Bug 1397472
| Summary: | strsclnt gets stuck during session resumption when using client certificates [rhel-7] | | |
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 7 | Reporter: | Frantisek Sumsal <fsumsal> |
| Component: | nss | Assignee: | Daiki Ueno <dueno> |
| Status: | CLOSED ERRATA | QA Contact: | Alicja Kario <hkario> |
| Severity: | low | Docs Contact: | |
| Priority: | low | | |
| Version: | 7.3 | CC: | hkario, kengert, nmavrogi, szidek |
| Target Milestone: | pre-dev-freeze | Keywords: | TestBlocker |
| Target Release: | 7.5 | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | | | |
| Fixed In Version: | nss-3.33.0-3.el7 | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | | |
| : | 1397486 | Environment: | |
| Last Closed: | 2018-04-10 09:23:57 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
| Bug Depends On: | | | |
| Bug Blocks: | 1397486 | | |

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0679

Description of problem:
strsclnt gets stuck during session resumption (for both SessionTicket and sessionID) when using client certificates and when the server has enabled client certificate verification.

Version-Release number of selected component (if applicable):
nss-3.21.0-17.el7.x86_64

How reproducible:
always

Steps to Reproduce:

```
# NSS_CIPHER="002F"
# OPENSSL_CIPHER="AES128-SHA"
# openssl req -out ca.pem -new -x509 -nodes -subj "/CN=CA"
# openssl genrsa -out server.key 2048
# openssl req -key server.key -new -out server.req -subj "/CN=localhost"
# echo 00 > serial.srl
# openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial serial.srl -out server.pem
# openssl genrsa -out client.key 2048 -nodes
# openssl req -key client.key -new -out client.req -subj "/CN=client"
# openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial serial.srl -out client.pem
# openssl pkcs12 -name client -export -inkey client.key -out client.p12 -in client.pem -passout "pass:"
# mkdir nssdb
# certutil -N --empty-password -d sql:./nssdb
# certutil -A -d sql:./nssdb/ -n ca -t 'cC,,' -a -i ca.pem
# pk12util -i client.p12 -d sql:./nssdb -W ''
# openssl s_server -www -key server.key -cert server.pem -CAfile ca.pem -cipher $OPENSSL_CIPHER -Verify 1 &
# sleep 2
# /usr/lib64/nss/unsupported-tools/strsclnt -p 4433 -d sql:./nssdb/ -c 100 -P 20 -n client -V tls1.0: -C :$NSS_CIPHER localhost
```

Actual results:

```
# /usr/lib64/nss/unsupported-tools/strsclnt -p 4433 -d sql:./nssdb/ -c 100 -P 20 -n client -V tls1.0: -C :$NSS_CIPHER localhost
strsclnt: -- SSL: Server Certificate Validated.
```

Expected results:

```
# /usr/lib64/nss/unsupported-tools/strsclnt -p 4433 -d sql:./nssdb/ -c 100 -P 20 -n client -V tls1.0: -C :$NSS_CIPHER localhost
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: 0 cache hits; 1 cache misses, 0 cache not reusable 0 stateless resumes
<...snip...>
ACCEPT
strsclnt: 80 cache hits; 20 cache misses, 0 cache not reusable 0 stateless resumes
```
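
An added example, not part of the original report: a shell helper for turning the reproducer above into an automated check that tells the hang apart from a run where resumption worked. The function name, the result labels, the 60-second limit and the sample text are assumptions; the summary-line format is taken from the expected results quoted above.

```shell
#!/bin/sh
# Added example (not from the bug report). Classifies one strsclnt run from
# the exit status of `timeout` and the captured output.
# Output format assumed from the "Expected results" quoted in the report.

# Constructed sample, modelled on the report's expected output.
SAMPLE_OK='strsclnt: -- SSL: Server Certificate Validated.
strsclnt: 0 cache hits; 1 cache misses, 0 cache not reusable
strsclnt: 80 cache hits; 20 cache misses, 0 cache not reusable'

classify_strsclnt_run() {
    status=$1
    output=$2
    # GNU timeout exits 124 when it had to kill the command: the hang.
    if [ "$status" -eq 124 ]; then
        echo "HANG"
        return 0
    fi
    # The last summary line carries the totals for the whole run.
    summary=$(printf '%s\n' "$output" |
        grep -E 'strsclnt: [0-9]+ cache hits; [0-9]+ cache misses' |
        tail -n 1)
    if [ -z "$summary" ]; then
        echo "NO_SUMMARY"
        return 0
    fi
    hits=$(printf '%s\n' "$summary" | sed -E 's/.*strsclnt: ([0-9]+) cache hits.*/\1/')
    misses=$(printf '%s\n' "$summary" | sed -E 's/.*; ([0-9]+) cache misses.*/\1/')
    # With client auth enabled, resumption working means at least one hit.
    if [ "$hits" -gt 0 ]; then
        echo "RESUMED hits=$hits misses=$misses"
    else
        echo "NO_RESUMPTION hits=$hits misses=$misses"
    fi
}

# Usage against the setup from the report (60 s limit is an assumption):
#   out=$(timeout 60 /usr/lib64/nss/unsupported-tools/strsclnt -p 4433 \
#         -d sql:./nssdb/ -c 100 -P 20 -n client -V tls1.0: \
#         -C :$NSS_CIPHER localhost 2>&1)
#   classify_strsclnt_run $? "$out"
```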