Bug 1397486
| Summary: | strsclnt gets stuck during session resumption when using client certificates [rhel-6] | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 6 | Reporter: | Frantisek Sumsal <fsumsal> |
| Component: | nss | Assignee: | Daiki Ueno <dueno> |
| Status: | CLOSED ERRATA | QA Contact: | Stefan Dordevic <sdordevi> |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | 6.8 | CC: | hkario, kengert, mkolaja, mthacker, nss-nspr-maint, qe-baseos-security, sdordevi |
| Target Milestone: | rc | Keywords: | TestBlocker |
| Target Release: | --- | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | nss-3.36.0-4.el6 | Doc Type: | If docs needed, set a value |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 1397472 | Environment: | |
| Last Closed: | 2018-06-19 05:10:04 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1397472, 1485481 | ||
| Bug Blocks: | |||
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2018:1865 |
Description of problem: strsclnt gets stuck during session resumption (for both SessionTicket and sessionID) when using client certificates and when the server has enabled client certificate verification. Version-Release number of selected component (if applicable): nss-3.21.3-2.el6_8.x86_64 How reproducible: always Steps to Reproduce: # NSS_CIPHER="002F" # OPENSSL_CIPHER="AES128-SHA" # openssl req -out ca.pem -new -x509 -nodes -subj "/CN=CA" # openssl genrsa -out server.key 2048 # openssl req -key server.key -new -out server.req -subj "/CN=localhost" # echo 00 > serial.srl # openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial serial.srl -out server.pem # openssl genrsa -out client.key 2048 -nodes # openssl req -key client.key -new -out client.req -subj "/CN=client" # openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial serial.srl -out client.pem # openssl pkcs12 -name client -export -inkey client.key -out client.p12 -in client.pem -passout "pass:" # mkdir nssdb # certutil -N --empty-password -d sql:./nssdb # certutil -A -d sql:./nssdb/ -n ca -t 'cC,,' -a -i ca.pem # pk12util -i client.p12 -d sql:./nssdb -W '' # openssl s_server -www -key server.key -cert server.pem -CAfile ca.pem -cipher $OPENSSL_CIPHER -Verify 1 & # sleep 2 # /usr/lib64/nss/unsupported-tools/strsclnt -p 4433 -d sql:./nssdb/ -c 100 -P 20 -n client -V tls1.0: -C :$NSS_CIPHER localhost Actual results: # /usr/lib64/nss/unsupported-tools/strsclnt -p 4433 -d sql:./nssdb/ -c 100 -P 20 -n client -V tls1.0: -C :$NSS_CIPHER localhost strsclnt: -- SSL: Server Certificate Validated. Expected results: # /usr/lib64/nss/unsupported-tools/strsclnt -p 4433 -d sql:./nssdb/ -c 100 -P 20 -n client -V tls1.0: -C :$NSS_CIPHER localhost strsclnt: -- SSL: Server Certificate Validated. strsclnt: 0 cache hits; 1 cache misses, 0 cache not reusable 0 stateless resumes <...snip...> ACCEPT strsclnt: 80 cache hits; 20 cache misses, 0 cache not reusable 0 stateless resumes