Closed Bug 458251 Opened 16 years ago Closed 3 years ago

SSLServerSocket should ensure that the session cache is configured

Categories

(JSS Graveyard :: Library, defect, P2)

4.2.5
x86
Windows XP
defect

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: dean_roberts, Unassigned)

Details

Attachments

(1 file)

User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.04506.30; .NET CLR 3.0.04506.648)
Build Identifier:

When a JSS SSLServerSocket has requireClientAuth or requestClientAuth turned on but the client does not provide a certificate (this is allowable and not necessarily uncommon in SSL), the VM will core. I have tested this against Sun's JDK 1.5.0_11 and our own VM implementation. The problem appears to be an issue in a JSS native.

    Thread: main (priority 5)
    (LOCATION OF ERROR) NATIVE org/mozilla/jss/ssl/SSLSocket.socketRead([BIII)I
    0000003c org/mozilla/jss/ssl/SSLSocket.read([BII)I
    00000007 org/mozilla/jss/ssl/SSLInputStream.read([BII)I
    00000005 org/mozilla/jss/ssl/SSLInputStream.read([B)I
    000000d8 jss/SimpleJSSServer.run()V
    00000009 jss/SimpleJSSServer.main([Ljava/lang/String;)V

Reproducible: Always

Steps to Reproduce:
1. Run the test server and client provided. Appropriate keystores are also provided. The keystore and key passwords are change!tn0w

Expected Results:
SSLServerSocket should likely throw an SSLException with reason no_certificate.

It would appear that any client can actually bring down any server that has client authentication enabled by simply not sending a client certificate.
Just a simplification to the reproduce steps. I have not included a test client or test client keystore, as you can just use a browser as the client.

Run the server with the attached NSS keystore. Use a browser to initiate an HTTPS connection to the test server: https://127.0.0.1

The browser will tell you that the server certificate is unknown ... so accept it. The browser will also likely tell you that the server is claiming to be Dean Roberts and not 127.0.0.1. Likewise accept that. The browser will receive the server's Certificate request message and will provide no client certificate, since it has none. The VM running the server will core.
Version: unspecified → 4.2.5
The crash was due to the fact the SSL server session ID cache was never configured. JSS should ensure the session ID cache is configured, so I am changing the summary to work on the bug.

Dean, thanks for the test program. Before creating any JSS SSL server socket you must configure the server session ID cache by calling the method SSLServerSocket.configServerSessionIDCache:
http://www.mozilla.org/projects/security/pki/jss/javadoc/org/mozilla/jss/ssl/SSLServerSocket.html#configServerSessionIDCache(int,%20int,%20int,%20java.lang.String)

see also: http://www.mozilla.org/projects/security/pki/nss/ref/ssl/sslfnc.html#1143851

    // We have to configure the server session ID cache before
    // creating any server sockets.
    SSLServerSocket.configServerSessionIDCache(100, 100, 100, null);
    SSLServerSocket listenSocket = new SSLServerSocket(443);

Also, after your accept you may want to force the handshake for debugging:

    SSLSocket socket = (SSLSocket) listenSocket.accept();
    try {
        socket.forceHandshake();
    } catch (SocketException socketException) {
        System.out.println("forceHandshake " + socketException.getMessage());
    }

http://mxr.mozilla.org/security/source/security/jss/org/mozilla/jss/tests
Status: UNCONFIRMED → ASSIGNED
Ever confirmed: true
Summary: SSLServerSocket with client authentication enabled crashes VM if no certificate sent from client → SSLServerSocket should ensure that the session cache is configured
Severity: critical → normal
Priority: -- → P2
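The comment above gives the ordering that avoids the crash (configure the session ID cache, then create the server socket, then force the handshake after accept). The following is an added example that is not code from this bug or from the JSS project; it puts those pieces together into a complete client-authenticating server that treats a client with no certificate as a failed handshake on that one connection rather than a process crash. The NSS database directory (./nssdb), the server certificate nickname ("Server-Cert"), the port (4443) and taking the database password from the first command-line argument are all assumptions made for this example.

```java
import java.io.IOException;
import java.net.SocketException;

import org.mozilla.jss.CryptoManager;
import org.mozilla.jss.crypto.X509Certificate;
import org.mozilla.jss.ssl.SSLServerSocket;
import org.mozilla.jss.ssl.SSLSocket;
import org.mozilla.jss.util.Password;

/**
 * Added example, not code from bug 458251 or from JSS itself.
 *
 * Assumptions (not taken from the bug): the NSS database lives in ./nssdb,
 * the server certificate nickname is "Server-Cert", the server listens on
 * port 4443, and the database password is args[0].
 */
public class ClientAuthServer {

    public static void main(String[] args) throws Exception {
        String dbDir = "./nssdb";          // assumption
        String nickname = "Server-Cert";   // assumption
        int port = 4443;                   // assumption

        CryptoManager.initialize(dbDir);
        CryptoManager cm = CryptoManager.getInstance();
        cm.setPasswordCallback(new Password(args[0].toCharArray()));

        // The point of this bug: the server session ID cache must be
        // configured BEFORE the first SSLServerSocket is created. Without
        // this call the native layer crashed when a client answered the
        // CertificateRequest with an empty certificate list.
        //   100 cache entries, SSL2 timeout 100 s, SSL3 timeout 100 s,
        //   null = NSS default cache directory
        SSLServerSocket.configServerSessionIDCache(100, 100, 100, null);

        SSLServerSocket listen = new SSLServerSocket(port);
        listen.setServerCertNickname(nickname);
        // Send a CertificateRequest and fail the handshake if the client
        // does not present an acceptable certificate.
        listen.requireClientAuth(true);

        while (true) {
            SSLSocket client = (SSLSocket) listen.accept();
            handle(client);
        }
    }

    /** Handles one accepted connection; a bad or missing client cert only
     *  affects this connection, not the server process. */
    static void handle(SSLSocket client) {
        try {
            // Force the handshake now so a missing or rejected client cert
            // surfaces here as a SocketException instead of on the first read.
            client.forceHandshake();

            X509Certificate peer = client.getStatus().getPeerCertificate();
            if (peer == null) {
                // Defensive: should not happen with requireClientAuth(true).
                System.err.println("handshake completed without a client cert; closing");
                return;
            }
            System.out.println("client authenticated as " + peer.getSubjectDN());

            byte[] buf = new byte[1024];
            int n = client.getInputStream().read(buf);
            System.out.println("read " + n + " bytes from authenticated client");
        } catch (SocketException e) {
            // This is where "no client certificate" lands with the cache
            // configured: an exception for this connection, not a core dump.
            System.err.println("handshake failed: " + e.getMessage());
        } catch (IOException e) {
            System.err.println("I/O error: " + e.getMessage());
        } finally {
            try {
                client.close();
            } catch (IOException ignored) {
                // nothing useful to do on close failure
            }
        }
    }
}
```

Run it as `java ClientAuthServer <nss-db-password>` against an NSS database that contains a certificate with the assumed nickname, then connect with a browser that has no client certificate, as in the reporter's second comment: the expected outcome is a "handshake failed" line on the server's stderr and a refused connection on the client, with the server still accepting further connections.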
Glen, can you put a real stack trace into this bug? Can you identify the line of code that crashed?
Assignee: gbmozilla → nobody
JSS development has moved from the Mozilla community to the Dogtag PKI community. Please re-file this bug at https://github.com/dogtagpki/jss if it is still relevant. Thank you!
Status: ASSIGNED → RESOLVED
Closed: 3 years ago
Resolution: --- → WONTFIX