
pkix default http client returns an error when trying to get an OCSP response.

RESOLVED FIXED in 3.12

Status

NSS
Libraries
P1
normal
RESOLVED FIXED
10 years ago
10 years ago

People

(Reporter: Alexei Volkov, Assigned: Alexei Volkov)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: PKIX)

Attachments

(2 attachments)

(Assignee)

Description

10 years ago
nss (in ocsp.c:fetchOcspHttpClientV1) calls the registered http client to get an OCSP server response. The libpkix default http client started registering itself with NSS after the final libpkix integration patch landed on the trunk.

The reason for the OCSP failure, reported as
           "The OCSP server experienced an internal error."
was a disagreement about the allowed http client interface function parameter values.

The libpkix http client requires the caller to pass a non-NULL pointer as pPollDesc (PRPollDesc **), which is intended to be used to return a blocked io descriptor. The OCSP code in NSS, on the other hand, expects that the registered http client will handle blocked io by itself in case the interface function is called with pPollDesc == NULL.
(Assignee)

Updated

10 years ago
Whiteboard: PKIX
(Assignee)

Updated

10 years ago
Priority: -- → P1
(Assignee)

Comment 1

10 years ago
Created attachment 266154 [details] [diff] [review]
switch off pkix default http client registration

temporary patch to make nss tinderbox green again.
Attachment #266154 - Flags: review?(nelson)
Comment on attachment 266154 [details] [diff] [review]
switch off pkix default http client registration

I approve this patch as a temporary workaround until we can fix the larger underlying problem described in this bug.
r=nelson
Attachment #266154 - Flags: review?(nelson) → review+
(Assignee)

Comment 3

10 years ago
attachment 266154 integrated on the trunk:
/cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c,v  <--  pkix_pl_lifecycle.c
new revision: 1.3; previous revision: 1.2
Alexei, was this disagreement about the API present on the PKIX branch?
(Assignee)

Comment 5

10 years ago
Created attachment 267231 [details] [diff] [review]
fix parameter value disagreement

pkix_pl_HttpDefaultClient_TrySendAndReceive requires the pPollDesc parameter value to be non-NULL for both blocking and non-blocking io. This is too strict. Function fetchOcspHttpClientV1 from ocsp.c creates a socket with a non-zero timeout, expecting the socket to block on io, and therefore making a non-NULL poll descriptor an unnecessary requirement.
Patch fixes the problem. All ocsp interoperability tests pass with this fix.
Attachment #267231 - Flags: review?(nelson)
Comment on attachment 267231 [details] [diff] [review]
fix parameter value disagreement

>+        if (!pPollDesc && client->timeout == 0) {
>+            PKIX_ERROR_FATAL(PKIX_NULLARGUMENT);
>+        }
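Review bot: the guard `if (!pPollDesc && client->timeout == 0)` expresses "this socket is non-blocking" only indirectly through `client->timeout == 0`, and nothing in the hunk says so; add a comment at that line stating that a zero timeout means the socket was created non-blocking and that a NULL pPollDesc is accepted only for blocking sockets, or factor the test into a named predicate so a reader does not need to know the socket-creation rule. Note also that the guard now silently accepts a NULL pPollDesc whenever the timeout is non-zero; that is only correct while the client really creates a blocking socket in that case, so this check and the socket-creation code must be kept in agreement.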

Alexei,
Is client->timeout == 0 being used to mean "is a non-blocking socket" ?? (oy!)
Is there any other code in libpkix that uses that test for that purpose?
(Assignee)

Comment 7

10 years ago
Yes, pkix creates a non-blocking socket if the timeout specified by the user is equal to 0. See pkix_pl_socket.c:pkix_pl_Socket_CreateClient.
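The contract described in the description, comment 5 and comment 7 (a NULL pPollDesc is fine for a blocking socket, which libpkix identifies by a non-zero timeout, but must be rejected for a non-blocking one) is small enough to model in a few lines. The following is an added illustration, not code from NSS or from the attached patches: the types HttpClient, PollDesc, IoStatus, the functions try_send_and_receive and ocsp_fetch, and the `strict` flag that stands in for the pre-fix behaviour are all hypothetical stand-ins for the real NSS/NSPR declarations, and no network io is performed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-ins for the NSPR/NSS types; not the real declarations. */
typedef struct PollDesc { int fd; } PollDesc;

typedef enum {
    IO_OK = 0,             /* response received, nothing left to poll */
    IO_WOULD_BLOCK = 1,    /* non-blocking socket: caller must poll and call again */
    IO_NULL_ARGUMENT = 2   /* models the PKIX_NULLARGUMENT fatal error */
} IoStatus;

typedef struct HttpClient {
    unsigned timeout;   /* seconds; 0 means the socket was created non-blocking */
    PollDesc sock;      /* the client's own descriptor (simulated) */
    bool strict;        /* true models the pre-fix check: pPollDesc must never be NULL */
} HttpClient;

/* libpkix convention (comment 7): timeout == 0 means non-blocking socket. */
static bool client_is_nonblocking(const HttpClient *c)
{
    return c->timeout == 0;
}

/* Simulated TrySendAndReceive.  With strict == false it follows the post-fix
 * contract: a NULL pPollDesc is accepted only when the socket blocks, because
 * the client then waits for io itself and has no descriptor to hand back. */
IoStatus try_send_and_receive(HttpClient *client, PollDesc **pPollDesc)
{
    if (client->strict && pPollDesc == NULL)
        return IO_NULL_ARGUMENT;        /* pre-fix: rejects the OCSP caller outright */

    if (pPollDesc == NULL && client_is_nonblocking(client))
        return IO_NULL_ARGUMENT;        /* post-fix guard: nowhere to return the descriptor */

    if (client_is_nonblocking(client)) {
        *pPollDesc = &client->sock;     /* simulated EWOULDBLOCK: caller polls this */
        return IO_WOULD_BLOCK;
    }

    if (pPollDesc != NULL)
        *pPollDesc = NULL;              /* blocking socket: nothing for the caller to poll */
    return IO_OK;                       /* the client waited (up to timeout) itself */
}

/* Models what fetchOcspHttpClientV1 does: non-zero timeout, pPollDesc == NULL. */
IoStatus ocsp_fetch(bool strict_client)
{
    HttpClient c = { .timeout = 30, .sock = { 7 }, .strict = strict_client };
    return try_send_and_receive(&c, NULL);
}

/* Non-blocking client with a real pPollDesc: returns 1 if the client handed
 * its own descriptor back together with IO_WOULD_BLOCK, 0 otherwise. */
int nonblocking_roundtrip(void)
{
    HttpClient c = { .timeout = 0, .sock = { 3 }, .strict = false };
    PollDesc *pd = NULL;
    IoStatus st = try_send_and_receive(&c, &pd);
    return st == IO_WOULD_BLOCK && pd == &c.sock;
}

/* Non-blocking client that wrongly passes NULL: the post-fix guard must fire. */
IoStatus nonblocking_without_pdesc(void)
{
    HttpClient c = { .timeout = 0, .sock = { 3 }, .strict = false };
    return try_send_and_receive(&c, NULL);
}

int main(void)
{
    printf("OCSP fetch, pre-fix client : %d\n", ocsp_fetch(true));
    printf("OCSP fetch, post-fix client: %d\n", ocsp_fetch(false));
    printf("non-blocking with pdesc ok : %d\n", nonblocking_roundtrip());
    printf("non-blocking without pdesc : %d\n", nonblocking_without_pdesc());
    return 0;
}
```

The first two calls are the bug: the same OCSP caller (blocking socket, NULL pPollDesc) is rejected with the NULL-argument error by the strict client and served by the relaxed one, which is exactly what turned the libpkix registration into "The OCSP server experienced an internal error." The last two calls show that the relaxed guard still protects the non-blocking case, where a NULL pPollDesc really would leave the caller with nothing to poll.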
Comment on attachment 267231 [details] [diff] [review]
fix parameter value disagreement

I'm giving this r+.
If we need to revisit that particular aspect of this API, we can do that later.
Attachment #267231 - Flags: review?(nelson) → review+
(Assignee)

Comment 9

10 years ago
/cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c,v  <--  pkix_pl_httpdefaultclient.c
new revision: 1.3; previous revision: 1.2
/cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c,v  <--  pkix_pl_lifecycle.c
new revision: 1.4; previous revision: 1.3
Status: NEW → RESOLVED
Last Resolved: 10 years ago
Resolution: --- → FIXED