Closed Bug 1474875 Opened 6 years ago Closed 6 years ago

Typo in policy handling for DTLS-VERSION-MAX

Categories

(NSS :: Libraries, enhancement)

3.38
enhancement
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: KaiE, Assigned: KaiE)

Attachments

(1 file)

This commit
  https://hg.mozilla.org/projects/nss/rev/0d419662b42d

from bug 1009429 contains the following incorrect line:
   {CIPHER_NAME("DTLS-VERSION-MAX"), NSS_DTLS_VERSION_MIN_POLICY}

It should be:
   {CIPHER_NAME("DTLS-VERSION-MAX"), NSS_DTLS_VERSION_MAX_POLICY}

It means the policy configuration for DTLS currently isn't working.
Attached patch 1474875-v1.patch
Assignee: nobody → kaie
Attachment #8991300 - Flags: review?(dueno)
Comment on attachment 8991300
1474875-v1.patch

Review of attachment 8991300:
-----------------------------------------------------------------

Sure, looks good to me.
Attachment #8991300 - Flags: review?(dueno) → review+
By the way, it would be nice if this is covered by the tests.
(In reply to Daiki Ueno [:ueno] from comment #3)
> By the way, it would be nice if this is covered by the tests.

Agreed, but I currently don't see an easy way to do so. The NSS test tools don't support DTLS, so we probably cannot use tstclnt like it's done for the other sslpolicy.txt tests.

I suggest implementing a test as part of bug 1474887. For example, we would be able to test that a configuration with {min=tls1.2, max=tls1.0} indeed produces an invalid configuration.
https://hg.mozilla.org/projects/nss/rev/53c2ee896c57
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.39
The NSS test tools do support DTLS.

1. We have extensive gtests
2. tstclnt supports DTLS as well, and there's even a test: https://searchfox.org/nss/source/tests/ssl/ssl.sh#1084

Please add some kind of test here.
Thanks for the pointer!
I've checked in new policy tests as part of bug 1474887. When reverting to the broken handling for DTLS-VERSION-MAX, the new test reports an error.
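
A table consistency check of the kind a regression test for this typo could run, as an added example that is neither NSS code nor part of the bug thread. The row type, macro and function names are hypothetical, the option values are constructed, and only the two DTLS rows quoted in the report are modelled.

```c
#include <stdio.h>
#include <string.h>

/* Option ids named as in the report; the numeric values are constructed. */
enum { NSS_DTLS_VERSION_MIN_POLICY, NSS_DTLS_VERSION_MAX_POLICY, N_OPTS };

typedef struct {       /* hypothetical row type, not NSS's own */
    const char *name;  /* keyword as written in the policy string */
    int option;        /* option id the keyword sets */
    const char *ident; /* source spelling of that id, captured by #opt */
} optEntry;
#define OPT(name, opt) { name, opt, #opt }
#define TABLE_LEN 2

static const optEntry broken_table[TABLE_LEN] = {
    OPT("DTLS-VERSION-MIN", NSS_DTLS_VERSION_MIN_POLICY),
    OPT("DTLS-VERSION-MAX", NSS_DTLS_VERSION_MIN_POLICY), /* the typo */
};
static const optEntry fixed_table[TABLE_LEN] = {
    OPT("DTLS-VERSION-MIN", NSS_DTLS_VERSION_MIN_POLICY),
    OPT("DTLS-VERSION-MAX", NSS_DTLS_VERSION_MAX_POLICY),
};

/* Count rows whose MIN/MAX suffix disagrees with the option id, or whose id repeats. */
static int count_mismatches(const optEntry *t) {
    int bad = 0;
    for (int i = 0; i < TABLE_LEN; i++) {
        char want[8];
        int dup = 0;
        snprintf(want, sizeof want, "_%s_", strrchr(t[i].name, '-') + 1);
        for (int j = 0; j < i; j++) dup |= (t[j].option == t[i].option);
        if (dup || !strstr(t[i].ident, want)) bad++;
    }
    return bad;
}

/* Store value under the option the keyword maps to; -1 if unknown. */
static int apply(const optEntry *t, int *opts, const char *kw, int value) {
    for (int i = 0; i < TABLE_LEN; i++)
        if (strcmp(t[i].name, kw) == 0) { opts[t[i].option] = value; return 0; }
    return -1;
}

int main(void) {
    int opts[N_OPTS] = { 0 };
    apply(broken_table, opts, "DTLS-VERSION-MAX", 2); /* lands in the MIN slot */
    printf("broken=%d fixed=%d max_slot=%d\n", count_mismatches(broken_table),
           count_mismatches(fixed_table), opts[NSS_DTLS_VERSION_MAX_POLICY]);
    return 0;
}
```

With the broken table the maximum is never stored and a later DTLS-VERSION-MAX overwrites the configured minimum, which is why a check on the table itself catches the mistake without needing a DTLS handshake.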