Closed Bug 72753 Opened 24 years ago Closed 24 years ago

new certs reported as expired when clock is slow

Categories

(NSS :: Libraries, defect, P3)

Product:
NSS
Component:
Libraries
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED

People

(Reporter: sonja.mirtitsch, Assigned: nelson)

Details

Attachments

(5 files)

output log
4.33 KB, text/plain
Details
patch, convert slop time to microseconds before using it
916 bytes, patch
Details | Diff | Splinter Review
modified patch incorporates suggestions above
3.70 KB, patch
Details | Diff | Splinter Review
Corresponding changes to header files
1.42 KB, patch
Details | Diff | Splinter Review
Patch for NSS_3_2_BRANCH for PSM 2.0
1.47 KB, patch
Details | Diff | Splinter Review
distributed stress test was run: client and servercerts were generated on kentuckyderby selfsrv -r -r was started on kentuckyderby strsclnt was started on jordan using the certs created on kentuckyderby strsclnt complains about invalid servercert jordans clock is 1min 19sec slower than kentuckyderby's (no ntp daemon running) the same test passsed on box and washer (linux) charm (HP) and hbombaix (AIX) the test passes on jordan, if I use a certdatabase that is 10 minutes old TZ is set to: jordan: PST8PDT box: TZ: Undefined variable. washer: TZ: Undefined variable. charm: PST8PDT rsh hbombaix: PST8PDT kentuckyderby: US/Pacific
Priority: -- → P3
Target Milestone: --- → 3.3
Attached file output log
More info: 1. the cert DBs get generated on the server system, kentuckyderby, in this case. 2. The client running on jordan receives the newly minted server cert from the SSL server running on kentuckyderby and reports that it has expired (probably thinking it is not yet valid). The 24 hour "pending slop time" doesn't seem to be working here. Is this a bug introduced in rev 1.8 of certdb.c ? Or is there a problem with LL_ macros on AIX? or ??
Status: NEW → ASSIGNED
I am not sure if this problem is the same, but just in case...: Patrick wrote: Hello, It looks like NSS operates in GMT time by default. So if I have a cert issued for 11:00 EST, and I run an NSS-enabled app, the certificate will be considered "expired" or not valid yet because NSS thinks it was issued for 15:00 EST...At least that's how I interpreted this problem. In my lab I did have such a scneario and the way I got my app to accept the cert was to change the timezone and set it to GMT (TZ=GMT). So is there a way to configure NSS to use EST instead of GMT? -- Patrick
Please review this patch. I'd also like someone to review the functions in util/dertime.c, especially DER_AsciiToTime(). I'm not convinced it's right. If its method of turning a yymmddhhmmss+hhmm string into a number of microseconds since Jan 1 1970 is wrong then we'll see more problems.
I reviewed the patch. It is fine. So seems like the slop time for CERT_CheckCertValidTimes() could never have worked before, or did NSS use a datatype for time whose unit was seconds before switching to PRTime? Some of the 'int64' types in certdb.c should be changed to 'PRTime' to be self-documenting. It would also be nice to add a comment near PENDING_SLOP and pendingSlop to indicate the time unit is seconds, although that can be inferred from the (24L*60L*60L) constant and is documented in cert.h. the cert.h header file
I concur that the slop time has apparently never worked before. At one time, it was necessary that NSS be able to compile against either NSPR1 or NSPR2 headers. In NSPR1, the type PRTime was a structure equivalent to NSPR2's PRExplodedTime type, so it was not possible to use the type PRTime in sources that had to compile against either set of headers. That is why NSS uses int64 instead of PRTime almost everywhere in the cert library. However, I believe there is no further requirement for NSS to continue to build with NSPR headers, so it is now appropriate to change all those int64s to PRTimes. The next patch does that, as well as fixes one other place where the slop time needed to be converted to microseconds.
This bug is now fixed on the trunk. The patch shown above for the NSS_3_2_BRANCH would also fix it for PSM.
Status: ASSIGNED → RESOLVED
Closed: 24 years ago
OS: Windows NT → All
Hardware: PC → All
Resolution: --- → FIXED
Summary: strsclnt: certs reported as expired when clock is off → new certs reported as expired when clock is slow
Component: Tools → Libraries
I checked Nelsons patch for NSS 3.2 into the NSS_3_2_BRANCH.
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: