vfyserv is a program used to verify a server's chain. Sometimes, it can be useful to save the server certs to a database for further examination with certutil, for example. This option could also be useful in the field in a private network environment if we need to obtain a cert chain. So, I propose to add a new option to vfyserv to save the certs to the cert DB. I also propose to add an option to enable vfyserv to run OCSP checks.
Or, if not to the cert DB, at least spit them out to files, like ssltap does. Right now, the only semi-convenient way to capture the server's certs is to use ssltap.
I ran into a problem with my patch trying to import the cert in vfyserv. I extracted the server cert from the socket using SSL_PeerCertificate (the rest of the cert chain will be next). Then, I used PK11_ImportCert to import the cert permanently. This worked, but unfortunately, at NSS_Shutdown time, I get an assertion about the secmod_privateModuleCount. I.e., we have a slot leak. This leak seems to only happen if the cert was first a temp cert, and then gets imported to the DB. I will try to save the DER of the cert, and import it after the SSL socket has been closed and the temp cert destroyed, to see if the problem goes away. But either way, there is a bug in our cert code. I spent some time debugging yesterday, and it appears to be Stan-related.
Assignee: nobody → julien.pierre.bugs
Severity: normal → enhancement
Priority: -- → P2
Version: unspecified → 3.11.1
It looks like there is a pre-existing leak of a CERTCertificate in vfyserv. But the cert was a temp cert before my patch added PK11_ImportCert, and its slot was NULL. So, the leak of the cert did not result in a leak of a slot reference. I am looking into this leak now.
The "leak" was actually a reference held in the SSL client session cache. Clearing that cache prior to shutdown is expected to solve the problem.
Created attachment 233314: Call SSL_ClearSessionCache

Indeed, adding a call to SSL_ClearSessionCache caused the cert to be freed, and thus its slot reference as well. This patch is still not for review, however.
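The two observations above (a temp cert leaked by the session cache costs no slot reference, while the same cert once imported into the DB pins a slot reference until the cache is cleared) can be reproduced with a small reference-counting model. This is an added illustration, not NSS source or the bug's patch: the Slot, Cert, session cache and shutdown check are simplified stand-ins for the real PK11/CERT/SSL objects, and the certificate subject is a constructed sample value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model (not NSS code) of how a certificate imported permanently
 * pins a PKCS#11 slot reference, and how a cache that still holds that cert
 * at shutdown leaks the slot reference. */

/* Analogue of secmod_privateModuleCount: slot references still outstanding. */
static int live_slot_refs = 0;

typedef struct {
    const char *name;
} Slot;

typedef struct {
    int refs;          /* CERTCertificate-style reference count */
    Slot *slot;        /* NULL for a temp cert; set once imported to the DB */
    char subject[64];
} Cert;

/* Acquire / release a slot reference (stand-ins for PK11_ReferenceSlot / PK11_FreeSlot). */
static Slot *slot_ref(Slot *s) { live_slot_refs++; return s; }
static void slot_unref(Slot *s) { (void)s; live_slot_refs--; }

/* A temp cert as produced during a handshake: one reference, no slot. */
static Cert *cert_new_temp(const char *subject) {
    Cert *c = calloc(1, sizeof *c);
    c->refs = 1;
    c->slot = NULL;
    strncpy(c->subject, subject, sizeof c->subject - 1);
    return c;
}

static Cert *cert_dup(Cert *c) { c->refs++; return c; }

/* Dropping the last cert reference also drops the slot reference, if any. */
static void cert_destroy(Cert *c) {
    if (--c->refs == 0) {
        if (c->slot) slot_unref(c->slot);
        free(c);
    }
}

/* Stand-in for PK11_ImportCert making a temp cert permanent: it now pins a slot. */
static void cert_import_permanent(Cert *c, Slot *db_slot) {
    if (!c->slot) c->slot = slot_ref(db_slot);
}

/* One-entry stand-in for the SSL client session cache, which holds its own ref. */
static Cert *session_cache_entry = NULL;

static void session_cache_put(Cert *c) {
    if (session_cache_entry) cert_destroy(session_cache_entry);
    session_cache_entry = cert_dup(c);
}

/* Stand-in for SSL_ClearSessionCache. */
static void session_cache_clear(void) {
    if (session_cache_entry) {
        cert_destroy(session_cache_entry);
        session_cache_entry = NULL;
    }
}

/* Stand-in for the condition NSS_Shutdown asserts on: the number of slot
 * references still outstanding (0 means a clean shutdown). */
static int nss_shutdown_check(void) { return live_slot_refs; }

/* Runs the scenario from the bug and returns how many slot refs leaked.
 * import_permanent: whether the peer cert is imported into the cert DB.
 * clear_cache: whether the session cache is cleared before shutdown. */
int run_scenario(int import_permanent, int clear_cache) {
    Slot db_slot = { "internal key slot (constructed)" };
    live_slot_refs = 0;
    session_cache_entry = NULL;

    /* Handshake: the peer cert arrives as a temp cert; the application holds
     * one reference (as from SSL_PeerCertificate) and the cache takes another. */
    Cert *peer = cert_new_temp("CN=example server (constructed)");
    session_cache_put(peer);

    if (import_permanent) cert_import_permanent(peer, &db_slot);
    cert_destroy(peer);                 /* application drops its reference */

    if (clear_cache) session_cache_clear();
    int leaked = nss_shutdown_check();
    session_cache_clear();              /* tidy up so runs stay independent */
    return leaked;
}

int main(void) {
    printf("temp cert, cache not cleared:     %d slot refs leaked\n", run_scenario(0, 0));
    printf("imported cert, cache not cleared: %d slot refs leaked\n", run_scenario(1, 0));
    printf("imported cert, cache cleared:     %d slot refs leaked\n", run_scenario(1, 1));
    return 0;
}
```

The middle case is the assertion from the bug: the cache's reference keeps the now-permanent cert alive across shutdown, and with it the slot. The first case shows why the pre-existing cert leak went unnoticed, since a temp cert holds no slot.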
Attachment #224956 - Attachment is obsolete: true
Alexei, I think this bug overlaps (and may duplicate) a bug on which you've recently worked. If this bug duplicates one you're working on, please mark this bug as a duplicate of yours. Please see if Julien's patch (attachment 233314) is needed and add it to your bug/patch if necessary.
Assignee: bugzilla → alexei.volkov.bugs
Unsetting target milestone in unresolved bugs whose targets have passed.
Target Milestone: 3.12 → ---