Closed Bug 68869 Opened 24 years ago Closed 23 years ago

tstclnt: write to SSL socket failed: TCP connection reset by peer

Categories

(NSS :: Tools, defect, P2)

Product:
NSS
Component:
Tools
Platform:
x86
Windows NT
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: sonja.mirtitsch, Assigned: nelson)

References

Details

Testclient has a wrong password, on Unix the read on the server hits EOF which
is the expected behavior, but on NT the client gets ECONNRESET.

The errormessage is:
tstclnt: write to SSL socket failed: TCP connection reset by peer.

Example output on Unix
=======================
***** TLS Require client auth (bad password) ****
selfserv -v -p 8443 -d
/h/hs-sca15c/export/builds/mccrel/nss/nsstip/builds/20010213.1/y2sun2_Solaris8/mozilla/tests_results/security/compaqtor.1/server
-n compaqtor.red.iplanet.com -w nss -r -r -i /tmp/tests_pid.112445 & tstclnt -p
8443 -h compaqtor -q -d
/h/hs-sca15c/export/builds/mccrel/nss/nsstip/builds/20010213.1/y2sun2_Solaris8/mozilla/tests_results/security/compaqtor.1/client
redir from
/tmp_mnt/h/hs-sca15c/export/builds/mccrel/nss/nsstip/builds/20010213.1/y2sun2_Solaris8/mozilla/security/nss/tests/ssl/sslreq.txt
/tmp_mnt/h/hs-sca15c/export/builds/mccrel/nss/nsstip/builds/20010213.1/y2sun2_Solaris8/mozilla/tests_results/security/compaqtor.1/client
tstclnt -p 8443 -h compaqtor -f -d
/h/hs-sca15c/export/builds/mccrel/nss/nsstip/builds/20010213.1/y2sun2_Solaris8/mozilla/tests_results/security/compaqtor.1/client
-w bogus -n TestUser redir from
/tmp_mnt/h/hs-sca15c/export/builds/mccrel/nss/nsstip/builds/20010213.1/y2sun2_Solaris8/mozilla/security/nss/tests/ssl/sslreq.txt



selfserv: About to call accept.



selfserv: About to call accept.



selfserv: About to call accept.
selfserv: HDX PR_Read hit EOF returned error -5938:
Encountered end of file.
selfserv: HDX PR_Read returned error -12285:
Unable to find the certificate or key necessary for authentication.
tstclnt: write to SSL socket failed: SSL peer cannot verify your certificate.
test TLS Require client auth (bad password) produced a returncode of 254 as
expected
./ssl.sh: 112973 Terminated

Example NT
===========
**** TLS Require client auth (bad password) ****
selfserv -v -p 8443 -d
w:/nss/nsstip/builds/20010213.1/blowfish_NT4.0_Win95/mozilla/tests_results/security/sonjant.1/server
-n sonjant.red.iplanet.com -w nss -r -r -i C:/TEMP/tests_pid.236 & tstclnt -p
8443 -h sonjant -q -d
w:/nss/nsstip/builds/20010213.1/blowfish_NT4.0_Win95/mozilla/tests_results/security/sonjant.1/client
redir from
W:/nss/nsstip/builds/20010213.1/blowfish_NT4.0_Win95/mozilla/security/nss/tests/ssl/sslreq.txt
W:/nss/nsstip/builds/20010213.1/blowfish_NT4.0_Win95/mozilla/tests_results/security/sonjant.1/client
tstclnt -p 8443 -h sonjant -f -d
w:/nss/nsstip/builds/20010213.1/blowfish_NT4.0_Win95/mozilla/tests_results/security/sonjant.1/client
-w bogus -n TestUser redir from
W:/nss/nsstip/builds/20010213.1/blowfish_NT4.0_Win95/mozilla/security/nss/tests/ssl/sslreq.txt
tstclnt: write to SSL socket failed: TCP connection reset by peer.
[6] + Done(134) ?
  266	Abort	tstclnt
test TLS Require client auth (bad password) produced a returncode of 134 as
expected

============================

Note that 134 is ENOTCONN and not ECONNRESET

This behavior has been known for at least 5 months, as a sideeffect it causes
differnt returncodes on NT and Unix

When this bug is fixed please reassign to me, so I can fix the script.
Summary: bad password causes unexpected bahavior → bad client password causes unexpected bahavior on NT
There is some ifdef _WINDOWS code in tstclnt.c
that I don't quite understand.  For example, if
the -f option is specified (which is true in our
test), tstclnt would call PR_Poll with a zero
timeout and modify the return value so that it
is always > 0.  Such ifdef _WINDOWS code could
explain the different behavior of tstclnt on
Windows.  Moreover, we are not supposed to check
the out_flags fields unless PR_Poll returns a
positive (> 0) value, but tstclnt modifies the
return value of PR_Poll to make it positive.
Assignee: wtc → relyea
Priority: -- → P2
Target Milestone: --- → 3.3
Bob informs me that the reason this test uses a bad password
is to ensure that the client does NOT send a client certificate
to the server when the server requests it.  

So, I request that the test script be changed.  Instead of 
using a bad password, it should use a nickname that is known
not to exist, e.g.  -n nonexistant   instead of -w badpassword

I don't know the significance of the number 134 in the "done"
message in the NT output, but I'm pretty certain that it 
means neither ENOTCONN nor ECONNRESET.  134 is the value of 
ENOTCONN on UNIX.  On NT, the value is 10057.  The value for
the NSPR equivalent error is -5978.  

main() returns -2 after the PR_Write error.  I'd expect that
to be the return mode (modulo 256).

Also, on Unix, the server's PR_Read gets error -12285:
Unable to find the certificate or key necessary for authentication.
which means that the server did not receive the required 
authentication certificate from the client.

