User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
Build Identifier: trunk

As reported in bug #483168 comment #43, the current Firefox HEAD + NSS HEAD shows a sec_error_invalid_args error when attempting to navigate to various https sites.

Affected sites include:
https://www.verisign.com
https://secure.comodo.com
https://www.globalsign.com

Unaffected sites include:
https://www.entrust.net
https://www.startssl.com

This problem did not occur 1 month ago when I reported bug #479508 comment #2.

Reproducible: Always
The crucial detail for this bug is that it only occurs when NSS_ENABLE_PKIX_VERIFY=1 is set. So, this bug will be "major" when that condition becomes the default, but not until then.
The problem was introduced in the patch for bug 444404. It happens when the pkix_VerifyNode_SetError function sets the "unknown issuer" error into verifyNode - the variable that is supposed to point to the validation error log.

pkix_VerifyNode_SetError(verifyNode, verifyError, plContext),

Only in this case it is incorrect to use verifyNode. state->verifyNode should have been used instead of it. pkix_VerifyNode_SetError returns an "invalid argument" error since verifyNode is NULL in the context.

(state->verifyNode, verifyError, plContext),
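A reduced C model of the pointer mix-up described in the comment above, added here as an illustration; it is not NSS or libpkix source, and every type, function and error name in it is hypothetical. It shows how a failure in the error-logging call surfaces as "invalid args" while the validation log stays empty.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model, not NSS/libpkix source: all names are hypothetical. */
enum model_err { ERR_NONE = 0, ERR_INVALID_ARGS, ERR_UNKNOWN_ISSUER };

struct model_node  { enum model_err logged; };          /* validation error log entry */
struct model_state { struct model_node *verifyNode; };  /* state that owns the log    */

/* Stand-in for the setter: a NULL log pointer is rejected as an invalid argument. */
static enum model_err model_node_set_error(struct model_node *node, enum model_err e)
{
    if (node == NULL)
        return ERR_INVALID_ARGS;
    node->logged = e;
    return ERR_NONE;
}

/* Before: records through a local pointer that is NULL in this context, so the
 * caller sees the setter's own failure and nothing reaches the log. */
static enum model_err record_unknown_issuer_before(struct model_state *state)
{
    struct model_node *verifyNode = NULL;   /* never assigned on this path */
    (void)state;                            /* the state's log is ignored  */
    return model_node_set_error(verifyNode, ERR_UNKNOWN_ISSUER);
}

/* After: records through the log pointer held in the state. */
static enum model_err record_unknown_issuer_after(struct model_state *state)
{
    return model_node_set_error(state->verifyNode, ERR_UNKNOWN_ISSUER);
}

int main(void)
{
    struct model_node log = { ERR_NONE };
    struct model_state state = { &log };

    enum model_err rv = record_unknown_issuer_before(&state);
    printf("before: rv=%d logged=%d\n", (int)rv, (int)log.logged);

    rv = record_unknown_issuer_after(&state);
    printf("after:  rv=%d logged=%d\n", (int)rv, (int)log.logged);
    return 0;
}
```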
Created attachment 368936
Patch v1 - use correct pointer to pkix error log structure
Comment on attachment 368936
Patch v1 - use correct pointer to pkix error log structure

r=nelson
> (From update of attachment 368936)

committed.