Bug 733657
| Summary: | nss: select client certificates by DER | ||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Product: | [Fedora] Fedora | Reporter: | Kamil Dudka <kdudka> | ||||||||||||||||
| Component: | curl | Assignee: | Kamil Dudka <kdudka> | ||||||||||||||||
| Status: | CLOSED RAWHIDE | QA Contact: | Fedora Extras Quality Assurance <extras-qa> | ||||||||||||||||
| Severity: | medium | Docs Contact: | |||||||||||||||||
| Priority: | medium | ||||||||||||||||||
| Version: | rawhide | CC: | emaldona, kdudka, paul, rcritten, rrelyea, thomas | ||||||||||||||||
| Target Milestone: | --- | Keywords: | Patch, Reopened | ||||||||||||||||
| Target Release: | --- | ||||||||||||||||||
| Hardware: | Unspecified | ||||||||||||||||||
| OS: | Unspecified | ||||||||||||||||||
| Whiteboard: | |||||||||||||||||||
| Fixed In Version: | curl-7.22.0-2.fc17 | Doc Type: | Bug Fix | ||||||||||||||||
| Doc Text: | Story Points: | --- | |||||||||||||||||
| Clone Of: | |||||||||||||||||||
| : | 733685 733749 733752 746629 (view as bug list) | Environment: | |||||||||||||||||
| Last Closed: | 2012-10-08 13:13:01 UTC | Type: | --- | ||||||||||||||||
| Regression: | --- | Mount Type: | --- | ||||||||||||||||
| Documentation: | --- | CRM: | |||||||||||||||||
| Verified Versions: | Category: | --- | |||||||||||||||||
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |||||||||||||||||
| Cloudforms Team: | --- | Target Upstream Version: | |||||||||||||||||
| Embargoed: | |||||||||||||||||||
| Bug Depends On: | 733685, 734760, 754771, 768669 | ||||||||||||||||||
| Bug Blocks: | 733749, 733752, 746629 | ||||||||||||||||||
| Attachments: |
|
||||||||||||||||||
|
Description
Kamil Dudka
2011-08-26 11:47:12 UTC
Created attachment 520096 [details]
first draft of the patch
Comment on attachment 520096 [details] first draft of the patch I did only some minor changes in order to return more precise error codes and wrote a workaround for bug #733657 -- Elio, could you please review these patches? Created attachment 520798 [details]
[PATCH 1/4] nss: select client certificates by DER
... instead of nicknames, which are not unique.
Created attachment 520799 [details]
[PATCH 2/4] nss: refactor fmt_nickname() -> dup_nickname()
Do not use artificial nicknames for certificates from files.
Created attachment 520800 [details]
[PATCH 3/3] nss: big cleanup in nss_load_cert() and cert_stuff()
(In reply to comment #2) > I did only some minor changes in order to return more precise error codes and > wrote a workaround for bug #733657 I meant bug #734760 of course :-) Created attachment 521707 [details]
[PATCH 3/4] nss: big cleanup in nss_load_cert() and cert_stuff()
Updated version of the patch, just two cosmetic changes.
Created attachment 521708 [details] [PATCH 4/4] nss: avoid a SIGSEGV with immature version of NSS workaround for bug #733685 comment #1 Comment on attachment 521708 [details]
[PATCH 4/4] nss: avoid a SIGSEGV with immature version of NSS
ok until 733685 gets fixed.
