Open
Bug 434043
Opened 16 years ago
Updated 2 years ago
problem with islogin delay check in the pkcs 11 wrapper layer
Categories
(NSS :: Libraries, defect, P2)
Tracking
(Not tracked)
NEW
People
(Reporter: rcritten, Assigned: rrelyea)
Attachments
(1 file, 4.51 KB, text/plain)
If you initialize NSS, set FIPS mode, authenticate to the token and do an NSS_Shutdown() the token either isn't logged out or the login delay timer isn't reset. I'm not sure which. This can be seen if you loop over init/fips/auth/access cert/shutdown. It will work the first time and fail all subsequent times when accessing the certificate. This works fine when not in FIPS mode.
Reporter
Comment 1•16 years ago
This program just loops over initializing and shutting down NSS, trying to find a certificate in between. It works fine when the -f flag is not included but fails when it is. A sample run is:

    $ fips -d alias -n Server-Cert -c password -f
    Initializing NSS round 0 in alias
    Enabling FIPS mode
    Shutdown successful.
    Initializing NSS round 1 in alias
    Enabling FIPS mode
    Error in function PK11_FindKeyByAnyCert: -12285

    $ fips -d alias -n Server-Cert -c password
    Initializing NSS round 0 in alias
    Shutdown successful.
    Initializing NSS round 1 in alias
    Shutdown successful.
    Initializing NSS round 2 in alias
    Shutdown successful.
    Initializing NSS round 3 in alias
    Shutdown successful.
    Initializing NSS round 4 in alias
    Shutdown successful.
Assignee
Updated•16 years ago
Assignee: nobody → rrelyea
Updated•16 years ago
Attachment #321259 - Attachment mime type: text/x-csrc → text/plain
Comment 2•16 years ago
The behavior of the FIPS mode login rate limiting code is that FC_Login does PR_Sleep(loginWaitTime) before failing with an incorrect password. When the password is correct, it doesn't call PR_Sleep. So this bug should have nothing to do with the FIPS mode login rate limiting code.
Updated•16 years ago
Whiteboard: FIPS
Assignee
Comment 3•15 years ago
This is not a FIPS token bug. The problem isn't with the Sleep in FIPS mode, but the fact that login is required for the operation in FIPS mode. The problem is in the islogin delay check in the pkcs 11 wrapper layer.
Whiteboard: FIPS
Comment 4•15 years ago
I wanted to know if the logged problem is the same as that discussed in the thread below: http://www.nabble.com/SSL-Certificate-not-found-while-starting-apache-with-mod_nss-td21330548.html

We are trying to configure mod_nss with a Sun Cryptographic Accelerator on a Solaris machine (the NSS version we tried to use was 3.12.3), and what I see in the Apache error log is similar to what was seen in the discussion above. Besides this, it seems that this bug is crashing our accelerator card (I have logged this issue with the Sun support team, as this shouldn't have caused the card to crash in the first place).

But I'd like to know if this bug (raised for 3.11.7) is valid for 3.12.3 as well. Is there any workaround here for this issue? This problem seems to happen irrespective of whether I use "Sun Metaslot" or the softtoken...
Updated•15 years ago
Priority: -- → P2
Summary: FIPS token does not reset login timer on shutdown → problem with islogin delay check in the pkcs 11 wrapper layer
Updated•2 years ago
Severity: normal → S3