Closed
Bug 332279
Opened 19 years ago
Closed 18 years ago
SSL2 client auth stress tests fail when using auto cert selection
Categories
(NSS :: Libraries, defect, P1)
Tracking
(Not tracked)
RESOLVED
FIXED
3.11.1
People
(Reporter: alvolkov.bgs, Assigned: alvolkov.bgs)
References
Details
Problem shows up when running tests with patch https://bugzilla.mozilla.org/attachment.cgi?id=216778.
Bits built without ECC work fine.
Test:
noECC 0 -r_-r -c_1000_-C_A_-N Stress SSL2 RC4 128 with MD5
ssl.sh: Stress SSL2 RC4 128 with MD5 ----
selfserv -D -p 9443 -d ../server -n simplify.red.iplanet.com -B -s \
-e simplify.red.iplanet.com-ec -w nss -r -r -i ../tests_pid.29524 &
selfserv started at Thu Mar 30 13:04:09 PST 2006
tstclnt -p 9443 -h simplify.red.iplanet.com -q \
-d ../client < /export/volkov/nss-3.12-t-unsafe/mozilla/security/nss/tes
ts/ssl/sslreq.dat
strsclnt -q -p 9443 -d ../client -w nss -c 1000 -C A -N \
simplify.red.iplanet.com
strsclnt started at Thu Mar 30 13:04:09 PST 2006
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
selfserv: HDX PR_Read returned error -12285:
Unable to find the certificate or key necessary for authentication.
strsclnt: PR_Write returned error -5938:
Encountered end of file.
strsclnt: -- SSL: Server Certificate Validated.
selfserv: HDX PR_Read returned error -12285:
...
Test:
noECC 0 -r_-r -c_1000_-C_c_-T_-N Stress SSL3 RC4 128 with MD5
selfserv -D -p 9443 -d ../server -n simplify.red.iplanet.com -B -s \
-e simplify.red.iplanet.com-ec -w nss -r -r -i ../tests_pid.29524 &
selfserv started at Thu Mar 30 13:04:55 PST 2006
tstclnt -p 9443 -h simplify.red.iplanet.com -q \
-d ../client < /export/volkov/nss-3.12-t-unsafe/mozilla/security/nss/tes
ts/ssl/sslreq.dat
strsclnt -q -p 9443 -d ../client -w nss -c 1000 -C c -T -N \
simplify.red.iplanet.com
strsclnt started at Thu Mar 30 13:04:55 PST 2006
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: 0 cache hits; 8 cache misses, 0 cache not reusable
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
selfserv: HDX PR_Read returned error -8180:
Peer's Certificate has been revoked.
strsclnt: PR_Write returned error -12270:
SSL peer rejected your certificate as revoked.
strsclnt: -- SSL: Server Certificate Validated.
selfserv: HDX PR_Read returned error -8180:
Peer's Certificate has been revoked.
strsclnt: PR_Write returned error -12270:
SSL peer rejected your certificate as revoked.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
...
Test:
noECC 0 -r_-r -c_1000_-C_c_-N Stress TLS RC4 128 with MD5
ssl.sh: Stress TLS RC4 128 with MD5 ----
selfserv -D -p 9443 -d ../server -n simplify.red.iplanet.com -B -s \
-e simplify.red.iplanet.com-ec -w nss -r -r -i ../tests_pid.29524 &
selfserv started at Thu Mar 30 13:05:25 PST 2006
tstclnt -p 9443 -h simplify.red.iplanet.com -q \
-d ../client < /export/volkov/nss-3.12-t-unsafe/mozilla/security/nss/tes
ts/ssl/sslreq.dat
strsclnt -q -p 9443 -d ../client -w nss -c 1000 -C c -N \
simplify.red.iplanet.com
strsclnt started at Thu Mar 30 13:05:25 PST 2006
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: 0 cache hits; 8 cache misses, 0 cache not reusable
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: -- SSL: Server Certificate Validated.
selfserv: HDX PR_Read returned error -8180:
Peer's Certificate has been revoked.
strsclnt: PR_Write returned error -12270:
SSL peer rejected your certificate as revoked.
strsclnt: -- SSL: Server Certificate Validated.
Assignee | ||
Updated•19 years ago
|
Assignee: nobody → alexei.volkov.bugs
Comment 1•19 years ago
|
||
Alexei,
How easy is this to reproduce ? It sounds like another race condition in the cert code.
The revocation errors are a little weird. But the CRL code maps a lot of errors while trying to search CRLs to "cert revoked" . It may be time to add some assertions.
Assignee | ||
Comment 2•19 years ago
|
||
the problem with 100% reproducible and require at least concurrent 10 connections.
Updated•19 years ago
|
Priority: -- → P1
Target Milestone: 3.11.2 → 3.11.1
Version: 3.11.2 → 3.11
Assignee | ||
Comment 3•19 years ago
|
||
It tunes out to be mostly the test bug. The test does not specifies a nickname for the cert that strsclnt suppose to use for connection, so strsclnt tries to find a cert it by itself. Periodically it picks certs that are in revocation list on the server side and the test fails.
The test result depends on the sequence on nicknames returned by CERT_GetCertNicknames. Bob, may be you can answer the question why the
some degree of randomness exists in results returned by the function.
It works most of the time since there are only two certs revoked on server side.
Also, it behaves same way with non-ecc bits.
I think the test should be modify to supply proper name to strsclnt to use for communication, or changes should be made in strsclnt to check if user cert is not revoked. For the last one, the revocation list should be imported into client db before running the test.
New priority/severity should be set for this bug.
Comment 4•19 years ago
|
||
After discussing this with Alexei today, I'm changing this summary from
> selfserv is unable to validate user cert when running non ecc strs test
> on binaries built with ECC
to
> SSL2 client auth stress tests fail when using auto cert selection
Summary: selfserv is unable to validate user cert when running non ecc strs test on binaries built with ECC → SSL2 client auth stress tests fail when using auto cert selection
Assignee | ||
Comment 5•19 years ago
|
||
As suggested by Nelson, the way to fix it is to specify the name of the cert as an argument to strsclnt.
sslstress.txt will be modified as following:
> noECC 0 -r_-r -c_1000_-C_A_-N Stress SSL2 RC4 128 with
to
> noECC 0 -r_-r -c_1000_-C_A_-N_-n_TestUser Stress SSL2 RC4 128 with
Fix will be integrated into the tree as a patch for bug:220380.
Assignee | ||
Comment 6•18 years ago
|
||
fixed as a part of patch to bug 220380 attchment 222740
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → FIXED
You need to log in
before you can comment on or make changes to this bug.
Description
•