Thanks for review Elio. We are now one step forward to get those patches to upstream and Fedora. The patch 2/4 did not get review+. Does it mean there is still something to be improved? (In reply to comment #10) I just forgot click on +, done now. Great! I will send the patches upstream as soon as curl-7.22.0 is out. They have a feature freeze right now... patches sent upstream: http://thread.gmane.org/gmane.comp.web.curl.library/32984 fixed in curl-7.22.0-2.fc17 pushed upstream: https://github.com/bagder/curl/compare/d47d95ac3b...491c5a497c This patch breaks curl for me. I use a client certificate and private key. Before this patch, I was able to make multiple requests using pycurl (so, reusing the curl library, instead of using the curl command line tool which can only do single shot requests). Due to this patch, the second request made (even if it is exactly the same as the first one) fails. $ python credex.py * About to connect() to api.test.credex.net.local port 9001 (#0) * Trying 127.0.0.1... * connected * Initializing NSS with certpath: sql:/etc/pki/nssdb * CAfile: /home/thomas/credex/git/dev/partner/credexapp/credexapp/ca_bundle.pem CApath: none * NSS: client certificate from file * subject: C=US,ST=New York,L=New Jersey,E=client_app.credex.net.local,CN=TestClientAppLocal,OU=CredEx,O=http://www.credex.net.local/featcredex,O="Emerging Payment Technologies, Local" * start date: Jan 13 16:58:47 2012 GMT * expire date: Jan 11 16:58:47 2020 GMT * common name: TestClientAppLocal * issuer: C=US,ST=New York,L=New Jersey,E=featcredex.local,CN=FeatCredEx Development Gateway CA,OU=CredEx,O=http://www.credex.net.local/featcredex,O="Emerging Payment Technologies, Local" * SSL connection using TLS_RSA_WITH_AES_256_CBC_SHA * Server certificate: * subject: C=US,ST=New York,L=New Jersey,E=client_app.net.local,CN=api.test.credex.net.local,OU=CredEx,O=http://www.credex.net.local/featcredex,O="Emerging Payment Technologies, Local" * start date: Jan 13 16:58:46 2012 GMT * expire date: Jan 11 16:58:46 2020 GMT * common name: api.test.credex.net.local * issuer: C=US,ST=New York,L=New Jersey,E=featcredex.local,CN=FeatCredEx Development Gateway CA,OU=CredEx,O=http://www.credex.net.local/featcredex,O="Emerging Payment Technologies, Local" > POST /api/1.0/eva/reports HTTP/1.1 User-Agent: PycURL/7.21.3 Host: api.test.credex.net.local:9001 Accept: application/json Content-Type:application/json Content-Length: 146 * upload completely sent off: 146out of 146 bytes < HTTP/1.1 200 OK < Transfer-Encoding: chunked < Date: Sat, 08 Sep 2012 09:03:59 GMT < Connection: close < Cache-Control: no-cache < Content-Type: application/json < Server: TwistedWeb/11.1.0 < * Closing connection #0 * About to connect() to api.test.credex.net.local port 9001 (#0) * Trying 127.0.0.1... * connected * CAfile: /home/thomas/credex/git/dev/partner/credexapp/credexapp/ca_bundle.pem CApath: none * NSS error -5938 * Closing connection #0 * SSL connect error I narrowed it down to this patch by rebuilding curl from the fedora pkg repository. commit 95558f1 (which adds this patch) is the first one where it breaks - 7.22.0-2 commit eaba13 still works - 7.22.0-1 This is pretty critical for anyone using curl as a library with client certificates, and I can't see any other workaround right now except for downgrading curl. I ran into this problem on F17, F16 had a version of curl that still worked.
The current package for F17 (7.24.0-5) gives an explanation for the NSS error:
* About to connect() to api.test.credex.net.local port 9001 (#0)
* Trying 127.0.0.1...
* connected
* Connected to api.test.credex.net.local (127.0.0.1) port 9001 (#0)
* CAfile: /home/thomas/credex/git/dev/partner/credexapp/credexapp/ca_bundle.pem
CApath: none
* NSS error -5938 (PR_END_OF_FILE_ERROR)
* Encountered end of file
* Closing connection #0
From looking at the patch and comparing the output between successful and failed attempts, I'd say the changes in
static SECStatus SelectClientCert(void *arg, PRFileDesc *s
ock,
struct CERTCertificateStr **pRetCert,
struct SECKEYPrivateKeyStr **pRetKey)
have affected handling of client certificates.
Created attachment 610977 [details]
two connections in a row using a client certificate
Thanks for feedback! Could you please attach a pycurl-based minimal example that repeats the problem for you? You can use the attached one, which works for me, as a template...
Thomas, could you please provide additional info on how to trigger the bug? I'd be happy to write a fix for this, but I need to know what the problem is... The issue described in comment #0 is believed to be fixed. Please open a separate bug for the problem you are facing with some steps to reproduce. Thanks in advance! |