Closed Bug 494459 Opened 14 years ago Closed 14 years ago

more than one OCSP request to same CA will fail


(NSS :: Libraries, defect)

Not set


(Not tracked)



(Reporter: rcritten, Assigned: alvolkov.bgs)



(1 file)

Attached file sample program
All testing done on Red Hat Enterprise Linux 5.3, nss-

I'm seeing this problem in mod_nss, an SSL module for Apache that uses NSS.

If I enable OCSP, only the first certificate verified is successful (one verify occurs during startup: the server cert).

Subsequent requests fail with -8071 The OCSP server experienced an internal error

It looks like it is failing in the pkix libraries. It has some session caching code to save connections to remote servers. When the 2nd request comes in it finds a connection to the CA server and the state is HTTP_CONNECTED. Unfortunately the connection is gone so the first write returns PR_CONNECT_RESET_ERROR (-5961) causing the OCSP request to fail.

I wrote a small program to demonstrate the problem. You provide 2 certs, a server cert and a client cert. The server cert gets validated first, then the client cert is attempted. The second request fails every time for me. 

A sample run is: 
% ./ocsp -d . -n Server-Cert -m alpha -c secret
Initializing NSS in .
server 0
client -1
Shutdown successful.
Closed: 14 years ago
Resolution: --- → DUPLICATE
Rob, can you try this with current trunk NSS code and verify that it's fixed
Still not working. In fact, OCSP doesn't work at all in the tip for me.

The failure seems to come around pkix_pl_Socket_Connect(). It opens a connection but then it seems to get closed (almost immediately goes into CLOSE_WAIT). Of course it still thinks the socket is connected and ends up waiting forever when it tries to do the POST.
Assignee: nobody → alexei.volkov.bugs
Attachment #379207 - Attachment mime type: text/x-csrc → text/plain
Alexei, please see if you can reproduce this with NSS from trunk tip.
(In reply to comment #3)
> Still not working. In fact, OCSP doesn't work at all in the tip for me.

Rob, that is a different problem.  Please file a separate bug and include
steps to reproduce, etc.  OCSP on the trunk is passing all of our own tests.
I re-tested on the CVS HEAD and my test program is passing. The previous tip I was testing I think was the head of the browser mercurial repo.
You need to log in before you can comment on or make changes to this bug.