Don't answer client auth request that requires unsupported method



13 years ago
9 years ago


(Reporter: nelson, Unassigned)



This bug only affects NSS clients, not NSS servers.

As noted in bug 236245 and in bug 340043, NSS presently implements only one
of the 3 methods for ECC client authentication defined in RFC 4492.
It implements ECDSA_sign, but not ECDSA_fixed_ECDH or RSA_fixed_ECDH.

When the server requests client auth with either or both of the "fixed_ECDH"
methods, but NOT with the ECDSA_sign method, NSS fails to notice this, and
will attempt to perform client authentication using the ECDSA_sign method
if it has a certificate suitable for that purpose.  That is a bug.

As noted elsewhere (in another bug), NSS's callback API, by which NSS calls 
the application-supplied function that selects the user's client auth cert, 
does not pass the client auth method to the callback function.  But this 
bug is separate from and independent of that one.  This bug merely requires
NSS client code to only perform ECDSA_sign when that method has been requested
and to perform NO client auth otherwise.  The fix to this bug requires no API
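
The check described above, as an added example that is not part of the original report and is not NSS code: a client that implements only ECDSA_sign scans the certificate_types list at the start of the CertificateRequest body and authenticates only if that method was requested. The function name, enum names and sample bytes are hypothetical and constructed for illustration; the type values are those assigned in RFC 4492.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* ClientCertificateType values assigned by RFC 4492, section 5.5. */
enum {
    CT_ECDSA_SIGN       = 64,  /* the only ECC method this client implements */
    CT_RSA_FIXED_ECDH   = 65,
    CT_ECDSA_FIXED_ECDH = 66
};

typedef enum { AUTH_MALFORMED = -1, AUTH_NONE = 0, AUTH_ECDSA_SIGN = 1 } ecc_auth_t;

/*
 * body/len: CertificateRequest body, which begins with
 *   ClientCertificateType certificate_types<1..2^8-1>;
 * that is, a one-byte count followed by that many one-byte type codes.
 * Assumption: the client holds an ECDSA certificate and nothing else.
 */
ecc_auth_t choose_ecc_client_auth(const uint8_t *body, size_t len)
{
    size_t n, i;

    if (body == NULL || len < 1)
        return AUTH_MALFORMED;
    n = body[0];
    if (n == 0 || n > len - 1)       /* empty list or truncated message */
        return AUTH_MALFORMED;

    for (i = 0; i < n; i++) {
        if (body[1 + i] == CT_ECDSA_SIGN)
            return AUTH_ECDSA_SIGN;  /* server requested the method we implement */
    }
    /* Only fixed_ECDH (or other) types were requested: perform no client auth. */
    return AUTH_NONE;
}

int main(void)
{
    /* Constructed samples: a fixed_ECDH-only request, then one with ecdsa_sign. */
    const uint8_t fixed_only[] = { 2, CT_RSA_FIXED_ECDH, CT_ECDSA_FIXED_ECDH };
    const uint8_t with_sign[]  = { 2, CT_ECDSA_FIXED_ECDH, CT_ECDSA_SIGN };

    printf("fixed_ECDH only: %d\n", choose_ecc_client_auth(fixed_only, sizeof fixed_only));
    printf("with ECDSA_sign: %d\n", choose_ecc_client_auth(with_sign, sizeof with_sign));
    return 0;
}
```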


13 years ago
Priority: -- → P2

Comment 1

13 years ago
Retargeting all P2s to 3.11.3.
Target Milestone: 3.11.2 → 3.11.3
Remove target milestone, since the target was missed.
Target Milestone: 3.11.3 → ---
Assignee: nelson → nobody