This was revealed, after bug 479393 landed, by a chrome mochitest for bug 413909 which uses a self-signed certificate. The problem is that the call to PKIX_BuildChain fails when called from cert_VerifyCertChainPkix during server certificate verification. This leads to error code PKIX_NULLARGUMENT and an empty log. The fix for bug 444404 doesn't help.

So far I have discovered this:
- the certsFound list in pkix_Build_GatherCerts is empty after the 'while (state->certStoreIndex < state->buildConstants.numCertStores)' cycle
- then in pkix_BuildForwardDepthFirstSearch state->status goes to BUILD_TRYAIA and then to BUILD_AIAPENDING
- the BUILD_AIAPENDING branch is not executed because 'state->buildConstants.aiaMgr' is null
- the cycle ends and the result is pkixErrorCode = PKIX_SECERRORUNKNOWNISSUER
- in cert_VerifyCertChainPkix we then get an error with errCode = PKIX_NULLARGUMENT
- the log is empty and the nsNSSIOLayer code decides there is nothing wrong with the certificate
- we get:

###!!! ASSERTION: why did NSS call our bad cert handler if all looks good? Let's cancel the connection: 'Not Reached', file d:/mozilla/mozilla-central/security/manager/ssl/src/nsNSSIOLayer.cpp, line 2997

The server certificate for the test is outlined in bug 479393 comment 9.
Honza, can you supply steps to reproduce that don't involve "mochitest" ?
Honza, did the fix for Bug 484466: sec_error_invalid_args with NSS_ENABLE_PKIX_VERIFY=1 have any impact on this issue?
Target Milestone: --- → 3.12.3
(In reply to comment #1)
> Honza, can you supply steps to reproduce that don't involve "mochitest" ?

It probably means finding a server with a self-signed certificate or building the ssltunnel program and chaining it with an http server.

(In reply to comment #2)
> Honza, did the fix for Bug 484466:
> sec_error_invalid_args with NSS_ENABLE_PKIX_VERIFY=1
> have any impact on this issue?

The patch could not be applied to mozilla-central's nss copy; it's probably for the nss cvs trunk, and I cannot find a place to apply it manually. So, to check it I have to do it with the nss trunk and find some other way than mochitest.

Guys, how are you testing nss? Is there some test suite or infrastructure for it where a test for a bug like this could be added? I actually need a server and a program based on nss to test this.
According to bug 479393 comment 20 this looks like a no longer reproducible bug.
(In reply to comment #4)
> According to bug 479393 comment 20 this looks like no more reproducible bug.

Thanks for checking!

(In reply to comment #3)
> Guys, how are you testing nss? Is there some test suit or infrastructure for it
> where a test for bug like this could be added? I actually need server and a
> program based on nss to test this.

We test nss in a variety of ways, but the part that had the problem related to this bug is mostly tested by vfychain. The suite is called "chains". Please check the examples at nss/tests/chains/scenarios/bridge.cfg. This is a scenario file for a test run by the chains.sh script.

If you need to run an ssl+validation test, you may use a combination of the selfserv and tstclnt programs. Examples of tests can be found in the nss/tests/ssl/ssl.sh script.
no longer a reproducible bug. Closing...
Status: NEW → RESOLVED
Last Resolved: 9 years ago
Resolution: --- → WORKSFORME