1547860 - netwerk/test/unit/test_tls_server.js fails with NSS 56826bedabba

Status: RESOLVED FIXED

(Core :: Security: PSM, defect, P1)

Description

[J.C. Jones [:jcj] (he/him)]

Between NSS e5e10a46b9ad and NSS 56826bedabba, a commit has landed that broke netwerk/test/unit/test_tls_server.js for all platforms.

Try run: https://treeherder.mozilla.org/#/jobs?repo=try&revision=9dcad6ce4e933316e1c5477e240b6f4459b43be5

Commit log: https://hg.mozilla.org/projects/nss/log?rev=e5e10a46b9ad..56826bedabba

Example logs:

• https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=243397127&repo=try&lineNumber=9925
• https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=243381834&repo=try&lineNumber=2261

Comment 1

[J.C. Jones [:jcj] (he/him)]

Bisecting shows something from Bug 1532312 broke this test. I haven't determined yet whether the test needs to be updated, or whether there's a problem with the patchset from that bug.

Comment 2

[J.C. Jones [:jcj] (he/him)]

Daiki,

Any off-the-top-of-your-head thoughts about how netwerk/test/unit/test_tls_server.js's new failure might be related to Bug 1532312? It looks like some things with NSS-as-a-server changed, but I haven't yet been able to dig into it, just getting back from PTO. I'll do more analysis tomorrow if you don't have immediate ideas.

Comment 3

[J.C. Jones [:jcj] (he/him)]

eb03936b42bb51d1e96acc73ac25a3b2501090b9 passes.
ef0974cfd1defe7512c8978095edd81e86e8b1d8 fails.

I'm currently suspecting 15905cd1cab9c8460b245f19134043b5217e0e8b.

Comment 4

[J.C. Jones [:jcj] (he/him)]

15905cd1cab9c8460b245f19134043b5217e0e8b fails. Since that's the first patch that modifies non-test code past eb03936b42bb51d1e96acc73ac25a3b2501090b9, it must be part of the answer, though that doesn't prove whether the fault is in NSS or the Firefox test.

Comment 5

[Daiki Ueno [:ueno]]

(In reply to J.C. Jones [:jcj] (he/him) from comment #4)

15905cd1cab9c8460b245f19134043b5217e0e8b fails. Since that's the first patch that modifies non-test code past eb03936b42bb51d1e96acc73ac25a3b2501090b9, it must be part of the answer, though that doesn't prove whether the fault is in NSS or the Firefox test.

Thank you for looking into it. Indeed that commit changed the behavior in NSS server: previously the server sent a "bad_certificate" alert instead of "certificate_required" when a client certificate is required by the server but not provided by the client.

It seems the Firefox test relies on the alert description "bad_certificate", so I guess it needs to be updated to expect "certificate_required".

Comment 6

[J.C. Jones [:jcj] (he/him)]

Attachment: Bug 1547860 - Update test_tls_server to use TLS 1.3 client cert alert logic

Comment 7

[Pulsebot]

Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/54d6029f69a5
Update test_tls_server to use TLS 1.3 client cert alert logic r=keeler

Comment 8

[Cristina Coroiu [:ccoroiu]]

https://hg.mozilla.org/mozilla-central/rev/54d6029f69a5