186087 - Mozilla hangs when using SSL SMTP with revoked certificate

Status: VERIFIED FIXED

(MailNews Core :: Networking: SMTP, defect, P3)

Description

[Julien Pierre]

1. set "outgoing SMTP server" to nsmail-1.mcom.com
2. set "use SSL" to "always"
3. uncheck "use name and password". This enables client auth
4. make sure you have an unexpired, but revoked signing corporate certificate
(such s the one in your software device before getting your smartcard)
5. make sure you have edit/privacy & security/certificates/ask every time enabled
6. compose a message to yourself and hit send
7. when prompted for a certificate to login, selected the revoked certificate
8. at that point, mozilla asks you for a password to login to the mail server,
probably because the client auth failed (the server must have revocation
enabled).  Enter your password (note that no userid is specified, so this will
always fail!)
9. the "sending message" pop-up stays on forever and the message is not sent
10. click cancel. The pop-up disappears
11. try to do something in mozilla involving the network, such as visiting a
website. note that it doesn't do anything 
12. to file/exit to quit mozilla
13. note that all mozilla windows disappear
14. note that mozilla.exe is still there in the task manager, consuming a lot of
CPU (25% on my 4-CPU machine)
15. the only way to truly kill mozilla is through the task manager

(note: this was done on a profile without any smartcard driver loaded, just
softoken)

This was with mozilla 1.2.1 and NSS 3.6 .

Comment 1

[Kai Engert [:KaiE:]]

Julien, did you see this problem only once, or can you reproduce it reliably?
I have never seen this problem.
Do you still see it with more recent builds?
John, can you reproduce?

Comment 2

[Julien Pierre]

I could reproduce it when I posted the bug.
I have not tried recently but I will.

Comment 3

[John Unruh]

Confirmed with the 20030129 commercial Win2000 trunk build.

Comment 4

[Kai Engert [:KaiE:]]

I just got myself a new corporate cert, which effectively revoked my previous
one, and I use the previous one for testing this bug.

When I try what you describe (on Linux), my step 9 is different: crash :-(

Comment 5

[Kai Engert [:KaiE:]]

The problem is not in PSM, but in the mail code.

nsSmtpProtocol::AuthLoginUsername() does not have sufficient checks for a null
username.

With the above testcase, we crash on this line:
 	915		  base64Str = 
 	916	          PL_Base64Encode((const char *) username, 
 	917	                          strlen((const char*)username), nsnull);

(gdb) print *username->mBuffer->mHandle
$5 = {<nsBufferHandle<char>> = {mDataStart = 0x0, mDataEnd = 0x0}, mFlags = 1,
mStorageLength = 0}


I'll propose a patch.

Comment 6

[Kai Engert [:KaiE:]]

Attachment: Patch v1

This one line change fixes the crash for me.

Note that a nicer fix would probably mean a larger change to the SMTP code,
possibly to detect that no username is available at all, and therefore it
doesn't make sense to prompt for a password (only).

Comment 7

[Kai Engert [:KaiE:]]

Comment on attachment 113381 [details] [diff] [review]
Patch v1

Seth, can you please review?
Can you suggest someone for the second review?

Comment 8

[(not reading, please use seth@sspitzer.org instead)]

Comment on attachment 113381 [details] [diff] [review]
Patch v1

r/sr=sspitzer

can you get this into 1.3 beta, since it is a crasher?

Comment 9

[(not reading, please use seth@sspitzer.org instead)]

sorry, not a crasher, a hang.  still worth taking though.

Comment 10

[(not reading, please use seth@sspitzer.org instead)]

Comment on attachment 113381 [details] [diff] [review]
Patch v1

seeking approval, since this is a hang bug.

Comment 11

[Kai Engert [:KaiE:]]

Actually, it's both a crasher and a hang. Julien saw a hang, I saw a crash.

Comment 12

[Kai Engert [:KaiE:]]

Checked in, marking fixed.

Comment 13

[Kai Engert [:KaiE:]]

.

Comment 14

[(not reading, please use seth@sspitzer.org instead)]

Comment on attachment 113381 [details] [diff] [review]
Patch v1

r/sr=sspitzer

Comment 15

[John Unruh]

Verified.