Closed Bug 382078 Opened 18 years ago Closed 17 years ago

pkix default http client returns error when trying to get an ocsp response.

Categories

(NSS :: Libraries, defect, P1)

3.12
defect

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: alvolkov.bgs, Assigned: alvolkov.bgs)

Details

(Whiteboard: PKIX)

Attachments

(2 files)

NSS (in ocsp.c:fetchOcspHttpClientV1) calls the registered http client to get an OCSP server response. The LibPKIX default http client started registering itself with NSS after the final libpkix integration patch landed on the trunk. The reason for the OCSP failure, reported as "The OCSP server experienced an internal error.", was a disagreement in the allowed http client interface function parameter values. The LibPKIX http client requires the caller to pass a non-NULL pointer as pPollDesc (PRPollDesc **), which is intended to be used to return a blocked io descriptor. The OCSP code in NSS, on the other hand, expects that the registered http client will handle blocked io by itself when the interface function is called with pPollDesc == NULL.
Whiteboard: PKIX
Priority: -- → P1
temporary patch to make nss tinderbox green again.
Attachment #266154 - Flags: review?(nelson)
Comment on attachment 266154: switch off pkix default http client registration

I approve this patch as a temporary workaround until we can fix the larger underlying problem described in this bug. r=nelson
Attachment #266154 - Flags: review?(nelson) → review+
attachment 266154 integrated on the trunk:
/cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c,v <-- pkix_pl_lifecycle.c new revision: 1.3; previous revision: 1.2
Alexei, was this disagreement about the API present on the PKIX branch?
pkix_pl_HttpDefaultClient_TrySendAndReceive requires the pPollDesc parameter value to be non-NULL for blocking and non-blocking io. This is too strict. Function fetchOcspHttpClientV1 from ocsp.c creates a socket with a non-zero timeout, expecting the socket to block on io, and therefore making a non-NULL poll descriptor an unnecessary requirement. The patch fixes the problem. All ocsp interoperability tests pass with this fix.
Attachment #267231 - Flags: review?(nelson)
Comment on attachment 267231: fix parameter value disagreement

>+ if (!pPollDesc && client->timeout == 0) { >+ PKIX_ERROR_FATAL(PKIX_NULLARGUMENT); >+ }

Alexei, Is client->timeout == 0 being used to mean "is a non-blocking socket" ?? (oy!) Is there any other code in libpkix that uses that test for that purpose?
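Review bot: the `client->timeout == 0` half of the new condition stands in for "this socket is non-blocking", and nothing in the hunk says so. A short comment above the `if`, or a named predicate for the blocking mode, would document that a NULL `pPollDesc` is accepted only when the call can block, and would keep this argument check from drifting if the rule for choosing a non-blocking socket ever changes.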
Yes, pkix creates a non-blocking socket if the timeout specified by the user is equal to 0. See pkix_pl_socket.c:pkix_pl_Socket_CreateClient.
Comment on attachment 267231: fix parameter value disagreement

I'm giving this r+. If we need to revisit that particular aspect of this API, we can do that later.
Attachment #267231 - Flags: review?(nelson) → review+
/cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_httpdefaultclient.c,v <-- pkix_pl_httpdefaultclient.c new revision: 1.3; previous revision: 1.2 /cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/system/pkix_pl_lifecycle.c,v <-- pkix_pl_lifecycle.c new revision: 1.4; previous revision: 1.3
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
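
A simplified model of the parameter contract discussed in this bug, added here as an illustration; it is not NSS or libpkix source and not part of the attached patches. The types, return codes and function names are hypothetical; only `pPollDesc` and the `timeout == 0` test come from the thread.

```c
/* Added illustration: a simplified model, not NSS or libpkix code.
 * Every name below is hypothetical. */
#include <stddef.h>

typedef struct { int fd; } poll_desc;            /* stand-in for PRPollDesc */
typedef struct { unsigned timeout; poll_desc io; } http_client;

enum { SEND_OK = 0, SEND_WOULD_BLOCK = 1, SEND_NULL_ARGUMENT = -1 };

/* Contract before the fix: pPollDesc must always be non-NULL. */
int strict_args_ok(const http_client *c, poll_desc **pPollDesc) {
    (void)c;
    return pPollDesc != NULL;
}

/* Contract after the fix: NULL is rejected only when timeout == 0,
 * which the thread says is how a non-blocking socket is identified. */
int relaxed_args_ok(const http_client *c, poll_desc **pPollDesc) {
    return !(pPollDesc == NULL && c->timeout == 0);
}

typedef int (*arg_check)(const http_client *, poll_desc **);

/* Model of one send/receive call under a given argument check. */
int try_send_and_receive(http_client *c, poll_desc **pPollDesc, arg_check ok) {
    if (!ok(c, pPollDesc))
        return SEND_NULL_ARGUMENT;
    if (c->timeout == 0) {
        /* Non-blocking: both checks guarantee pPollDesc is non-NULL here. */
        *pPollDesc = &c->io;   /* hand the pending descriptor to the caller */
        return SEND_WOULD_BLOCK;
    }
    if (pPollDesc != NULL)
        *pPollDesc = NULL;     /* blocking: I/O finished inside the call */
    return SEND_OK;
}

/* The OCSP-style caller from the thread: non-zero timeout, NULL pPollDesc. */
int ocsp_style_call(arg_check ok) {
    http_client c = { 30, { 3 } };   /* constructed sample values */
    return try_send_and_receive(&c, NULL, ok);
}
```

Under the strict check the OCSP-style call fails on argument validation before any I/O; under the relaxed check it completes, while a non-blocking client called with a NULL `pPollDesc` is still rejected.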