Description of problem: Current NSS version support RSA-PSS signatures on Server Key Exchange message (among others), unfortunately nss-pem does not, leading to problems like in bug 1383809. Version-Release number of selected component (if applicable): nss-pem-1.0.2-2.fc24.x86_64 How reproducible: Always Steps to Reproduce: 1. Use current NSS server with nss-pem provided private key 2. Connect with current NSS client Actual results: Connection goes kaboom at point where server should send Server Key Exchange message Expected results: Server Key Exchange signed with RSA-PSS sent and accepted. Additional info: While the kaboom is caused by NSS forcing module to do what it can't do, RSA-PSS is still nice thing to have (and actually a requirement for TLSv1.3 support) thus this is an RFE, not a bug
Is it necessary to debug this issue at server's side? I would prefer to debug this within curl. Any idea how to run into this bug at client's side?
I haven't tested if NSS implemented this part, but at least in theory, you should run into exactly the same problem with client trying to sign Certificate Verify message - try using RSA client certificates.
Issue still reproducible with nss-3.28.3-1.0.fc25.x86_64 nss-pem-1.0.2-2.fc25.x86_64 Also, I have verified that 3.28 will send rsa-pss signature algorithms in Certificate Request message so a test with client certificates should allow for debugging that on client side/with curl.
This message is a reminder that Fedora 25 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 25. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '25'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 25 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
as far as I am aware, there was no work done on this subject
This message is a reminder that Fedora 26 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 26. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as EOL if it remains open with a Fedora 'version' of '26'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version. Thank you for reporting this issue and we are sorry that we were not able to fix it before Fedora 26 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior this bug is closed as described in the policy above. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
I am afraid this is WONTFIX. I do not have time to work on this myself and nss-pem does not have any other contributors these days. Feel free to reopen with link to an upstream pull request that implements it.