Closed
Bug 1429475
Opened 6 years ago
Closed 6 years ago
Calling libssl functions after SSL_AuthCertificateComplete(error) doesn't produce immediate failure
Categories
(NSS :: Libraries, defect)
Tracking
(Not tracked)
RESOLVED
FIXED
People
(Reporter: ekr, Unassigned)
Details
(Keywords: sec-audit)
Attachments
(1 file)
Consider the case where you are doing delayed cert auth. You return SECWouldBlock in the auth callback and then call SSL_AuthCertificateComplete() after. If you subsequently call SSL_ForceHandshake() it goes right into ssl3_GatherCompleteHandshake() as if you hadn't called the error. I don't think that this is a security problem because 1. The state machine still doesn't advance and 2. You shouldn't do this, but it is a bit disturbing.
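The sequence in the description, as an added toy model that is not part of the original report and is not NSS code: every type and function name below is hypothetical, and the return value of the unlatched path is a modelling choice. It contrasts a socket that re-enters the record-gathering path after a reported auth failure with one that latches the failure and rejects later calls before any I/O.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model only: these types and functions are hypothetical, not NSS code. */
typedef enum { HS_FAILURE = -1, HS_OK = 0, HS_WOULD_BLOCK = 1 } hs_status;

typedef struct {
    bool sticky;        /* true: failures are latched on the socket */
    bool auth_pending;  /* auth callback returned "would block" */
    bool auth_failed;   /* application reported a verification error */
    int  latched_error; /* non-zero once the socket is permanently failed */
    int  gathers;       /* times the record-gathering path was entered */
    int  state;         /* handshake progress; must not advance after failure */
} model_socket;

/* The application reports the result of delayed certificate verification. */
static void model_auth_complete(model_socket *s, int error) {
    s->auth_pending = false;
    if (error != 0) {
        s->auth_failed = true;
        if (s->sticky) s->latched_error = error;
    }
}

/* Drive the handshake one step. */
static hs_status model_force_handshake(model_socket *s) {
    if (s->latched_error != 0) return HS_FAILURE; /* fail before any I/O */
    if (s->auth_pending) return HS_WOULD_BLOCK;
    s->gathers++;                              /* stands in for reading records */
    if (s->auth_failed) return HS_WOULD_BLOCK; /* assumption: no progress, no error */
    s->state++;
    return HS_OK;
}

/* Delayed auth, then a reported failure, then two more handshake calls. */
static model_socket run_scenario(bool sticky, hs_status *last) {
    model_socket s = { .sticky = sticky, .auth_pending = true };
    model_force_handshake(&s);   /* blocked on certificate verification */
    model_auth_complete(&s, 1);  /* constructed non-zero error code */
    model_force_handshake(&s);
    *last = model_force_handshake(&s);
    return s;
}

int main(void) {
    hs_status last;
    model_socket a = run_scenario(false, &last);
    printf("unlatched: gathers=%d state=%d last=%d\n", a.gathers, a.state, last);
    model_socket b = run_scenario(true, &last);
    printf("latched:   gathers=%d state=%d last=%d\n", b.gathers, b.state, last);
    return 0;
}
```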
Comment 1•6 years ago
Comment on attachment 8941538 [details] Be more aggressive about making failures persistent. Martin Thomson [:mt:] has approved the revision. https://phabricator.services.mozilla.com/D365#8952
Attachment #8941538 -
Flags: review+
Comment 2•6 years ago
Comment on attachment 8941538 [details] Be more aggressive about making failures persistent. Wan-Teh Chang has approved the revision. https://phabricator.services.mozilla.com/D365#9148
Attachment #8941538 -
Flags: review+
Comment 3•6 years ago
https://hg.mozilla.org/projects/nss/rev/faaff377f79b
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Version: trunk → 3.34
Updated•6 years ago
Group: crypto-core-security → core-security-release
Updated•5 years ago
Group: core-security-release