Closed Bug 526910 Opened 15 years ago Closed 14 years ago

maxResponseLength (initialized to PKIX_DEFAULT_MAX_RESPONSE_LENGTH) is too small for downloading some CRLs.

Categories: NSS :: Libraries, defect, P2
Version: 3.12.4
Tracking: (Not tracked)
Status: RESOLVED FIXED
Target Milestone: 3.12.6
People: Reporter: wtc, Assigned: wtc
Attachments: 1 file

This bug was originally reported in Chromium issue 18559
(http://crbug.com/18559).

Starting in NSS 3.12.4, libpkix can download CRLs using the CRL
distribution point certificate extensions.

However, libpkix's DownloadCrl function in pkix_pl_pk11certstore.c
passes 64 * 1024 as the maximum acceptable response data length
to the HTTP client.  Many CRLs are larger than 64 KB.  For example,
just visit https://www.verisign.com/ and https://www.thawte.com/,
and CRLs of sizes 338759 and 439035 will be downloaded.  The HTTP
client is forced to fail the download because the CRLs are larger
than 64 * 1024.

For CRL download, the acceptable maximum response data length
should be at least 512 * 1024.

The maxResponseLength member of PKIX_PL_NssContext is set in
only two places:
http://mxr.mozilla.org/security/search?string=maxResponseLength+=

The first place sets that value to the default
PKIX_DEFAULT_MAX_RESPONSE_LENGTH (64 * 1024).  The second place
is a function PKIX_PL_NssContext_SetMaxResponseLen that we can
call to change the value.  But I don't know how to call that
function.  That function is not being used:
http://mxr.mozilla.org/security/ident?i=PKIX_PL_NssContext_SetMaxResponseLen
Summary: PKIX_DEFAULT_MAX_RESPONSE_LENGTH is too small for downloading some CRLs. → maxResponseLength (initialized to PKIX_DEFAULT_MAX_RESPONSE_LENGTH) is too small for downloading some CRLs.
Alexei, please review this patch for NSS 3.12.6.  Thanks.
Attachment #426101 - Flags: review?(alexei.volkov.bugs)
Assignee: alexei.volkov.bugs → wtc
Status: NEW → ASSIGNED
Priority: -- → P2
Target Milestone: --- → 3.12.6
Another option is to simply change
PKIX_DEFAULT_MAX_RESPONSE_LENGTH to 512 * 1024, but that
higher limit will apply to all downloads (OCSP responses
and AIA cert fetches, in particular).  I'm not sure if
that's OK.  It depends on the answer to the following
question:

Do we create a single PKIX_PL_NssContext object for the
entire lifetime of the process, or do we create a
PKIX_PL_NssContext object for each libpkix operation?
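As an added illustration (not the patch and not NSS's own code) of the mechanism comment 0 describes and the trade-off comment 2 raises: a client-side response-length cap that aborts a download as soon as the body would exceed it, with the cap chosen per fetch purpose so that only CRL downloads get 512 * 1024 while OCSP responses and AIA cert fetches keep the 64 * 1024 default. The fetch-purpose enum, the struct and function names and the 4096-byte chunk size are assumptions made for the example; the two CRL sizes are the ones quoted in comment 0, used here as constructed inputs with no network access.

```c
#include <stddef.h>
#include <stdio.h>

/* Added example, not NSS code.  Models how a fixed maximum response
 * length handed to an HTTP client decides whether a CRL download
 * succeeds.  The two limits are the values named in the bug:
 * PKIX_DEFAULT_MAX_RESPONSE_LENGTH (64 * 1024) and the 512 * 1024 the
 * patch uses for CRL downloads.  The purposes, names and chunk size
 * below are hypothetical. */

#define DEFAULT_MAX_RESPONSE_LENGTH (64 * 1024)
#define CRL_MAX_RESPONSE_LENGTH     (512 * 1024)

typedef enum { FETCH_OCSP, FETCH_AIA_CERT, FETCH_CRL } fetch_purpose;

/* Per-purpose cap: only CRL downloads get the raised limit, so OCSP
 * responses and AIA cert fetches keep the default.  This is the
 * alternative to raising the single global default. */
size_t max_response_len_for(fetch_purpose p)
{
    return p == FETCH_CRL ? CRL_MAX_RESPONSE_LENGTH
                          : DEFAULT_MAX_RESPONSE_LENGTH;
}

typedef enum { FETCH_OK, FETCH_TOO_LARGE } fetch_status;

/* Simulated transfer: the response body is `total` bytes, delivered in
 * chunks of at most `chunk` bytes.  The client accumulates the body and
 * aborts as soon as accepting the next chunk would exceed `max_len`;
 * that is the "HTTP client is forced to fail the download" case.
 * Stores the number of bytes accepted in *received. */
fetch_status bounded_fetch(size_t total, size_t chunk, size_t max_len,
                           size_t *received)
{
    size_t got = 0;
    while (got < total) {
        size_t n = (total - got < chunk) ? total - got : chunk;
        if (got + n > max_len) {   /* body would exceed the caller's cap */
            *received = got;
            return FETCH_TOO_LARGE;
        }
        got += n;
    }
    *received = got;
    return FETCH_OK;
}

/* Fetch a body of `total` bytes under the cap for the given purpose. */
fetch_status fetch_for_purpose(fetch_purpose p, size_t total, size_t *received)
{
    return bounded_fetch(total, 4096, max_response_len_for(p), received);
}

int main(void)
{
    /* CRL sizes quoted in comment 0, used as constructed inputs. */
    const size_t crl_sizes[] = { 338759, 439035 };
    for (size_t i = 0; i < 2; i++) {
        size_t got_old, got_new;
        fetch_status old = bounded_fetch(crl_sizes[i], 4096,
                                         DEFAULT_MAX_RESPONSE_LENGTH, &got_old);
        fetch_status fixed = fetch_for_purpose(FETCH_CRL, crl_sizes[i], &got_new);
        printf("CRL of %zu bytes: 64 KiB cap -> %s (%zu accepted), "
               "512 KiB cap -> %s (%zu accepted)\n",
               crl_sizes[i],
               old == FETCH_OK ? "ok" : "too large", got_old,
               fixed == FETCH_OK ? "ok" : "too large", got_new);
    }
    return 0;
}
```

The per-purpose cap is what keeps the OCSP and AIA limits untouched while letting both CRLs above download. It is still a bound, not a fix for arbitrarily large CRLs: a CRL over 512 * 1024 bytes fails the same way under the new limit, which is the caveat to keep in mind when choosing the value.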
Comment on attachment 426101 (Bump max response length to 512KB for CRL downloads)

Looks good. r=alexei
Attachment #426101 - Flags: review?(alexei.volkov.bugs) → review+
I checked in the patch on the NSS trunk (NSS 3.12.6).

Checking in pkix_pl_pk11certstore.c;
/cvsroot/mozilla/security/nss/lib/libpkix/pkix_pl_nss/module/pkix_pl_pk11certstore.c,v  <--  pkix_pl_pk11certstore.c
new revision: 1.18; previous revision: 1.17
done
Status: ASSIGNED → RESOLVED
Closed: 14 years ago
Resolution: --- → FIXED