Bug 1426182

Summary: RfE: Support ticket based session resumption using only ECDSA certificate [rhel-7]
Product: Red Hat Enterprise Linux 7
Reporter: Hubert Kario <hkario>
Component: nss
Assignee: Daiki Ueno <dueno>
Status: CLOSED ERRATA
QA Contact: Hubert Kario <hkario>
Severity: medium
Docs Contact:
Priority: medium
Version: 7.3
CC: dueno, fsumsal, huzaifas, kengert, mthacker, nmavrogi, qe-baseos-security, rrelyea, szidek
Target Milestone: rc
Keywords: FutureFeature
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version: nss-3.34.0-0.1.beta1.el7
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1397410
: 1455876
Environment:
Last Closed: 2018-04-10 09:25:43 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1397410
Bug Blocks: 1397482, 1455876

Description Hubert Kario 2017-02-23 11:44:22 UTC
As subject notes, this bug is about support of the session tickets when the server has only an ECDSA certificate.

+++ This bug was initially created as a clone of Bug #1397410 +++

Description of problem:
selfserv segfaults during the handshake while using the SessionTicket extension for session resumption. This issue does not occur, however, when using client certificates.

Version-Release number of selected component (if applicable):
nss-3.21.0-17.el7.x86_64
nss-util-3.21.0-2.2.el7_2.x86_64

How reproducible:
always

Steps to Reproduce:
# NSS_CIPHER="C00A"
# OPENSSL_CIPHER="ECDHE-ECDSA-AES256-SHA"
# ulimit -c unlimited
# openssl ecparam -genkey -name prime256v1 -out ec.key
# openssl req -new -x509 -key ec.key -out ec-cert.pem -days 3650 -subj "/CN=localhost" -nodes
# openssl pkcs12 -name ec -export -inkey ec.key -out ec.p12 -in ec-cert.pem -passout "pass:"
# mkdir nssdb
# certutil -N --empty-password -d sql:./nssdb
# certutil -A -d sql:./nssdb/ -n ec -t ',,' -a -i ec-cert.pem
# pk12util -i ec.p12 -d sql:./nssdb -W ''
# /usr/lib64/nss/unsupported-tools/selfserv -d sql:./nssdb/ -p 4433 -V tls1.0: -H 1 -e ec -c :$NSS_CIPHER -u &
# sleep 3
# openssl s_client -connect localhost:4433 -CAfile ec-cert.pem -cipher $OPENSSL_CIPHER -sess_out sess.pem > full.log < /dev/null
# grep "New, TLSv1/SSLv3" full.log || echo "ERROR: HANDSHAKE ERROR"
# openssl s_client -connect localhost:4433 -CAfile ec-cert.pem -cipher $OPENSSL_CIPHER -sess_in sess.pem > resumption.log < /dev/null
# grep "Reused, TLSv1/SSLv3" resumption.log || echo "ERROR: RESUMPTION EXPECTED"

Actual results:
# openssl s_client -connect localhost:4433 -CAfile ec-cert.pem -cipher $OPENSSL_CIPHER -sess_out sess.pem > full.log < /dev/null
depth=0 CN = localhost
verify return:1
140699908630432:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
# grep "New, TLSv1/SSLv3" full.log || echo "ERROR: HANDSHAKE ERROR"
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-SHA
# openssl s_client -connect localhost:4433 -CAfile ec-cert.pem -cipher $OPENSSL_CIPHER -sess_in sess.pem > resumption.log < /dev/null
Can't open session file sess.pem
140226465114016:error:02001002:system library:fopen:No such file or directory:bss_file.c:169:fopen('sess.pem','r')
140226465114016:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:172:
# grep "Reused, TLSv1/SSLv3" resumption.log || echo "ERROR: RESUMPTION EXPECTED"
[1]+  Segmentation fault      (core dumped) /usr/lib64/nss/unsupported-tools/selfserv -d sql:./nssdb/ -p 4433 -V tls1.0: -H 1 -e ec -c :$NSS_CIPHER -u
ERROR: RESUMPTION EXPECTED

Expected results:
Handshake and session resumption should finish successfully.
SessionID example:
# /usr/lib64/nss/unsupported-tools/selfserv -d sql:./nssdb/ -p 4433 -V tls1.0: -H 1 -e ec -c :$NSS_CIPHER &
[1] 14341
# sleep 3
# openssl s_client -connect localhost:4433 -CAfile ec-cert.pem -cipher $OPENSSL_CIPHER -no_ticket -sess_out sess.pem > full.log < /dev/null
depth=0 CN = localhost
verify return:1
DONE
# grep "New, TLSv1/SSLv3" full.log || echo "ERROR: HANDSHAKE ERROR"
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-SHA
# openssl s_client -connect localhost:4433 -CAfile ec-cert.pem -cipher $OPENSSL_CIPHER -no_ticket -sess_in sess.pem > resumption.log < /dev/null
DONE
# grep "Reused, TLSv1/SSLv3" resumption.log || echo "ERROR: RESUMPTION EXPECTED"
Reused, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-SHA

Additional info:
Offending ciphersuites (openssl/nss):
ECDHE-ECDSA-AES256-SHA/C00A
ECDHE-ECDSA-AES128-SHA256/C023
ECDHE-ECDSA-AES128-GCM-SHA256/C02B
ECDHE-ECDSA-AES256-GCM-SHA384/C02C

Backtrace:
#0  0x00007f7deb81f42e in ssl3_GenerateSessionTicketKeysPKCS11 () from /lib64/libssl3.so
#1  0x00007f7deaa57c95 in PR_CallOnceWithArg () from /lib64/libnspr4.so
#2  0x00007f7deb81e672 in ssl3_GetSessionTicketKeysPKCS11 () from /lib64/libssl3.so
#3  0x00007f7deb8206c2 in ssl3_SendNewSessionTicket () from /lib64/libssl3.so
#4  0x00007f7deb8159c6 in ssl3_HandleHandshakeMessage () from /lib64/libssl3.so
#5  0x00007f7deb818051 in ssl3_HandleRecord () from /lib64/libssl3.so
#6  0x00007f7deb8194a2 in ssl3_GatherCompleteHandshake () from /lib64/libssl3.so
#7  0x00007f7deb81a285 in ssl_GatherRecord1stHandshake () from /lib64/libssl3.so
#8  0x00007f7deb822925 in ssl_Do1stHandshake () from /lib64/libssl3.so
#9  0x00007f7deb823e6f in ssl_SecureRecv () from /lib64/libssl3.so
#10 0x00007f7deb827fe8 in ssl_Read () from /lib64/libssl3.so
#11 0x0000000000408512 in handle_connection ()
#12 0x0000000000409004 in jobLoop ()
#13 0x0000000000407641 in thread_wrapper ()
#14 0x00007f7deaa6596b in _pt_root () from /lib64/libnspr4.so
#15 0x00007f7dea5eadc5 in start_thread () from /lib64/libpthread.so.0
#16 0x00007f7dea11573d in clone () from /lib64/libc.so.6

--- Additional comment from Kai Engert (:kaie) on 2017-01-30 05:17:08 EST ---

fixed upstream, we must pick up the fix.

Might require backporting.

We must investigate how difficult to backport, because Daiki said, it might depend on recent upstream refactoring after 3.28, and we currently intend to rebase to 3.28, only.

Maybe we must change the plan, and rebase 7.4.0 to something newer?

--- Additional comment from Hubert Kario on 2017-01-30 09:06:27 EST ---

given problems with ecdsa signatures in 3.28 (see bug 1417644), we'll probably need to rebase to something later for 7.3.z anyway, let alone 7.4.0

--- Additional comment from Kai Engert (:kaie) on 2017-01-30 10:46:58 EST ---

(a)
This bug was reported against 3.21 

Why is this urgent and required for 7.3.z?

If the bug was known with old NSS, why can't the fix wait until the next y-stream 7.4.0 ?


(b)
We shouldn't rebase 7.3.z to NSS 3.29, that's not even released yet, and hasn't been tested anywhere in production.

Daiki, what is your recommendation, if a fix to 7.3.z is required?


(c)
For the other bug 1417644 you mentioned, the fix is a minimal downstream patch that changes a bool parameter.

--- Additional comment from Kai Engert (:kaie) on 2017-02-08 12:29:36 EST ---

-> should get fixed for 7.4.0

-> not immediately required for z-stream

--- Additional comment from Kai Engert (:kaie) on 2017-02-08 12:31:51 EST ---

Daiki, could you please recommend how we should fix this for NSS 3.28.x in RHEL 7.4.0

--- Additional comment from Daiki Ueno on 2017-02-20 07:45:48 EST ---

There are two distinct issues discussed here (linked to the upstream bugs), which seem to be causing confusion:

- with 3.21.x, the steps cause a segmentation fault
- with 3.28.x, the steps don't cause a segmentation fault, but session tickets don't work

The former should be fixed with our rebase to 3.28.x.  Also, while the former might be a security issue, I don't think the latter is.

So, I would suggest to close this bug and open a new bug for the latter (with a lower severity), if we want to track it.

--- Additional comment from Kai Engert (:kaie) on 2017-02-22 15:44:58 EST ---

I agree to split the issues into two separate bugs.

If anyone thinks we must track support for sessions-tickets-with-EC-key-only-configuration with a RHEL bug, which will be supported by upstream NSS 3.30, then please go ahead and file a bug.

Let's keep the focus of this bug on the crash.

Because we know we will fix the crash bug with the rebase, maybe we should keep this bug open, until the rebase and crash fix is actually completed?
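
The reproducer above decides pass/fail with two greps over the s_client output ("New, TLSv1/SSLv3" after the first connection, "Reused, TLSv1/SSLv3" after the second). The following is an added example, not part of the bug report and not NSS or OpenSSL code: a small Python classifier that applies the same two checks to constructed transcripts modelled on the output shown above, and distinguishes the failure mode seen here (the first connection printed "New" but sess.pem was never written, so the second run fails in fopen() before any TLS traffic) from a server that simply performs a second full handshake. It assumes the s_client status-line format and the OpenSSL error-queue line format (`<thread>:error:<code>:<library>:<function>:<reason>:<file>:<line>:`) seen on this page; it matches the protocol field loosely so that newer OpenSSL releases that print "New, TLSv1.3, ..." are handled as well, which goes beyond what the bug report shows.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Post-handshake status line printed by `openssl s_client`. The reproducer
# greps for "New, TLSv1/SSLv3" and "Reused, TLSv1/SSLv3"; newer OpenSSL prints
# the negotiated version instead ("New, TLSv1.3, ..."), so the protocol field
# is matched loosely (assumption beyond the bug report).
STATUS_RE = re.compile(r"^(New|Reused), ([^,]+), Cipher is (\S+)", re.M)

# OpenSSL error-queue lines:
#   <thread>:error:<code>:<library>:<function>:<reason>:<file>:<line>:
ERROR_RE = re.compile(r"^\d+:error:[0-9A-Fa-f]+:([^:]*):([^:]*):([^:]*):", re.M)


@dataclass
class HandshakeResult:
    status: str                   # "new", "reused" or "failed"
    cipher: Optional[str] = None  # e.g. "ECDHE-ECDSA-AES256-SHA"
    # (library, function, reason) for every error-queue line in the transcript
    errors: List[Tuple[str, str, str]] = field(default_factory=list)


def parse_sclient(log: str) -> HandshakeResult:
    """Classify one s_client run from its combined stdout/stderr text."""
    errors = [m.groups() for m in ERROR_RE.finditer(log)]
    m = STATUS_RE.search(log)
    # No status line, or the "(NONE)" placeholder s_client prints when the
    # handshake never completed, both count as a failed handshake.
    if m is None or m.group(3) == "(NONE)":
        return HandshakeResult("failed", None, errors)
    status = "reused" if m.group(1) == "Reused" else "new"
    return HandshakeResult(status, m.group(3), errors)


def check_resumption(full_log: str, resumption_log: str) -> Tuple[bool, str]:
    """Apply the reproducer's two checks: the first connection must complete a
    full handshake, the second must report the session as reused."""
    first = parse_sclient(full_log)
    second = parse_sclient(resumption_log)
    if first.status != "new":
        return False, "HANDSHAKE ERROR: first connection did not complete a full handshake"
    if second.status == "reused":
        if second.cipher != first.cipher:
            return False, f"RESUMED WITH DIFFERENT CIPHER: {first.cipher} -> {second.cipher}"
        return True, f"resumed with {second.cipher}"
    # The failure mode in this bug: the server died while sending the
    # NewSessionTicket, s_client never saved sess.pem, and the second run
    # fails at fopen() before a single TLS record is sent.
    if any(func == "fopen" for _, func, _ in second.errors):
        extra = f" (first connection also logged: {first.errors})" if first.errors else ""
        return False, "RESUMPTION EXPECTED: no session file was saved by the first connection" + extra
    if second.status == "new":
        return False, "RESUMPTION EXPECTED: server negotiated a new session instead of resuming"
    return False, "RESUMPTION EXPECTED: second handshake failed"


# Constructed sample transcripts, modelled on the output in the bug report
# (stdout and stderr of each s_client run concatenated).
FULL_LOG_BROKEN = """depth=0 CN = localhost
verify return:1
140699908630432:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:184:
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-SHA
"""
RESUMPTION_LOG_BROKEN = """Can't open session file sess.pem
140226465114016:error:02001002:system library:fopen:No such file or directory:bss_file.c:169:fopen('sess.pem','r')
140226465114016:error:2006D080:BIO routines:BIO_new_file:no such file:bss_file.c:172:
"""
FULL_LOG_OK = """depth=0 CN = localhost
verify return:1
New, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-SHA
DONE
"""
RESUMPTION_LOG_OK = """Reused, TLSv1/SSLv3, Cipher is ECDHE-ECDSA-AES256-SHA
DONE
"""

if __name__ == "__main__":
    cases = {
        "ticket, broken server": (FULL_LOG_BROKEN, RESUMPTION_LOG_BROKEN),
        "session ID, working": (FULL_LOG_OK, RESUMPTION_LOG_OK),
        "server never resumes": (FULL_LOG_OK, FULL_LOG_OK),
    }
    for name, (full, resumed) in cases.items():
        ok, reason = check_resumption(full, resumed)
        print(f"{name}: {'PASS' if ok else 'FAIL'} - {reason}")
```

In a real test run the two strings would be the contents of full.log and resumption.log with stderr redirected into the same file (`2>&1`), so that the error-queue lines are visible to the classifier; the grep-based check in the reproducer only sees stdout, which is why it reported a successful first handshake even though the session file was never written.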

Comment 2 Kai Engert (:kaie) (inactive account) 2017-09-01 11:31:00 UTC
This was apparently fixed upstream, and we'd get this fix by rebasing to NSS 3.30 or later.

Comment 11 errata-xmlrpc 2018-04-10 09:25:43 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0679