Due to a recent update on Javascript code a full page refresh on your browser might be needed.
Bug 693252 - nss needs to be able to use pem files interchangeably in a single process
Summary: nss needs to be able to use pem files interchangeably in a single process
Keywords:
Status: CLOSED DUPLICATE of bug 694294
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: curl
Version: 6.1
Hardware: Unspecified
OS: Unspecified
unspecified
medium
Target Milestone: rc
: ---
Assignee: Kamil Dudka
QA Contact: BaseOS QE Security Team
URL:
Whiteboard:
Depends On: 689031 694294 695747 696665 765921 806043
Blocks: 568421
TreeView+ depends on / blocked
 
Reported: 2011-04-03 22:49 UTC by Kamil Dudka
Modified: 2014-01-21 06:20 UTC (History)
2 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of: 689031
Environment:
Last Closed: 2011-04-07 06:06:32 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Bugzilla 761086 None None None Never

Internal Links: 761086

Description Kamil Dudka 2011-04-03 22:49:29 UTC
+++ This bug was initially created as a clone of Bug #689031 +++

Description of problem:

using curl which uses nss. When I attempt to use pem files with curl (through pycurl) the first pem file I put in as a client-side key is the only one nss will ever use. It won't let me change the in-use key/cert pair.

--- Additional comment from kdudka on 2011-04-01 12:18:40 CEST ---

I think we should hook somewhere around the following condition:

        /* If we previously did client-auth, make sure that the token that
        ** holds the private key still exists, is logged in, hasn't been
        ** removed, etc.
        */
        if (sidOK && !ssl3_ClientAuthTokenPresent(sid)) {
            sidOK = PR_FALSE;
        }

If I return PR_FALSE from ssl3_ClientAuthTokenPresent() in a debugger, it connects fine with unpatched libcurl.  Any chance to invalidate the client authentication for a particular SSL socket?

--- Additional comment from kdudka on 2011-04-01 16:34:50 CEST ---

Created attachment 489418 [details]
less intrusive patch for libcurl

I am not sure if there is a better way to force nss to use the right client cert on the second attempt...

--- Additional comment from emaldona on 2011-04-04 00:30:08 CEST ---

I had done some some downgrades last night and forgot to restore the patch curl builds. Kamil, it does work with your reproducer. Having some problems with the yum test that (404) I'll look into tomorrow.

Comment 1 Kamil Dudka 2011-04-04 16:19:38 UTC
I have prepared a new scratch build of libcurl that includes also a patch for bug #690273 (default build with -O2, since we mostly debug at the NSS level anyway):

https://brewweb.devel.redhat.com/taskinfo?taskID=3226621

Comment 2 Kamil Dudka 2011-04-07 06:06:32 UTC

*** This bug has been marked as a duplicate of bug 694294 ***


Note You need to log in before you can comment on or make changes to this bug.