The EOF is from the previous run of  tstclnt -q, I believe.
Nelson is right.  134 is not ENOTCONN or ECONNRESET.
(Winsock errors are defined in winsock.h or winsock2.h,
not errno.h, and are in the 10XXX range.)  In fact,
134 is not related to the error code.  The main()
function in tstclnt returns -2, not the error code.
How the MKS Korn Shell gets 134 from -2 is beyond me.

On Unix, the parent process can only retrieve the
lowest 8 bits of the value the child returns.  This
is the modulo 256 operation that Nelson mentioned.
-2 modulo 256 = 254, which is the expected return
status on Unix.

It is best to modify tstclnt to return a value
in the range 0 through 255.
So, should I just fix the testclient's returncodes and the script, and the rest
of the problem (different behavior due to strange ifdef WINDOWS on NT) can be
ignored?
Assigned the bug to Nelson.
Assignee: relyea → nelsonb
Status: NEW → ASSIGNED
I'm narrowing the scope of this bug.  This bug is now about just one
issue, namely, this message:
tstclnt: write to SSL socket failed: TCP connection reset by peer.

At least that is what I intended it for originally!
OS: All → Windows NT
Summary: bad client password causes unexpected bahavior on NT → tstclnt: write to SSL socket failed: TCP connection reset by peer
Sonja,
Is this problem still occuring?
Does it only occur on NT?
or does it also occur on other operating systems?
Still occuring.
No, Win NT and Win 2K
see #ifdef _WINDOWS in tstclnt.c
paste in yesterday's QA of clio
---------------------

ssl.sh: TLS Require client auth (bad password) ----
selfserv -D -p 8443 -d ../server -n clio.red.iplanet.com \
         -w nss -r -r -i ../tests_pid.756  &
selfserv started at Mon Jun 11 01:13:51 PDT 2001
tstclnt -p 8443 -h clio -q -d . <
W:/nss/nsstip/builds/20010611.1/blowfish_NT4.0_Win95/mozilla/security/nss/tests/ssl/sslreq.txt

tstclnt -p 8443 -h clio -f -d . -w bogus -n TestUser \
        <
W:/nss/nsstip/builds/20010611.1/blowfish_NT4.0_Win95/mozilla/security/nss/tests/ssl/sslreq.txt
tstclnt: write to SSL socket failed: TCP connection reset by peer.
[6] + Done(134) ?
  596	Abort	tstclnt
ssl.sh: WARNING! Testclient returned 134, expect 
             254 (no error as tmp workaround)


This is a good catch!

There are numerous problems here.  

First, when the server demands client authentication, and the attempts to 
connect to the server without doing client authentication, both the client 
and the server should report error codes.  But in the log files the server 
does not always report an error for this.  

Second, On Unix it is reporting EOF received and on NT it is reporting 
connection reset by peer.  Neither of these is the expected error message
for this type of situation.   These are both socket errors, not SSL/TLS
errors.  We expect to see an SSL/TLS error number.

For TLS and SSL we expect to see the log look something like this:

tstclnt -p 8443 -h windmere -f -d . -T -n TestUser -w bogus \
        < D:/nss_tip/mozilla/security/nss/tests/ssl/sslreq.txt
selfserv: HDX PR_Read returned error -12285:
Unable to find the certificate or key necessary for authentication.
tstclnt: write to SSL socket failed: SSL peer cannot verify your certificate.

I'm working on fixing this now. 
I have checked the fix into rev 1.21 of ssl3con.c.  On my NT box, 
the logfile from ssl.sh now contains these excerpts:

ssl.sh: TLS Require client auth (bad password) ----
selfserv -D -p 8443 -d ../server -n windmere.red.iplanet.com \
         -w nss -r -r -i ../tests_pid.344  &
selfserv started at Wed Jun 13 14:04:21 PDT 2001
tstclnt -p 8443 -h windmere -q -d . < D:/nss_tip/mozilla/security/nss/tests/ssl/
sslreq.txt
tstclnt -p 8443 -h windmere -f -d . -w bogus -n TestUser \
        < D:/nss_tip/mozilla/security/nss/tests/ssl/sslreq.txt
selfserv: HDX PR_Read returned error -12285:
Unable to find the certificate or key necessary for authentication.
tstclnt: write to SSL socket failed: SSL peer cannot verify your certificate.
[6] + Done(134) ?
  306   Abort   tstclnt
ssl.sh: WARNING! Testclient returned 134, expect
             254 (no error as tmp workaround)
ssl.sh: TLS Require client auth (bad password) produced a returncode of 134, exp
ected is 134 PASSED

and

ssl.sh: SSL3 Require client auth (bad password) ----
selfserv -D -p 8443 -d ../server -n windmere.red.iplanet.com \
         -w nss -r -r -i ../tests_pid.344  &
selfserv started at Wed Jun 13 14:04:30 PDT 2001
tstclnt -p 8443 -h windmere -q -d . < D:/nss_tip/mozilla/security/nss/tests/ssl/
sslreq.txt
tstclnt -p 8443 -h windmere -f -d . -T -n TestUser -w bogus \
        < D:/nss_tip/mozilla/security/nss/tests/ssl/sslreq.txt
selfserv: HDX PR_Read returned error -12285:
Unable to find the certificate or key necessary for authentication.
tstclnt: write to SSL socket failed: SSL peer cannot verify your certificate.
[12] + Done(134) ?
  388   Abort   tstclnt
ssl.sh: WARNING! Testclient returned 134, expect
             254 (no error as tmp workaround)
ssl.sh: SSL3 Require client auth (bad password) produced a returncode of 134, ex
pected is 134 PASSED

If you get different results than this on Unix, please file a bug about that.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
You need to log in before you can comment on or make changes to this bug.