Bug 1397486 - strsclnt gets stuck during session resumption when using client certificates [rhel-6]
Summary: strsclnt gets stuck during session resumption when using client certificates ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: nss
Version: 6.8
Hardware: Unspecified
OS: Unspecified
low
low
Target Milestone: rc
: ---
Assignee: Daiki Ueno
QA Contact: Stefan Dordevic
URL:
Whiteboard:
Depends On: 1397472 1485481
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-11-22 15:57 UTC by Frantisek Sumsal
Modified: 2018-06-19 05:11 UTC (History)
7 users (show)

Fixed In Version: nss-3.36.0-4.el6
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1397472
Environment:
Last Closed: 2018-06-19 05:10:04 UTC
Target Upstream Version:

Attachments (Terms of Use)
Add an attachment (proposed patch, testcase, etc.)


Links
System ID Private Priority Status Summary Last Updated
Mozilla Foundation 1320708 0 -- RESOLVED strsclnt gets stuck during session resumption when using client certificates 2020-04-23 16:50:50 UTC
Red Hat Product Errata RHEA-2018:1865 0 None None None 2018-06-19 05:11:25 UTC

Description Frantisek Sumsal 2016-11-22 15:57:05 UTC 
Description of problem:
strsclnt gets stuck during session resumption (for both SessionTicket and sessionID) when using client certificates and when the server has enabled client certificate verification.

Version-Release number of selected component (if applicable):
nss-3.21.3-2.el6_8.x86_64

How reproducible:
always

Steps to Reproduce:
# NSS_CIPHER="002F"
# OPENSSL_CIPHER="AES128-SHA"
# openssl req -out ca.pem -new -x509 -nodes -subj "/CN=CA"
# openssl genrsa -out server.key 2048
# openssl req -key server.key -new -out server.req -subj "/CN=localhost"
# echo 00 > serial.srl
# openssl x509 -req -in server.req -CA ca.pem -CAkey privkey.pem -CAserial serial.srl -out server.pem
# openssl genrsa -out client.key 2048 -nodes
# openssl req -key client.key -new -out client.req -subj "/CN=client"
# openssl x509 -req -in client.req -CA ca.pem -CAkey privkey.pem -CAserial serial.srl -out client.pem
# openssl pkcs12 -name client -export -inkey client.key -out client.p12 -in client.pem -passout "pass:"
# mkdir nssdb
# certutil -N --empty-password -d sql:./nssdb
# certutil -A -d sql:./nssdb/ -n ca -t 'cC,,' -a -i ca.pem
# pk12util -i client.p12 -d sql:./nssdb -W ''
# openssl s_server -www -key server.key -cert server.pem -CAfile ca.pem -cipher $OPENSSL_CIPHER -Verify 1 &
# sleep 2
# /usr/lib64/nss/unsupported-tools/strsclnt -p 4433 -d sql:./nssdb/ -c 100 -P 20 -n client -V tls1.0: -C :$NSS_CIPHER localhost

Actual results:
# /usr/lib64/nss/unsupported-tools/strsclnt -p 4433 -d sql:./nssdb/ -c 100 -P 20 -n client -V tls1.0: -C :$NSS_CIPHER localhost
strsclnt: -- SSL: Server Certificate Validated.

Expected results:
# /usr/lib64/nss/unsupported-tools/strsclnt -p 4433 -d sql:./nssdb/ -c 100 -P 20 -n client -V tls1.0: -C :$NSS_CIPHER localhost
strsclnt: -- SSL: Server Certificate Validated.
strsclnt: 0 cache hits; 1 cache misses, 0 cache not reusable
          0 stateless resumes
<...snip...>
ACCEPT
strsclnt: 80 cache hits; 20 cache misses, 0 cache not reusable
          0 stateless resumes
Comment 9 errata-xmlrpc 2018-06-19 05:10:04 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHEA-2018:1865
Note You need to log in before you can comment on or make changes to this bug.