Bug 1397472 - strsclnt gets stuck during session resumption when using client certificates [rhel-7]
Summary: strsclnt gets stuck during session resumption when using client certificates ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: nss
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: pre-dev-freeze
Target Release: 7.5
Assignee: Daiki Ueno
QA Contact: Hubert Kario
URL:
Whiteboard:
Depends On:
Blocks: 1397486
Reported: 2016-11-22 15:35 UTC by Frantisek Sumsal
Modified: 2018-04-10 09:25 UTC (History)

Fixed In Version: nss-3.33.0-3.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Clones: 1397486
Environment:
Last Closed: 2018-04-10 09:23:57 UTC




Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHEA-2018:0679 None None None 2018-04-10 09:25:17 UTC
Mozilla Foundation 1320708 None None None 2016-11-28 17:00:53 UTC
Red Hat Bugzilla 1373286 None None None 2019-09-19 11:18:05 UTC
Red Hat Bugzilla 1397365 None CLOSED NSS session resumption using session ID does not work for DHE-DSS ciphersuites [rhel7] 2019-09-19 11:18:05 UTC
Red Hat Bugzilla 1426182 None CLOSED RfE: Support ticket based session resumption using only ECDSA certificate [rhel-7] 2019-09-19 11:18:05 UTC

Internal Links: 1373286 1397365 1426182

Description Frantisek Sumsal 2016-11-22 15:35:03 UTC
Description of problem:
strsclnt gets stuck during session resumption (for both SessionTicket and sessionID) when using client certificates and when the server has enabled client certificate verification.

Version-Release number of selected component (if applicable):
nss-3.21.0-17.el7.x86_64

How reproducible:
always

Steps to Reproduce:
# NSS_CIPHER="002F"
# OPENSSL_CIPHER="AES128-SHA"
# openssl req -out ca.pem -new -x509 -nodes -subj "/CN=CA"
# openssl genrsa -out server.key 2048
# openssl req -key server.key -new -out server.req -subj "/CN=localhost"
# echo 00 > serial.srl
# openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial serial.srl -out server.pem
# openssl genrsa -out client.key 2048
# openssl req -key client.key -new -out client.req -subj "/CN=client"
# openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial serial.srl -out client.pem
# openssl pkcs12 -name client -export -inkey client.key -out client.p12 -in client.pem -passout "pass:"
# mkdir nssdb
# certutil -N --empty-password -d sql:./nssdb
# certutil -A -d sql:./nssdb/ -n ca -t 'cC,,' -a -i ca.pem
# pk12util -i client.p12 -d sql:./nssdb -W ''
# openssl s_server -www -key server.key -cert server.pem -CAfile ca.pem -cipher $OPENSSL_CIPHER -Verify 1 &
# sleep 2
# /usr/lib64/nss/unsupported-tools/strsclnt -p 4433 -d sql:./nssdb/ -c 100 -P 20 -n client -V tls1.0: -C :$NSS_CIPHER localhost

Actual results:
# /usr/lib64/nss/unsupported-tools/strsclnt -p 4433 -d sql:./nssdb/ -c 100 -P 20 -n client -V tls1.0: -C :$NSS_CIPHER localhost
strsclnt: -- SSL: Server Certificate Validated.

Expected results:
# /usr/lib64/nss/unsupported-tools/strsclnt -p 4433 -d sql:./nssdb/ -c 100 -P 20 -n client -V tls1.0: -C :$NSS_CIPHER localhost
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: 0 cache hits; 1 cache misses, 0 cache not reusable
          0 stateless resumes
<...snip...>
ACCEPT
strsclnt: 80 cache hits; 20 cache misses, 0 cache not reusable
          0 stateless resumes
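The reproduction above only shows the hang as "strsclnt never prints the cache summary". The script below is an added example (not part of the bug report or of NSS) that turns the same run into a pass/fail check: it runs strsclnt under `timeout` so a stuck resumption exits instead of blocking, and it compares the final "cache hits; cache misses" summary with the split the options imply. It assumes that `-P` is the percentage of full (non-resumed) handshakes, as the expected output shows (`-c 100 -P 20` giving 80 hits and 20 misses), and the 30-second timeout and the `SAMPLE_OUTPUT` text are constructed for illustration.

```shell
#!/bin/sh
# Added example: regression check for the hang described in the bug.
# Not from the bug report or NSS; paths and timeout are assumptions.

# Print "hits misses notreusable" from the LAST strsclnt summary line
# in the given output, or nothing if no summary line was printed.
parse_summary() {
    printf '%s\n' "$1" |
        sed -n 's/^strsclnt: \([0-9]*\) cache hits; \([0-9]*\) cache misses, \([0-9]*\) cache not reusable.*/\1 \2 \3/p' |
        tail -n 1
}

# check_resumption OUTPUT COUNT PERCENT
# COUNT*PERCENT/100 connections should be full handshakes (cache misses),
# the remainder resumed (cache hits), and none "not reusable".
check_resumption() {
    summary=$(parse_summary "$1")
    if [ -z "$summary" ]; then
        echo "no cache summary line: client hung or exited early" >&2
        return 1
    fi
    set -- $summary "$2" "$3"
    hits=$1; misses=$2; notreusable=$3; count=$4; percent=$5
    want_misses=$(( count * percent / 100 ))
    want_hits=$(( count - want_misses ))
    if [ "$hits" -ne "$want_hits" ] || [ "$misses" -ne "$want_misses" ] \
       || [ "$notreusable" -ne 0 ]; then
        echo "resumption broken: got $hits hits, $misses misses, $notreusable not reusable;" \
             "want $want_hits hits, $misses misses, 0 not reusable" >&2
        return 1
    fi
    return 0
}

# run_strsclnt NSSDB NICK HOST PORT CIPHERHEX
# Same command line as the reproduction, wrapped in a timeout (assumed
# 30 s) so a hang during resumption becomes a failed check.
run_strsclnt() {
    out=$(timeout 30 /usr/lib64/nss/unsupported-tools/strsclnt -p "$4" \
          -d "sql:$1" -c 100 -P 20 -n "$2" -V tls1.0: -C ":$5" "$3" 2>&1)
    rc=$?
    if [ "$rc" -eq 124 ]; then
        echo "strsclnt hung: killed by timeout" >&2
        return 1
    fi
    check_resumption "$out" 100 20
}

# Constructed sample of the expected (fixed) output, used for an offline run.
SAMPLE_OUTPUT='strsclnt: -- SSL: Server Certificate Validated.
strsclnt: 0 cache hits; 1 cache misses, 0 cache not reusable
          0 stateless resumes
ACCEPT
strsclnt: 80 cache hits; 20 cache misses, 0 cache not reusable
          0 stateless resumes'

check_resumption "$SAMPLE_OUTPUT" 100 20 && echo "sample output: resumption OK"
```

Against the unfixed build the wrapper fails with the timeout message; against nss-3.33.0-3.el7 a live run is `run_strsclnt ./nssdb client localhost 4433 002F` after starting the `openssl s_server` from the steps above.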

Comment 10 errata-xmlrpc 2018-04-10 09:23:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:0679

