Closed
Bug 690980
Opened 14 years ago
Closed 13 years ago
selfserv -n option is broken with TLS SNI
Categories
(NSS :: Tools, defect, P3)
Tracking
(Not tracked)
RESOLVED
FIXED
3.13.4
People
(Reporter: julien.pierre, Assigned: julien.pierre)
Details
Attachments
(1 file)
|
1.44 KB,
patch
|
rrelyea
:
review+
|
Details | Diff | Splinter Review |
When using selfserv -n <nickname> where nickname is NOT a DNSname, and without setting the -a option , if a client sends the SNI the server always fails and returns an "unrecognized name" alert in response to clients that send the SNI extension .
In practice, this translates to Firefox not being able to connect to selfserv.
This is particularly problematic when using a hardware token, where the nickname can never match a DNSname since it will be of the form "token:nickname".
IE eventually falls down to SSL 3 and does not send an SNI extension, and is then able to connect successfully.
The fix is simple enough - selfserv should not call SSL_SNISocketConfigHook if the -a option has not been set.
I would also suggest that the -a option be changed to be a pair of strings, such as{DNSname,nickname} rather than assuming that they are both the same. As currently implemented, it is impossible to use certs in hardware tokens with SNI and selfserv.
|
Assignee | |
Comment 1•13 years ago
|
||
|
|
Assignee | |
Updated•13 years ago
|
Attachment #597660 -
Flags: review?
|
|
Assignee | |
Updated•13 years ago
|
Attachment #597660 -
Flags: review? → review?(rrelyea)
|
|
Assignee | |
Updated•13 years ago
|
OS: Windows 7 → All
Priority: -- → P3
Hardware: x86_64 → All
|
|
||
Updated•13 years ago
|
Assignee: nobody → julien.pierre
|
|
Assignee | |
Comment 2•13 years ago
|
||
Ed, I'm a previous NSS contributor, but no longer have my SSH key for NSS checkin priviledge, so the assignee should be somebody else.
|
|
||
Comment 3•13 years ago
|
||
I can change if you'd rather, but the assignee is typically the patch author, since checkin-needed in the keywords field can be used to ask someone to commit. (The main thing I wanted to avoid was having an empty assignee, since it makes it more time consuming for contributors to find bugs that have not yet been started).
|
||
Comment 4•13 years ago
|
||
Comment on attachment 597660 [details] [diff] [review]
Don't setup SNI unless some hostnames were specified on the command-line
r+
Initially I say a local variable turned to a global and thought 'bleh', but I see it's really associated with another global array. I would not be upset if the name changed from virtServerNameIndex to virtServerNameCount between now and checkin:).
bob
Attachment #597660 -
Flags: review?(rrelyea) → review+
|
|
||
Updated•13 years ago
|
Keywords: checkin-needed
Target Milestone: --- → 3.12.4
|
||
Comment 5•13 years ago
|
||
Checking in selfserv.c;
/cvsroot/mozilla/security/nss/cmd/selfserv/selfserv.c,v <-- selfserv.c
new revision: 1.99; previous revision: 1.98
done
Status: NEW → RESOLVED
Closed: 13 years ago
Keywords: checkin-needed → #relman/triage/defer-to-group
Resolution: --- → FIXED
Target Milestone: 3.12.4 → 3.13.4
You need to log in
before you can comment on or make changes to this bug.
Description
•