tstclnt emits "SSL peer is in another FORTEZZA domain." error messages

RESOLVED FIXED in 3.13

Status

NSS
Libraries
P1
normal
RESOLVED FIXED
7 years ago
6 years ago

People

(Reporter: Wan-Teh Chang, Assigned: Elio Maldonado)

Details

Attachments

(1 attachment, 2 obsolete attachments)

(Reporter)

Description

7 years ago
The NSS tinderboxes have tstclnt SSL socket write failures
with strange error messages:

tstclnt: write to SSL socket failed: Cannot connect: SSL peer is in another FORTEZZA domain.

tstclnt: write to SSL socket failed: Cannot connect: SSL is disabled.

Note that the tests passed, so this bug is about the
unreasonable error message.

"Cannot connect: SSL peer is in another FORTEZZA domain."
is the error message for SSL_ERROR_FORTEZZA_PQG, and this
MXR query shows NSS does not set that error:
http://mxr.mozilla.org/security/ident?i=SSL_ERROR_FORTEZZA_PQG
(Reporter)

Comment 1

7 years ago
On the NSS 3.12 branch, the error messages are:

tstclnt.exe: write to SSL socket failed: SSL peer rejected your certificate as revoked.

tstclnt.exe: write to SSL socket failed: SSL peer cannot verify your certificate.

So the error messages are off by three error codes.  I bet
this offset is caused by the three missing error code entries
in SSLerrs.h:
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/security/nss/lib/ssl/SSLerrs.h&rev=1.12&mark=55,69,77-79#55
Priority: P2 → P1
Target Milestone: --- → 3.13
Version: trunk → 3.13

Comment 2

7 years ago
Oops...  We need placeholders for the unused error codes. In some cases the error.h files are used to construct tables, so the table needs to be complete and in order.

bob
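
The offset described in comments 1 and 2, reproduced as an added example that is not NSS code and not part of the original thread: a table indexed by (code - base) returns the wrong entry once slots are missing, and a contiguity check finds the first missing slot. `DEMO_BASE`, the `E`/`U` macros, the table contents and the function names are all constructed for illustration; only the gap positions 5, 10 and 13 come from the bug.

```c
#include <stddef.h>
#include <stdio.h>

#define DEMO_BASE (-1000) /* constructed base value, not an NSS constant */
#define E(off) { DEMO_BASE + (off), "text for offset " #off }
#define U(off) { DEMO_BASE + (off), "unused slot " #off }
#define COUNT(t) (sizeof(t) / sizeof((t)[0]))

struct err_entry { int code; const char *text; };

/* Constructed table with no entry for offsets 5, 10 and 13. */
static const struct err_entry gappy[] = {
    E(0), E(1), E(2), E(3), E(4), E(6), E(7), E(8), E(9),
    E(11), E(12), E(14), E(15), E(16), E(17), E(18),
};

/* Same table with placeholders, so that index == code - DEMO_BASE. */
static const struct err_entry filled[] = {
    E(0), E(1), E(2), E(3), E(4), U(5), E(6), E(7), E(8), E(9),
    U(10), E(11), E(12), U(13), E(14), E(15), E(16), E(17), E(18),
};

/* Table-driven lookup: treats (code - base) as the array index. */
static const struct err_entry *by_index(const struct err_entry *t, size_t n, int code)
{
    long i = (long)code - DEMO_BASE;
    return (i >= 0 && (size_t)i < n) ? &t[i] : NULL;
}

/* First offset whose entry is missing or out of order, or -1 if none. */
static int first_gap(const struct err_entry *t, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (t[i].code != DEMO_BASE + (int)i)
            return (int)i;
    return -1;
}

int main(void)
{
    int code = DEMO_BASE + 14; /* a code that sits after all three gaps */
    const struct err_entry *bad = by_index(gappy, COUNT(gappy), code);
    const struct err_entry *ok = by_index(filled, COUNT(filled), code);
    printf("gappy:  \"%s\", first gap %d\n", bad->text, first_gap(gappy, COUNT(gappy)));
    printf("filled: \"%s\", first gap %d\n", ok->text, first_gap(filled, COUNT(filled)));
    return 0;
}
```

Running `first_gap` over the real table at build or test time turns a silently shifted message into a hard failure.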
(Reporter)

Comment 3

6 years ago
This bug fell through the cracks.  Elio, could you write a patch?  Thanks.
Assignee: nobody → emaldona
Status: NEW → ASSIGNED
(Assignee)

Comment 4

6 years ago
Created attachment 564886
cover the unused error codes

Covers error code mapping for unused slots 5, 10, and 13. Used "obsolete" in two and "undefined" on the third because it looked as if someone may have intended to define one at some point.
Attachment #564886 - Flags: review?(wtc)
(Assignee)

Comment 5

6 years ago
Bad patch.
(Assignee)

Updated

6 years ago
Attachment #564886 - Flags: review?(wtc)
(Reporter)

Comment 6

6 years ago
Comment on attachment 564886
cover the unused error codes

Nit: I suggest just naming the unused errors
SSL_ERROR_UNUSED_5 and SSL_ERROR_UNUSED_10.
(Assignee)

Comment 7

6 years ago
Created attachment 564902
cover the unused error codes revised

My tests are still running.
Attachment #564886 - Attachment is obsolete: true
Attachment #564902 - Flags: review?(wtc)
(Assignee)

Comment 8

6 years ago
(In reply to Wan-Teh Chang from comment #6)
> SSL_ERROR_UNUSED_5 and SSL_ERROR_UNUSED_10.
I hadn't seen that comment when I resent the patch. Yes, will use those names instead. I now use the same error string for all three, 5, 10, and 13.
(Reporter)

Comment 9

6 years ago
Comment on attachment 564902
cover the unused error codes revised

r=wtc.  I suggest the following changes.

In mozilla/security/nss/lib/ssl/SSLerrs.h:

>+ER3(SSL_ERROR_UNUSED_FIFTH,					SSL_ERROR_BASE + 5,
>+"Unrecognized ssl error code.")
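
Review bot: the message text "Unrecognized ssl error code." on the SSL_ERROR_BASE + 5 entry does not say that the slot is a deliberate placeholder. A one-line comment above this ER3 entry stating that it exists only to keep the table complete and in order would make it less likely that a later cleanup deletes it and shifts every following message again.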

Capitalize "SSL" in the three error messages.

Nit: name the unused error codes SSL_ERROR_UNUSED_5, SSL_ERROR_UNUSED_10.

In mozilla/security/nss/lib/ssl/sslerr.h:

>+SSL_ERROR_UNUSED_FIFTH			= (SSL_ERROR_BASE +  5),
>+SSL_ERROR_UNUSED_TENTH			= (SSL_ERROR_BASE + 10),
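
Review bot: the explicit values (SSL_ERROR_BASE + 5) and (SSL_ERROR_BASE + 10) here have to stay in step with the matching ER3 entries in SSLerrs.h, and nothing in these two lines says so. A comment beside them pointing at SSLerrs.h, noting that every offset needs an entry in both files, would document the invariant this bug is about.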

Nit: name these error codes SSL_ERROR_UNUSED_5, SSL_ERROR_UNUSED_10.
Attachment #564902 - Flags: review?(wtc) → review+
(Assignee)

Comment 10

6 years ago
Created attachment 564920
unused error codes V3 - applied wtc suggested renaming

all tests passed.
Attachment #564902 - Attachment is obsolete: true
Attachment #564920 - Flags: review?(wtc)
(Reporter)

Comment 11

6 years ago
Comment on attachment 564920
unused error codes V3 - applied wtc suggested renaming

Nit: In mozilla/security/nss/lib/ssl/SSLerrs.h, you have an extra TAB
character in the middle of these two lines:

>+ER3(SSL_ERROR_UNUSED_10,					SSL_ERROR_BASE + 10,

>+ER3(SSL_ERROR_POST_WARNING,					SSL_ERROR_BASE + 13,
Attachment #564920 - Flags: review?(wtc) → review+
(Assignee)

Comment 12

6 years ago
Patch committed to trunk:
Checking in mozilla/security/nss/lib/ssl/SSLerrs.h;
/cvsroot/mozilla/security/nss/lib/ssl/SSLerrs.h,v  <--  SSLerrs.h
new revision: 1.13; previous revision: 1.12
done
Checking in mozilla/security/nss/lib/ssl/sslerr.h;
/cvsroot/mozilla/security/nss/lib/ssl/sslerr.h,v  <--  sslerr.h
new revision: 1.14; previous revision: 1.13
done
(Assignee)

Updated

6 years ago
Status: ASSIGNED → RESOLVED
Last Resolved: 6 years ago
Resolution: --- → FIXED