This bug only affects NSS clients, not NSS servers.

As noted in bug 236245 and in bug 340043, NSS presently implements only one of the 3 methods for ECC client authentication defined in RFC 4492. It implements ECDSA_sign, but not ECDSA_fixed_ECDH or RSA_fixed_ECDH.

When the server requests client auth with either or both of the "fixed_ECDH" methods, but NOT with the ECDSA_sign method, NSS fails to notice this, and will attempt to perform client authentication using the ECDSA_sign method if it has a certificate suitable for that purpose. That is a bug.

As noted elsewhere (in another bug), NSS's callback API, by which NSS calls the application-supplied function that selects the user's client auth cert, does not pass the client auth method to the callback function. But this bug is separate from and independent of that one. This bug merely requires NSS client code to only perform ECDSA_sign when that method has been requested and to perform NO client auth otherwise. The fix to this bug requires no API change.
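The check described in the comment above, as an added example that is not NSS code and not part of the original report: it scans the certificate_types vector at the start of a CertificateRequest body and selects ECDSA_sign only when the server listed it. The function name, result codes and sample byte arrays are hypothetical; the type values 64, 65 and 66 are the ClientCertificateType codes from RFC 4492, and only the ECC methods are considered.

```c
#include <stddef.h>
#include <stdint.h>

/* ClientCertificateType values defined in RFC 4492. */
enum { CT_ECDSA_SIGN = 64, CT_RSA_FIXED_ECDH = 65, CT_ECDSA_FIXED_ECDH = 66 };

/* Hypothetical result codes for this example (not NSS names). */
typedef enum {
    AUTH_MALFORMED = -1,  /* certificate_types vector is invalid */
    AUTH_NONE = 0,        /* perform no client auth */
    AUTH_ECDSA_SIGN = 1   /* ECDSA_sign was requested and is usable */
} auth_choice;

/* Constructed CertificateRequest bodies: a one-byte count, the type
 * bytes, then an empty certificate_authorities vector (0, 0). */
static const uint8_t req_fixed_only[] = { 2, 65, 66, 0, 0 };
static const uint8_t req_with_sign[]  = { 3, 66, 64, 65, 0, 0 };
static const uint8_t req_truncated[]  = { 4, 64 };  /* claims 4, has 1 */

/* body/len: CertificateRequest body, starting at the
 * certificate_types<1..2^8-1> vector.
 * have_ecdsa_cert: nonzero if the client holds an ECDSA signing cert. */
auth_choice choose_ecc_client_auth(const uint8_t *body, size_t len,
                                   int have_ecdsa_cert)
{
    size_t n, i;

    if (body == NULL || len < 1)
        return AUTH_MALFORMED;
    n = body[0];
    if (n == 0 || n > len - 1)   /* empty or truncated vector */
        return AUTH_MALFORMED;

    for (i = 0; i < n; i++) {
        if (body[1 + i] == CT_ECDSA_SIGN)
            return have_ecdsa_cert ? AUTH_ECDSA_SIGN : AUTH_NONE;
    }
    /* Only fixed_ECDH (or other unimplemented) methods were requested. */
    return AUTH_NONE;
}

int main(void)
{
    /* Exit 0 when a fixed_ECDH-only request yields no client auth. */
    return choose_ecc_client_auth(req_fixed_only, sizeof req_fixed_only, 1)
           == AUTH_NONE ? 0 : 1;
}
```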
Retargeting all P2s to 3.11.3.
Target Milestone: 3.11.2 → 3.11.3
remove target milestone, since the target was missed.
Target Milestone: 3.11.3 → ---