Bug 1397472

Summary: strsclnt gets stuck during session resumption when using client certificates [rhel-7]
Product: Red Hat Enterprise Linux 7 Reporter: Frantisek Sumsal <fsumsal>
Component: nssAssignee: Daiki Ueno <dueno>
Status: CLOSED ERRATA QA Contact: Hubert Kario <hkario>
Severity: low Docs Contact:
Priority: low    
Version: 7.3CC: hkario, kengert, nmavrogi, szidek
Target Milestone: pre-dev-freezeKeywords: TestBlocker
Target Release: 7.5   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: nss-3.33.0-3.el7 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1397486 (view as bug list) Environment:
Last Closed: 2018-04-10 09:23:57 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On:    
Bug Blocks: 1397486    

Description Frantisek Sumsal 2016-11-22 15:35:03 UTC
Description of problem:
strsclnt gets stuck during session resumption (for both SessionTicket and sessionID) when using client certificates and when the server has enabled client certificate verification.

Version-Release number of selected component (if applicable):
nss-3.21.0-17.el7.x86_64

How reproducible:
always

Steps to Reproduce:
# NSS_CIPHER="002F"
# OPENSSL_CIPHER="AES128-SHA"
# openssl req -out ca.pem -new -x509 -nodes -subj "/CN=CA"
# openssl genrsa -out server.key 2048
# openssl req -key server.key -new -out server.req -subj "/CN=localhost"
# echo 00 > serial.srl
# openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial serial.srl -out server.pem
# openssl genrsa -out client.key 2048 -nodes
# openssl req -key client.key -new -out client.req -subj "/CN=client"
# openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial serial.srl -out client.pem
# openssl pkcs12 -name client -export -inkey client.key -out client.p12 -in client.pem -passout "pass:"
# mkdir nssdb
# certutil -N --empty-password -d sql:./nssdb
# certutil -A -d sql:./nssdb/ -n ca -t 'cC,,' -a -i ca.pem
# pk12util -i client.p12 -d sql:./nssdb -W ''
# openssl s_server -www -key server.key -cert server.pem -CAfile ca.pem -cipher $OPENSSL_CIPHER -Verify 1 &
# sleep 2
# /usr/lib64/nss/unsupported-tools/strsclnt -p 4433 -d sql:./nssdb/ -c 100 -P 20 -n client -V tls1.0: -C :$NSS_CIPHER localhost

Actual results:
# /usr/lib64/nss/unsupported-tools/strsclnt -p 4433 -d sql:./nssdb/ -c 100 -P 20 -n client -V tls1.0: -C :$NSS_CIPHER localhost
strsclnt: -- SSL: Server Certificate Validated.

Expected results:
# /usr/lib64/nss/unsupported-tools/strsclnt -p 4433 -d sql:./nssdb/ -c 100 -P 20 -n client -V tls1.0: -C :$NSS_CIPHER localhost
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: 0 cache hits; 1 cache misses, 0 cache not reusable
          0 stateless resumes
<...snip...>
ACCEPT
strsclnt: 80 cache hits; 20 cache misses, 0 cache not reusable
          0 stateless resumes

Comment 10 errata-xmlrpc 2018-04-10 09:23:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0679