vfyserv should be able to capture certs to database; and do OCSP

NEW
Assigned to

Status

P2
enhancement
12 years ago
10 years ago

People

(Reporter: julien.pierre, Assigned: alvolkov.bgs)

Details

Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

12 years ago
vfyserv is a program used to verify a server's chain.
Sometimes, it can be useful to save the server certs to a database for further examination, with certutil for example.
This option could also be useful in the field in a private network environment if we need to obtain a cert chain.
So, I propose to add a new option to vfyserv to save the certs to the cert DB.

I also propose to add an option to enable vfyserv to run OCSP checks.
Or, if not to the cert DB, at least spit them out to files, like ssltap does.
Right now, the only semi-convenient way to capture the server's certs is to
use ssltap.
(Reporter)

Comment 2

12 years ago
I ran into a problem with my patch trying to import the cert in vfyserv. I extracted the server cert from the socket using SSL_PeerCertificate (the rest of the cert chain will be next).
Then, I used PK11_ImportCert to import the cert permanently. This worked, but unfortunately, at NSS_Shutdown time, I get an assertion about the secmod_privateModuleCount. I.e., we have a slot leak.

This leak seems to only happen if the cert was first a temp cert, and then gets imported to the DB. I will try to save the DER of the cert, and import it after the SSL socket has been closed and the temp cert destroyed, to see if the problem goes away. But either way, there is a bug in our cert code. I spent some time debugging yesterday, and it appears to be Stan-related.
(Reporter)

Updated

12 years ago
Assignee: nobody → julien.pierre.bugs
Severity: normal → enhancement
Priority: -- → P2
Version: unspecified → 3.11.1
(Reporter)

Comment 3

12 years ago
Created attachment 224956
work in progress

Not for review yet.
Adds -O option for OCSP and -S option to save certs.
Run this with a secmod database that has the roots added, on a debug build, and NSS_STRICT_SHUTDOWN set to 1 (I have it in my .cshrc):

[jp96085@monstre]/export/home/nss/tip/mozilla/dist/SunOS5.10_i86pc_DBG.OBJ/bin 424 % ./vfyserv -d . -S us.etrade.com
Connecting to host us.etrade.com (addr 12.153.224.21) on port 443
Handshake Complete: SERVER CONFIGURED CORRECTLY
   bulk cipher RC4, 128 secret key bits, 128 key bits, status: 1
   subject DN:
 CN=us.etrade.com,OU=Terms of use at www.verisign.com/rpa (c)00,OU=Global Information Security,O=E-Trade Group Inc.,L=Alpharetta,ST=Georgia,C=US
   issuer  DN:
 OU=www.verisign.com/CPS Incorp.by Ref. LIABILITY LTD.(c)97 VeriSign,OU=VeriSign International Server CA - Class 3,OU="VeriSign, Inc.",O=VeriSign Trust Network
   0 cache hits; 0 cache misses, 0 cache not reusable
***** Connection 1 read 339 bytes total.
Assertion failure: secmod_PrivateModuleCount == 0, at pk11util.c:120
Abort (core dumped)

The cert gets properly added, but there is a reference leak. The reference leak goes away if I don't call PK11_ImportCert to import the cert to the DB.
(Reporter)

Comment 4

12 years ago
It looks like there is a pre-existing leak of a CERTCertificate in vfyserv.
But the cert was a temp cert before my patch added PK11_ImportCert, and its slot was NULL. So, the leak of the cert did not result in a leak of a slot reference. I am looking into this leak now.
The "leak" was actually a reference held in the SSL client session cache.
Clearing that cache prior to shutdown is expected to solve the problem.
(Reporter)

Comment 6

12 years ago
Created attachment 233314
Call SSL_ClearSessionCache

Indeed, adding a call to SSL_ClearSessionCache caused the cert to be freed, and thus its slot reference as well.
This patch is still not for review, however.
Attachment #224956 - Attachment is obsolete: true
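
The ownership chain described in comments 4 through 6, as an added example that is not part of the original thread and is not NSS code: a simplified C model showing why the reference held by the session cache only trips the shutdown check once the cert has been imported and holds a slot reference. Every name in it (Slot, Cert, run, last_cert_refs and the helpers) is hypothetical.

```c
/* Simplified reference-counting model, constructed for illustration.
   Not NSS source; all type and function names are hypothetical. */
#include <stdio.h>

typedef struct { int refs; } Slot;              /* stands in for a token slot */
typedef struct { int refs; Slot *slot; } Cert;  /* slot == NULL: temp cert */

static Cert *session_cache = NULL;  /* models the SSL client session cache */
int last_cert_refs = 0;             /* cert refs left after the last run() */

static void cert_release(Cert *c) {
    /* Dropping the last cert reference also drops its slot reference. */
    if (--c->refs == 0 && c->slot != NULL)
        c->slot->refs--;
}

/* Handshake: the session cache keeps its own reference to the peer cert. */
static void handshake(Cert *c) { c->refs++; session_cache = c; }

/* The caller asks for the peer cert and receives a new reference. */
static Cert *peer_certificate(void) { session_cache->refs++; return session_cache; }

/* Permanent import: the cert now points at a slot and holds a reference. */
static void import_cert(Cert *c, Slot *s) { c->slot = s; s->refs++; }

static void clear_session_cache(void) {
    if (session_cache) { cert_release(session_cache); session_cache = NULL; }
}

/* Returns the slot references outstanding at shutdown. The strict
   shutdown assertion in the thread corresponds to this being 0. */
int run(int do_import, int clear_cache) {
    Slot slot = { 0 };
    Cert cert = { 0, NULL };
    session_cache = NULL;
    handshake(&cert);
    Cert *peer = peer_certificate();
    if (do_import) import_cert(peer, &slot);
    cert_release(peer);                 /* caller frees its own reference */
    if (clear_cache) clear_session_cache();
    last_cert_refs = cert.refs;
    return slot.refs;
}

int main(void) {
    printf("temp cert, cache kept:     slot refs %d\n", run(0, 0));
    printf("imported cert, cache kept: slot refs %d\n", run(1, 0));
    printf("imported cert, cache cleared: slot refs %d\n", run(1, 1));
    return 0;
}
```
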
(Reporter)

Updated

12 years ago
Target Milestone: --- → 3.12
Alexei, I think this bug overlaps (and may duplicate) a bug on which you've
recently worked.  If this bug duplicates one you're working on, please mark
this bug as a duplicate of yours.
Please see if Julien's patch (attachment 233314) is needed and add it to your bug/patch if necessary.
Assignee: bugzilla → alexei.volkov.bugs
Unsetting target milestone in unresolved bugs whose targets have passed.
Target Milestone: 3.12 → ---