Avoid external connections in ssl_policy_pkix_ocsp
Categories
(NSS :: Test, enhancement, P3)
Tracking
(Not tracked)
People
(Reporter: juippis, Unassigned)
Attachments
(1 file)
282.58 KB,
application/x-xz
Steps to reproduce:
Run NSS_CYCLES="standard"
for the 3.110 release.
Actual results:
One test failed:
Tests summary:
--------------
Passed: 6885
Failed: 1
Failed with core: 0
ASan failures: 0
Unknown status: 12
TinderboxPrint:Unknown: 12
******************************Testing ../server with:
library=
name=NSS Internal PKCS #11 Module
parameters=configdir='./client' certPrefix='' keyPrefix='' secmod='secmod.db' flags= updatedir='' updateCertPrefix='' updateKeyPrefix='' updateid='' updateTokenDescription=''
NSS=Flags=internal,critical trustOrder=75 cipherOrder=100 slotParams=(1={slotFlags=[RSA,DSA,DH,RC2,RC4,DES,RANDOM,SHA1,MD5,MD2,SSL,TLS,AES,Camellia,SEED,SHA256,SHA512] askpw=any timeout=30})
config=disallow=sha1
library=/var/tmp/portage/dev-libs/nss-3.110/work/nss-3.110/nss-abi_x86_64.amd64/dist/Linux6.12_x86_64_x86_64-pc-linux-gnu-gcc_glibc_PTH_64_OPT.OBJ/lib/libnssckbi.so
name=RootCerts
NSS=trustOrder=100
******************************
vfyserv -o wrong.host.badssl.com -d ../server 2>&1 | tee ../server/vfy.out
Error in function PR_GetHostByName: -5973
- A directory lookup on a network address has failed
grep 12276 ../server/vfy.out
ssl.sh: #663: produced a returncode of 1, expected is 0 - FAILED
ssl.sh: SSL POLICY - server /client ===============================
Saving pkcs11.txt
selfserv starting at Sat Mar 29 05:33:29 -00 2025
selfserv -D -p 8443 -d ../server -n 127.0.0.1 \
-e 127.0.0.1-ecmixed -e 127.0.0.1-ec -S 127.0.0.1-dsa -w nss -c :C001:C002:C003:C004:C005:C006:C007:C008:C009:C00A:C00B:C00C:C00D:C00E:C00F:C010:C011:C012:C013:C014:C023:C024:C027:C028:C02B:C02C:C02F:C030:CCA8:CCA9:CCAA:0016:0032:0033:0038:0039:003B:003C:003D:0040:0041:0067:006A:006B:0084:009C:009D:009E:009F:00A2:00A3:CCAAcdeinvyz -i ../tests_pid.62\
-V ssl3:tls1.2 -H 1 &
trying to connect to selfserv at Sat Mar 29 05:33:29 -00 2025
tstclnt -4 -p 8443 -h 127.0.0.1 -q \
-d ../client < /var/tmp/portage/dev-libs/nss-3.110/work/nss-3.110/nss-abi_x86_64.amd64/tests/ssl/sslreq.dat
kill -0 42115 >/dev/null 2>/dev/null
selfserv with PID 42115 found at Sat Mar 29 05:33:29 -00 2025
selfserv with PID 42115 started at Sat Mar 29 05:33:29 -00 2025
ssl.sh: running Allowed by Narrow Policy ----------------------------
Full build.log is attached.
Expected results:
Tests should pass.
Comment 1•22 days ago
From the output:
vfyserv -o wrong.host.badssl.com -d ../server 2>&1 | tee ../server/vfy.out
Error in function PR_GetHostByName: -5973
- A directory lookup on a network address has failed
This looks like a live site test that is failing because of a DNS issue.
Are you able to reproduce this reliably? Are you able to resolve wrong.host.badssl.com in other programs (e.g. ping)?
Comment 2•21 days ago (Reporter)
Oh, right, that's a hint and now that you say it, it's obvious. The tests are usually run in a sandboxed environment without internet access. So far with previous releases this hasn't been an issue, and going forth I'm not sure whether this 1 test should be removed/disabled or an exception made for running tests with a live internet connection.
I hope you understand my problem, but I'd like to hear what your recommendation is. How important is this particular test amongst the ~7000 passing ones?
Comment 3•20 days ago
I'm not sure why this only just stopped working for you. My guess is that the test was flaky to begin with. In any case, this is not a very important test and it would be fine to remove or disable it. I'll change this to an enhancement request to avoid making external connections in tests.
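A packager-side check for the situation discussed in this bug, as an added example that is not part of the bug thread or the NSS test suite: it scans a test log for `vfyserv`/`tstclnt` command lines that name a non-loopback host. The function names, the sample log (constructed from the lines quoted above) and the rule that any dotted command-line token is the target host are assumptions.

```shell
#!/bin/sh
# Added example, not from the NSS tree. Names here are hypothetical.

# Constructed sample log, modelled on the lines quoted in this bug.
sample_log() {
cat <<'EOF'
vfyserv -o wrong.host.badssl.com -d ../server 2>&1 | tee ../server/vfy.out
selfserv -D -p 8443 -d ../server -n 127.0.0.1 \
tstclnt -4 -p 8443 -h 127.0.0.1 -q \
-d ../client < /tmp/tests/ssl/sslreq.dat
ssl.sh: #663: produced a returncode of 1, expected is 0 - FAILED
EOF
}

# Read a test log on stdin and print "<tool> <host>" for every vfyserv or
# tstclnt command line that names a host outside 127.0.0.0/8.
# Assumption: the target appears as a dotted token (FQDN or IPv4 literal);
# single-label names such as "localhost" are treated as local and ignored.
find_external_hosts() {
  awk '
    $1 == "vfyserv" || $1 == "tstclnt" {
      for (i = 2; i <= NF; i++) {
        tok = $i
        if (tok ~ /^[0-9]*[|<>]/) break        # pipe or redirection: command ends
        if (substr(tok, 1, 1) == "-") continue # option flag
        if (index(tok, "/") > 0) continue      # file system path
        if (tok !~ /^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$/) continue
        if (tok ~ /^127\.[0-9]+\.[0-9]+\.[0-9]+$/) continue  # loopback
        print $1, tok
      }
    }
  '
}

sample_log | find_external_hosts
```

Feeding a full build log to `find_external_hosts` before running the suite in a network-isolated sandbox shows which test commands would need DNS or outbound access.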