Open Bug 1350950 Opened 8 years ago Updated 3 years ago

Sending of CERTIFICATE REQUEST messages does not correspond to manual

Categories

(NSS :: Test, defect, P3)

Tracking

(Not tracked)

People

(Reporter: frantisek, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Fedora; Linux x86_64; rv:51.0) Gecko/20100101 Firefox/51.0
Build ID: 20170126153103

Actual results:

selfserv's behavior of requesting client certificates does not correspond to manual:

# selfserv -h
...
-r flag is interepreted as follows:
    1 -r means request, not require, cert on initial handshake.
    2 -r's mean request and require, cert on initial handshake.
    3 -r's mean request, not require, cert on second handshake.
    4 -r's mean request and require, cert on second handshake.
...

When -r or -rr is set, to request (and require) client certificate on initial handshake, the CERTIFICATE REQUEST message is sent on both handshakes:

# /usr/lib64/nss/unsupported-tools/selfserv -d sql:./nssdb/ -p 4433 -V tls1.0: -rr -H 1 -c :C02F -n rsa-server
# gnutls-cli --rehandshake --x509cafile <(cat $(x509Cert ca) ${C_SUBCA[$idx]}) --x509keyfile rsa-client/key.pem --x509certfile rsa-client/cert.pem --port 4433 -d 500 localhost
...
## Epoch #1
|<3>| ASSERT: gnutls_buffers.c:1138
|<4>| HSK[0xb25820]: CERTIFICATE (11) was received. Length 2453[2857], frag offset 0, frag length: 2453, sequence: 0
|<3>| ASSERT: gnutls_buffers.c:1375
...
|<4>| HSK[0xb25820]: SERVER KEY EXCHANGE (12) was received. Length 329[400], frag offset 0, frag length: 329, sequence: 0
|<3>| ASSERT: gnutls_buffers.c:1375
|<4>| HSK[0xb25820]: Selected ECC curve SECP256R1 (2)
|<4>| HSK[0xb25820]: verify handshake data: using RSA-SHA256
|<3>| ASSERT: gnutls_buffers.c:1138
|<4>| HSK[0xb25820]: CERTIFICATE REQUEST (13) was received. Length 63[67], frag offset 0, frag length: 63, sequence: 0
|<3>| ASSERT: gnutls_buffers.c:1375
...
|<3>| ASSERT: gnutls_buffers.c:1138
|<4>| HSK[0xb25820]: SERVER HELLO DONE (14) was received. Length 0[0], frag offset 0, frag length: 1, sequence: 0
|<3>| ASSERT: gnutls_buffers.c:1375
## Epoch #2
...
|<3>| ASSERT: gnutls_buffers.c:1138
|<4>| HSK[0xb25820]: CERTIFICATE (11) was received. Length 2453[2857], frag offset 0, frag length: 2453, sequence: 0
|<3>| ASSERT: gnutls_buffers.c:1375
...
|<4>| HSK[0xb25820]: SERVER KEY EXCHANGE (12) was received. Length 329[400], frag offset 0, frag length: 329, sequence: 0
|<3>| ASSERT: gnutls_buffers.c:1375
|<4>| HSK[0xb25820]: Selected ECC curve SECP256R1 (2)
|<4>| HSK[0xb25820]: verify handshake data: using RSA-SHA256
|<3>| ASSERT: gnutls_buffers.c:1138
|<4>| HSK[0xb25820]: CERTIFICATE REQUEST (13) was received. Length 63[67], frag offset 0, frag length: 63, sequence: 0
|<3>| ASSERT: gnutls_buffers.c:1375
...
|<3>| ASSERT: gnutls_buffers.c:1138
|<4>| HSK[0xb25820]: SERVER HELLO DONE (14) was received. Length 0[0], frag offset 0, frag length: 1, sequence: 0

Nevertheless, when -rrr or -rrrr is used, to request (and require) client certificate on the second handshake, the CERTIFICATE REQUEST is not sent at all:

# /usr/lib64/nss/unsupported-tools/selfserv -d sql:./nssdb/ -p 4433 -V tls1.0: -rrrr -H 1 -c :C030 -n rsa-server
# gnutls-cli --rehandshake --x509cafile <(cat $(x509Cert ca) ${C_SUBCA[$idx]}) --x509keyfile rsa-client/key.pem --x509certfile rsa-client/cert.pem --port 4433 -d 500 localhost
...
## Epoch #1
...
|<3>| ASSERT: gnutls_buffers.c:1138
|<4>| HSK[0x1d0f820]: CERTIFICATE (11) was received. Length 2453[2790], frag offset 0, frag length: 2453, sequence: 0
...
|<3>| ASSERT: gnutls_buffers.c:1138
|<4>| HSK[0x1d0f820]: SERVER KEY EXCHANGE (12) was received. Length 329[333], frag offset 0, frag length: 329, sequence: 0
|<3>| ASSERT: gnutls_buffers.c:1375
|<4>| HSK[0x1d0f820]: Selected ECC curve SECP256R1 (2)
|<4>| HSK[0x1d0f820]: verify handshake data: using RSA-SHA256
|<3>| ASSERT: gnutls_buffers.c:1138
|<4>| HSK[0x1d0f820]: SERVER HELLO DONE (14) was received. Length 0[0], frag offset 0, frag length: 1, sequence: 0
...
## Epoch #2
...
|<3>| ASSERT: gnutls_buffers.c:1138
|<4>| HSK[0x1d0f820]: CERTIFICATE (11) was received. Length 2453[2790], frag offset 0, frag length: 2453, sequence: 0
...
|<4>| HSK[0x1d0f820]: SERVER KEY EXCHANGE (12) was received. Length 329[333], frag offset 0, frag length: 329, sequence: 0
|<3>| ASSERT: gnutls_buffers.c:1375
|<4>| HSK[0x1d0f820]: Selected ECC curve SECP256R1 (2)
|<4>| HSK[0x1d0f820]: verify handshake data: using RSA-SHA256
|<3>| ASSERT: gnutls_buffers.c:1138
|<4>| HSK[0x1d0f820]: SERVER HELLO DONE (14) was received. Length 0[0], frag offset 0, frag length: 1, sequence: 0
|<3>| ASSERT: gnutls_buffers.c:1129
...

Tested on the current master (3.31 Beta).
Status: UNCONFIRMED → NEW
Ever confirmed: true
Severity: normal → S3
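
The per-handshake comparison made in the description can be automated. The following is an added example, not part of the bug report or of NSS: it splits a gnutls-cli debug trace at the "## Epoch #N" markers shown in the report and returns the handshakes in which CERTIFICATE REQUEST (13) arrived, compared against an assumed reading of the help text (-r/-rr: first handshake only; -rrr/-rrrr: second handshake only). All function names are hypothetical.

```python
import re

# Shape taken from the traces in the report, e.g.
# |<4>| HSK[0xb25820]: CERTIFICATE REQUEST (13) was received. Length 63[67], ...
HSK_RE = re.compile(r"HSK\[0x[0-9a-f]+\]: ([A-Z ]+) \((\d+)\) was received")
EPOCH_RE = re.compile(r"## Epoch #(\d+)")  # marker lines as they appear in the report
CERTIFICATE_REQUEST = 13  # TLS HandshakeType certificate_request

def messages_by_epoch(log_text):
    """Return {epoch: [handshake type numbers received, in order]}."""
    epochs, current = {}, None
    for line in log_text.splitlines():
        marker, hsk = EPOCH_RE.match(line.strip()), HSK_RE.search(line)
        if marker:
            current = int(marker.group(1))
            epochs.setdefault(current, [])
        elif hsk and current is not None:
            epochs[current].append(int(hsk.group(2)))
    return epochs

def expected_epochs(r_count):
    """Assumed reading of the help text: -r/-rr -> first handshake, -rrr/-rrrr -> second."""
    if r_count not in (1, 2, 3, 4):
        raise ValueError("the help text describes 1 to 4 -r flags")
    return {1} if r_count <= 2 else {2}

def check_trace(log_text, r_count):
    """Return (observed, expected, matches) for one client-side trace."""
    epochs = messages_by_epoch(log_text)
    observed = {e for e, msgs in epochs.items() if CERTIFICATE_REQUEST in msgs}
    expected = expected_epochs(r_count)
    return observed, expected, observed == expected

# Abridged from the -rr trace in the report: handshake message lines only.
TRACE_RR = """\
## Epoch #1
|<4>| HSK[0xb25820]: CERTIFICATE (11) was received. Length 2453[2857], frag offset 0, frag length: 2453, sequence: 0
|<4>| HSK[0xb25820]: CERTIFICATE REQUEST (13) was received. Length 63[67], frag offset 0, frag length: 63, sequence: 0
|<4>| HSK[0xb25820]: SERVER HELLO DONE (14) was received. Length 0[0], frag offset 0, frag length: 1, sequence: 0
## Epoch #2
|<4>| HSK[0xb25820]: CERTIFICATE (11) was received. Length 2453[2857], frag offset 0, frag length: 2453, sequence: 0
|<4>| HSK[0xb25820]: CERTIFICATE REQUEST (13) was received. Length 63[67], frag offset 0, frag length: 63, sequence: 0
|<4>| HSK[0xb25820]: SERVER HELLO DONE (14) was received. Length 0[0], frag offset 0, frag length: 1, sequence: 0
"""

if __name__ == "__main__":
    observed, expected, ok = check_trace(TRACE_RR, 2)
    print(f"-rr: CertificateRequest seen in epochs {sorted(observed)}, "
          f"expected {sorted(expected)}, matches manual: {ok}")
```

Feeding it the full gnutls-cli output from each selfserv run turns the manual inspection into a pass/fail check per -r count.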