For clarity. S 4.6.1: ticket_lifetime Indicates the lifetime in seconds as a 32-bit unsigned integer in network byte order from the time of ticket issuance. Servers MUST NOT use any value more than 604800 seconds (7 days). The value of zero indicates that the ticket should be discarded immediately. Clients MUST NOT cache session tickets for longer than 7 days, regardless of the ticket_lifetime, and MAY delete the ticket earlier based on local policy. A server MAY treat a ticket as valid for a shorter period of time than what is stated in the ticket_lifetime. The confusion is that obfuscated_ticket_age is in ms, so when we fixed that, we broke ticket_lifetime, which is in seconds. Assuming I am correct, 3.28 had obfuscated_ticket_age wrong but the right timeout logic and 3.29 has obfuscated_ticket_age right but the wrong timeout logic. I think we can live with 3.28 being wrong about obfuscated_ticket_age, but we do need to fix the cache.
trunk: https://hg.mozilla.org/projects/nss/rev/16f9b6c70772563079ee310ffbab91c5bcf16980 3.29 branch: https://hg.mozilla.org/projects/nss/rev/7fcfb8306880ac0724502cbb2aa8827dc09db08a
Assignee: nobody → martin.thomson
Status: NEW → RESOLVED
Closed: 8 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.29
Version: 3.18 → 3.29
You need to log in before you can comment on or make changes to this bug.