Closed Bug 526910 - opened 16 years ago, closed 16 years ago
maxResponseLength (initialized to PKIX_DEFAULT_MAX_RESPONSE_LENGTH) is too small for downloading some CRLs.
Categories: NSS :: Libraries, defect, P2
Tracking: not tracked
Status: RESOLVED FIXED
Target Milestone: 3.12.6
People: Reporter: wtc, Assigned: wtc
Attachments (1 file): patch, 4.26 KB; alvolkov.bgs: review+
This bug was originally reported in Chromium issue 18559
(http://crbug.com/18559).
Starting in NSS 3.12.4, libpkix can download CRLs using the CRL
distribution point certificate extensions.
However, libpkix's DownloadCrl function in pkix_pl_pk11certstore.c
passes 64 * 1024 as the maximum acceptable response data length
to the HTTP client. Many CRLs are larger than 64 KB. For example,
just visit https://www.verisign.com/ and https://www.thawte.com/,
and CRLs of sizes 338759 and 439035 will be downloaded. The HTTP
client is forced to fail the download because the CRLs are larger
than 64 * 1024.
For CRL download, the acceptable maximum response data length
should be at least 512 * 1024.
The maxResponseLength member of PKIX_PL_NssContext is set in
only two places:
http://mxr.mozilla.org/security/search?string=maxResponseLength+=
The first place sets that value to the default
PKIX_DEFAULT_MAX_RESPONSE_LENGTH (64 * 1024). The second place
is a function PKIX_PL_NssContext_SetMaxResponseLen that we can
call to change the value. But I don't know how to call that
function. That function is not being used:
http://mxr.mozilla.org/security/ident?i=PKIX_PL_NssContext_SetMaxResponseLen
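A maximum response length of this kind is a guard against a misbehaving or hostile responder making the verifier buffer an arbitrarily large HTTP body; the patch in this bug raises the ceiling for CRL downloads rather than removing it. The following is an added example, not NSS code and not part of the bug report, of such a bounded body accumulator in C: the chunk is rejected before any allocation as soon as the accumulated length would exceed the ceiling, so the buffer never grows past it. The names EXAMPLE_DEFAULT_MAX_RESPONSE_LENGTH, EXAMPLE_CRL_MAX_RESPONSE_LENGTH, bounded_body, body_append and simulate_fetch are hypothetical; only the two ceiling values (64 * 1024 and 512 * 1024) and the two CRL sizes come from the report above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for the two ceilings discussed in the bug. The real
 * NSS constant is PKIX_DEFAULT_MAX_RESPONSE_LENGTH (64 * 1024). */
#define EXAMPLE_DEFAULT_MAX_RESPONSE_LENGTH (64 * 1024)
#define EXAMPLE_CRL_MAX_RESPONSE_LENGTH     (512 * 1024)

typedef enum {
    FETCH_OK        = 0,
    FETCH_TOO_LARGE = 1,   /* response would exceed the configured ceiling */
    FETCH_OOM       = 2    /* allocation failed */
} fetch_status;

typedef struct {
    unsigned char *data;
    size_t len;      /* bytes received so far; invariant: len <= max_len */
    size_t cap;      /* bytes allocated */
    size_t max_len;  /* hard ceiling on len */
} bounded_body;

static void body_init(bounded_body *b, size_t max_len)
{
    b->data = NULL;
    b->len = 0;
    b->cap = 0;
    b->max_len = max_len;
}

/* Accept one chunk from the transport. The length check runs before any
 * allocation and cannot overflow: because len <= max_len always holds,
 * max_len - len is well defined, so this is a safe form of len + n > max_len. */
static fetch_status body_append(bounded_body *b, const unsigned char *chunk, size_t n)
{
    if (n > b->max_len - b->len)
        return FETCH_TOO_LARGE;
    if (b->len + n > b->cap) {
        size_t newcap = b->cap ? b->cap : 4096;
        while (newcap < b->len + n)
            newcap *= 2;
        if (newcap > b->max_len)
            newcap = b->max_len;     /* never reserve more than the ceiling */
        unsigned char *p = realloc(b->data, newcap);
        if (p == NULL)
            return FETCH_OOM;
        b->data = p;
        b->cap = newcap;
    }
    memcpy(b->data + b->len, chunk, n);
    b->len += n;
    return FETCH_OK;
}

/* Simulate a download of total_len bytes arriving in 8 KB chunks under the
 * given ceiling. The body content is constructed (all zero bytes); only the
 * length matters here. If received is non-NULL it receives the number of
 * bytes accepted before the fetch stopped. */
fetch_status simulate_fetch(size_t total_len, size_t max_len, size_t *received)
{
    static const unsigned char chunk[8192] = { 0 };
    bounded_body b;
    fetch_status st = FETCH_OK;
    size_t sent = 0;

    body_init(&b, max_len);
    while (sent < total_len && st == FETCH_OK) {
        size_t n = total_len - sent;
        if (n > sizeof chunk)
            n = sizeof chunk;
        st = body_append(&b, chunk, n);
        if (st == FETCH_OK)
            sent += n;
    }
    if (received)
        *received = b.len;
    free(b.data);
    return st;
}

int main(void)
{
    /* The two CRL sizes quoted in the report. */
    const size_t crl_sizes[] = { 338759, 439035 };
    for (size_t i = 0; i < 2; i++) {
        size_t got;
        fetch_status d = simulate_fetch(crl_sizes[i], EXAMPLE_DEFAULT_MAX_RESPONSE_LENGTH, &got);
        printf("CRL %zu bytes, 64 KB ceiling: %s after %zu bytes\n",
               crl_sizes[i], d == FETCH_OK ? "ok" : "rejected", got);
        fetch_status c = simulate_fetch(crl_sizes[i], EXAMPLE_CRL_MAX_RESPONSE_LENGTH, &got);
        printf("CRL %zu bytes, 512 KB ceiling: %s after %zu bytes\n",
               crl_sizes[i], c == FETCH_OK ? "ok" : "rejected", got);
    }
    return 0;
}
```

Under the 64 KB ceiling both CRLs are rejected after exactly 65536 bytes have been buffered; under the 512 KB ceiling both complete. Keeping the ceiling per purpose (CRL versus OCSP or AIA fetch) is what lets the CRL case be relaxed without touching the others, which is the concern raised in comment 2 below.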
Updated by assignee, 16 years ago
Summary: PKIX_DEFAULT_MAX_RESPONSE_LENGTH is too small for downloading some CRLs. → maxResponseLength (initialized to PKIX_DEFAULT_MAX_RESPONSE_LENGTH) is too small for downloading some CRLs.
Comment 1 by assignee, 16 years ago
Alexei, please review this patch for NSS 3.12.6. Thanks.
Attachment #426101 -
Flags: review?(alexei.volkov.bugs)
Updated by assignee, 16 years ago
Assignee: alexei.volkov.bugs → wtc
Status: NEW → ASSIGNED
Priority: -- → P2
Target Milestone: --- → 3.12.6
Comment 2 by assignee, 16 years ago
Another option is to simply change
PKIX_DEFAULT_MAX_RESPONSE_LENGTH to 512 * 1024, but that
higher limit will apply to all downloads (OCSP responses
and AIA cert fetches, in particular). I'm not sure if
that's OK. It depends on the answer to the following
question:
Do we create a single PKIX_PL_NssContext object for the
entire lifetime of the process, or do we create a
PKIX_PL_NssContext object for each libpkix operation?
Comment 3, 16 years ago
Comment on attachment 426101 [details] [diff] [review]
Bump max response length to 512KB for CRL downloads
Looks good. r=alexei
Attachment #426101 -
Flags: review?(alexei.volkov.bugs) → review+
Comment 4 by assignee, 16 years ago
I checked in the patch on the NSS trunk (NSS 3.12.6).
Checking in pkix_pl_pk11certstore.c;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c,v <-- pkix_pl_pk11certstore.c
new revision: 1.18; previous revision: 1.17
done
Status: ASSIGNED → RESOLVED
Closed: 16 years ago
Resolution: --- → FIXED