Closed Bug 167764 Opened 22 years ago Closed 22 years ago

OSX-Cannot visit a TLS intolerant site.

Categories

(Core Graveyard :: Security: UI, defect, P3)

Product:
Core Graveyard
Component:
Security: UI
Version:
1.0 Branch
Platform:
PowerPC
macOS
Type:
defect

Tracking

(Not tracked)

Status:
VERIFIED FIXED

People

(Reporter: junruh, Assigned: KaiE)

References

(
URL
)

Details

(Keywords: regression) 

1.) With a new profile, visit the above site with TLS enabled.
What happens: I cannot reach the site. Win32 and Linux are OK.
Hardware: PC → Macintosh
Blocks: 169277
Keywords: nsbeta1+, regression
Priority: -- → P3
Confirming bug on Mac OS X 10.1.5 using 29/9 build.

I traced this on the Mac.

The connection does not succeed, because we do not automatically retry (as we
are supposed to do with TLS intolerant servers).


We do not automatically retry, because the error code we encounter is not in the
retry-without-tls code list.

The error code returned from NSPR/SSL is => PR_UNKNOWN_ERROR


The failure happens during the 1st SSL handshake in macsockotpt.c,
SendReceiveStream, the first call to OTRcv returns 0xfffff3ad, which is
kOTOutStateErr.

I don't know what kOTOutStateErr means, do you know that?


But I made a wild guess and guessed "state" could be related to the
blocking/nonblocking state of the socket. I remembered we are doing a blocking
write initially and I thought that could cause the problem.

And indeed, after having worked on bug 163605 and tested the patch, the latest
patch for bug 163605 also fixes the problem in this bug 167764.
Depends on: 163605
kOTOutStateErr (-3155) means "The endpoint was not in
an appropriate state when you called this function."

I am afraid that the fix for bug 163605 merely masks
this problem.  In any case, as a general-purpose library,
NSPR should be able to handle this case properly.

Based on your description, I think the OTRcv() call in
SendReceiveStream() returns kOTOutStateErr, so we come
to this point:
                    
1543                 case kOTOutStateErr:    // if provider already closed, fall
through to handle error
1544                     if (fd->secret->md.orderlyDisconnect) {
1545                         amount = 0;
1546                         goto NormalExit;
1547                     }
1548                     // else fall through
1549                 default:
1550                     err = result;
1551                     goto ErrorExit;
[...]
1561 ErrorExit:
1562     PR_ASSERT(opCode == kSTREAM_SEND ? fd->secret->md.write.thread == NULL :
1563                                        fd->secret->md.read.thread  == NULL);
1564     macsock_map_error(err);
1565     return -1;

So apparently fd->secret->md.orderlyDisconnect is false and
macsock_map_error does not map kOTOutStateErr to a useful
NSPR error.  Simon, Gordon, do you know what kind of error
condition it is for fd->secret->md.orderlyDisconnect to be
false at that point?  That will tell us how we should map
kOTOutStateErr to an NSPR error code.  I think it probably
should be mapped to PR_CONNECT_RESET_ERROR.  Kai, is
PR_CONNECT_RESET_ERROR in the retry-without-tls error code
list?
>  Kai, is PR_CONNECT_RESET_ERROR in the retry-without-tls error code list?

Yes

is this bug related to bug 167764 (also recent regression)
Matti, this bug is bug 167764. :-)
If you have time today and want to help test the fix for this bug, please grab a
build from http://www.kuix.de/mozilla/163605/ and test whether it works, and
there are no regressions in SSL functionality. Please give feedback today or
early tomorrow. Thanks!

This should be fixed starting with tomorrow's build, by the patch for bug
163605. Please reopen if you still can reproduce the problem.
Status: NEW → RESOLVED
Closed: 22 years ago
Resolution: --- → FIXED
Verified.
Status: RESOLVED → VERIFIED
Product: PSM → Core
Version: psm2.4 → 1.0 Branch
Product: Core → Core Graveyard
You need to log in before you can comment on or make changes to this bug.