Bug 1718293

Summary: NSS issues with client certificate selection [rhel-8]
Product: Red Hat Enterprise Linux 8 Reporter: Alicja Kario <hkario>
Component: nssAssignee: nss-nspr-maint <nss-nspr-maint>
Status: CLOSED DEFERRED QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: medium Docs Contact:
Priority: medium    
Version: 8.0CC: nss-nspr-maint, qe-baseos-security, rrelyea
Target Milestone: rcKeywords: Triaged
Target Release: 8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1718289 Environment:
Last Closed: 2021-01-08 23:02:17 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1718289    
Bug Blocks:    

Description Alicja Kario 2019-06-07 12:34:07 UTC 
+++ This bug was initially created as a clone of Bug #1718289 +++

Description of problem:
NSS will reply with internal_error when the signature algorithms or certificate selected can't be used with negotiated protocol version

Version-Release number of selected component (if applicable):
3.44

How reproducible:
Always

Steps to Reproduce:
1. setup server that asks in CertificateRequest message only for rsa_pkcs1_* signature algorithms
2. connect with nss client with rsa certificate
3.

Actual results:
internal_error sent

on client side:
tstclnt: connect: PR_IN_PROGRESS_ERROR: Operation is still in progress (probably a non-blocking connect)
tstclnt: about to call PR_Poll for connect completion!
tstclnt: PR_Poll returned 0x02 for socket out_flags.
tstclnt: ready...
tstclnt: about to call PR_Poll !
tstclnt: PR_Poll returned!
tstclnt: PR_Poll returned 0x00 for stdin out_flags.
tstclnt: PR_Poll returned 0x01 for socket out_flags.
tstclnt: PR_Poll returned 0x01 for socket out_flags.
tstclnt: Read from server -1 bytes
tstclnt: about to call PR_Poll !
tstclnt: PR_Poll returned!
tstclnt: PR_Poll returned 0x00 for stdin out_flags.
tstclnt: PR_Poll returned 0x01 for socket out_flags.
tstclnt: PR_Poll returned 0x01 for socket out_flags.
tstclnt: Read from server -1 bytes
tstclnt: about to call PR_Poll !
tstclnt: PR_Poll returned!
tstclnt: PR_Poll returned 0x00 for stdin out_flags.
tstclnt: PR_Poll returned 0x01 for socket out_flags.
tstclnt: PR_Poll returned 0x01 for socket out_flags.
tstclnt: using asynchronous certificate validation
tstclnt: Read from server -1 bytes
tstclnt: read from socket failed: SEC_ERROR_LIBRARY_FAILURE: security library failure.
tstclnt: exiting with return code 1

Expected results:
handshake_failure

Additional info:
Upstream analysis (MZBZ#1552254) indicates that the way NSS processes client certificates is problematic in general - thus the subject.