Session id failure on hardware tokens.
Categories
(NSS :: Libraries, defect, P3)
Tracking
(Not tracked)
People
(Reporter: rrelyea, Assigned: rrelyea)
Details
Attachments
(1 file)
|
Bug 1530472 - handle issue when server ECC key is in a token that doesn't handle the TLS mechanisms.
47 bytes,
text/x-phabricator-request
|
Details | Review |
NSS can fail to recover the master secret from the server on disk cache when a hardware token is involved. The wrapping key gets unwrapped into the hardware token, but the hardware token can't support the TLS operations thus it fails to unwrap the master secret. When we detect this, we need to try to move the unwrapping key from the token back into softoken so the master secret unwrap can still succeed.
This problem on occurs on multi-process servers sharing an ondisk cache and using a hardware token (using ECC rather than RSA).
|
Assignee | |
Comment 1•5 years ago
|
||
Downstream bug: https://bugzilla.redhat.com/show_bug.cgi?id=1639873
|
||
Updated•5 years ago
|
|
|
Assignee | |
Comment 2•5 years ago
|
||
|
|
Assignee | |
Comment 3•5 years ago
|
||
|
|
Assignee | |
Comment 4•5 years ago
|
||
mt, thanks for the review. I'm not sure how to add comments to Phabricator without changing the state.
Yes, there isn't a way for automated test of this particular issue as it requires specific hardware.
I purposefully included the full list with the idea that maybe this could in the future get folded into Unwrap itself.
bob
|
|
Assignee | |
Comment 5•5 years ago
|
||
Description
•