Closed Bug 332279 Opened 18 years ago Closed 18 years ago

SSL2 client auth stress tests fail when using auto cert selection

Categories

(NSS :: Libraries, defect, P1)

3.11
defect

Tracking

(Not tracked)

RESOLVED FIXED
3.11.1

People

(Reporter: alvolkov.bgs, Assigned: alvolkov.bgs)


Problem shows up when running tests with patch https://bugzilla.mozilla.org/attachment.cgi?id=216778.

Bits built without ECC work fine.

Test:
  noECC     0      -r_-r     -c_1000_-C_A_-N          Stress SSL2 RC4 128 with MD5
ssl.sh: Stress SSL2 RC4 128 with MD5 ----
selfserv -D -p 9443 -d ../server -n simplify.red.iplanet.com -B -s \
         -e simplify.red.iplanet.com-ec -w nss -r -r -i ../tests_pid.29524  &
selfserv started at Thu Mar 30 13:04:09 PST 2006
tstclnt -p 9443 -h simplify.red.iplanet.com  -q \
        -d ../client < /export/volkov/nss-3.12-t-unsafe/mozilla/security/nss/tes
ts/ssl/sslreq.dat
strsclnt -q -p 9443 -d ../client  -w nss -c 1000 -C A -N \
          simplify.red.iplanet.com
strsclnt started at Thu Mar 30 13:04:09 PST 2006
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
selfserv: HDX PR_Read returned error -12285:
Unable to find the certificate or key necessary for authentication.
strsclnt: PR_Write returned error -5938:
Encountered end of file.
strsclnt: -- SSL: Server Certificate Validated.
selfserv: HDX PR_Read returned error -12285:
...

Test:
  noECC     0      -r_-r     -c_1000_-C_c_-T_-N       Stress SSL3 RC4 128 with MD5
selfserv -D -p 9443 -d ../server -n simplify.red.iplanet.com -B -s \
         -e simplify.red.iplanet.com-ec -w nss -r -r -i ../tests_pid.29524  &
selfserv started at Thu Mar 30 13:04:55 PST 2006
tstclnt -p 9443 -h simplify.red.iplanet.com  -q \
        -d ../client < /export/volkov/nss-3.12-t-unsafe/mozilla/security/nss/tes
ts/ssl/sslreq.dat
strsclnt -q -p 9443 -d ../client  -w nss -c 1000 -C c -T -N \
          simplify.red.iplanet.com
strsclnt started at Thu Mar 30 13:04:55 PST 2006
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: 0 cache hits; 8 cache misses, 0 cache not reusable
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
selfserv: HDX PR_Read returned error -8180:
Peer's Certificate has been revoked.
strsclnt: PR_Write returned error -12270:
SSL peer rejected your certificate as revoked.
strsclnt: -- SSL: Server Certificate Validated.
selfserv: HDX PR_Read returned error -8180:
Peer's Certificate has been revoked.
strsclnt: PR_Write returned error -12270:
SSL peer rejected your certificate as revoked.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
...

Test:
  noECC     0      -r_-r     -c_1000_-C_c_-N          Stress TLS  RC4 128 with MD5
ssl.sh: Stress TLS  RC4 128 with MD5 ----
selfserv -D -p 9443 -d ../server -n simplify.red.iplanet.com -B -s \
         -e simplify.red.iplanet.com-ec -w nss -r -r -i ../tests_pid.29524  &
selfserv started at Thu Mar 30 13:05:25 PST 2006
tstclnt -p 9443 -h simplify.red.iplanet.com  -q \
        -d ../client < /export/volkov/nss-3.12-t-unsafe/mozilla/security/nss/tes
ts/ssl/sslreq.dat
strsclnt -q -p 9443 -d ../client  -w nss -c 1000 -C c -N \
          simplify.red.iplanet.com
strsclnt started at Thu Mar 30 13:05:25 PST 2006
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: 0 cache hits; 8 cache misses, 0 cache not reusable
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
selfserv: HDX PR_Read returned error -8180:
Peer's Certificate has been revoked.
strsclnt: PR_Write returned error -12270:
SSL peer rejected your certificate as revoked.
strsclnt: -- SSL: Server Certificate Validated.
Assignee: nobody → alexei.volkov.bugs
Alexei,

How easy is this to reproduce? It sounds like another race condition in the cert code.

The revocation errors are a little weird. But the CRL code maps a lot of errors while trying to search CRLs to "cert revoked". It may be time to add some assertions.
The problem is 100% reproducible and requires at least 10 concurrent connections.
Priority: -- → P1
Target Milestone: 3.11.2 → 3.11.1
Version: 3.11.2 → 3.11
It turns out to be mostly a test bug. The test does not specify a nickname for the cert that strsclnt is supposed to use for the connection, so strsclnt tries to find a cert by itself. Periodically it picks certs that are in the revocation list on the server side and the test fails.

The test result depends on the sequence of nicknames returned by CERT_GetCertNicknames. Bob, maybe you can answer the question of why some degree of randomness exists in the results returned by the function.

It works most of the time since there are only two certs revoked on the server side.

Also, it behaves the same way with non-ECC bits.

I think the test should be modified to supply the proper name to strsclnt to use for communication, or changes should be made in strsclnt to check that the user cert is not revoked. For the last one, the revocation list should be imported into the client db before running the test.

New priority/severity should be set for this bug.
Blocks: 220380
After discussing this with Alexei today, I'm changing this summary from 
> selfserv is unable to validate user cert when running non ecc strs test 
> on binaries built with ECC
to
> SSL2 client auth stress tests fail when using auto cert selection
Summary: selfserv is unable to validate user cert when running non ecc strs test on binaries built with ECC → SSL2 client auth stress tests fail when using auto cert selection
As suggested by Nelson, the way to fix it is to specify the name of the cert as an argument to strsclnt.
sslstress.txt will be modified as follows:

>  noECC     0      -r_-r     -c_1000_-C_A_-N          Stress SSL2 RC4 128 with
to
>  noECC     0      -r_-r     -c_1000_-C_A_-N_-n_TestUser Stress SSL2 RC4 128 with

The fix will be integrated into the tree as a patch for bug 220380.
Fixed as a part of the patch to bug 220380, attachment 222740.
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
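The check below is an added example, not part of the bug thread or the NSS test suite: it scans test lines in the sslstress.txt layout quoted above and reports client-auth stress tests that leave certificate selection to strsclnt because no `-n` nickname is given. The column layout and the underscore-for-space convention are inferred from the lines and logged commands in this bug, `-r` is taken to be the selfserv option that requests client auth, and the function names and sample lines are constructed for illustration.

```python
# Constructed sample in the layout quoted in the bug:
# ECC flag, expected return, selfserv params, strsclnt params, test name.
# Inside the two params columns, "_" stands for a space.
SAMPLE = """\
# constructed lines, modelled on the ones quoted in this bug
  noECC     0      _         -c_1000_-C_A             Stress SSL2 RC4 128 with MD5
  noECC     0      -r_-r     -c_1000_-C_A_-N          Stress SSL2 RC4 128 with MD5 (client auth)
  noECC     0      -r_-r     -c_1000_-C_c_-N_-n_TestUser Stress TLS RC4 128 with MD5 (client auth)
"""

def parse_line(line):
    """Split one test line into its columns; return None for blanks and comments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split(None, 4)
    if len(fields) < 5:
        return None
    ecc, ret, server, client, name = fields
    return {
        "ecc": ecc,
        "ret": ret,
        # A lone "_" (no params) yields an empty list.
        "server": [a for a in server.split("_") if a],
        "client": [a for a in client.split("_") if a],
        "name": name.strip(),
    }

def has_option_value(args, opt):
    """True if opt is present and followed by a value rather than another option.
    The comparison is case-sensitive, so -N is never mistaken for -n."""
    return any(a == opt and not nxt.startswith("-")
               for a, nxt in zip(args, args[1:]))

def find_auto_selected(text):
    """Names of tests where selfserv asks for a client cert (-r) but
    strsclnt is given no -n nickname and so picks a cert on its own."""
    findings = []
    for line in text.splitlines():
        test = parse_line(line)
        if test and "-r" in test["server"] and not has_option_value(test["client"], "-n"):
            findings.append(test["name"])
    return findings

if __name__ == "__main__":
    for name in find_auto_selected(SAMPLE):
        print("client cert left to auto selection:", name)
```
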