Bug 1718289

Summary: NSS issues with client certificate selection [rhel-7]
Product: Red Hat Enterprise Linux 7 Reporter: Alicja Kario <hkario>
Component: nssAssignee: nss-nspr-maint <nss-nspr-maint>
Status: CLOSED DEFERRED QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: 7.7CC: asosedki, rrelyea, ssorce
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1718293 (view as bug list) Environment:
Last Closed: 2021-03-10 17:40:34 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1509396    
Bug Blocks: 1718293    

Description Alicja Kario 2019-06-07 12:29:22 UTC 
Description of problem:
NSS will reply with internal_error when the signature algorithms or certificate selected can't be used with negotiated protocol version

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. setup server that asks in CertificateRequest message only for rsa_pkcs1_* signature algorithms
2. connect with nss client with rsa certificate
3.

Actual results:
internal_error sent

on client side:
tstclnt: connect: PR_IN_PROGRESS_ERROR: Operation is still in progress (probably a non-blocking connect)
tstclnt: about to call PR_Poll for connect completion!
tstclnt: PR_Poll returned 0x02 for socket out_flags.
tstclnt: ready...
tstclnt: about to call PR_Poll !
tstclnt: PR_Poll returned!
tstclnt: PR_Poll returned 0x00 for stdin out_flags.
tstclnt: PR_Poll returned 0x01 for socket out_flags.
tstclnt: PR_Poll returned 0x01 for socket out_flags.
tstclnt: Read from server -1 bytes
tstclnt: about to call PR_Poll !
tstclnt: PR_Poll returned!
tstclnt: PR_Poll returned 0x00 for stdin out_flags.
tstclnt: PR_Poll returned 0x01 for socket out_flags.
tstclnt: PR_Poll returned 0x01 for socket out_flags.
tstclnt: Read from server -1 bytes
tstclnt: about to call PR_Poll !
tstclnt: PR_Poll returned!
tstclnt: PR_Poll returned 0x00 for stdin out_flags.
tstclnt: PR_Poll returned 0x01 for socket out_flags.
tstclnt: PR_Poll returned 0x01 for socket out_flags.
tstclnt: using asynchronous certificate validation
tstclnt: Read from server -1 bytes
tstclnt: read from socket failed: SEC_ERROR_LIBRARY_FAILURE: security library failure.
tstclnt: exiting with return code 1

Expected results:
handshake_failure

Additional info:
Upstream analysis (MZBZ#1552254) indicates that the way NSS processes client certificates is problematic in general - thus the subject.