ssl.sh fails multiple times if NSS_ENABLE_TLS_1_3 is enabled. While this is to expect as long as it's not fully implemented and the tests are not adapted to it. > tstclnt: read from socket failed: SSL_ERROR_BAD_CERT_ALERT: SSL peer cannot verify your certificate. > tstclnt: write to SSL socket failed: SSL_ERROR_FEATURE_NOT_SUPPORTED_FOR_VERSION: SSL feature not supported for the protocol version. However, it creates core dumps most of the time (I couldn't reliably determine yet when) coming from NSS_Shutdown. Backtraces in the coredumps looks like this: > * thread #1: tid = 0x0000, 0x00007fff90834f06 libsystem_kernel.dylib`__pthread_kill + 10, stop reason = signal SIGSTOP > * frame #0: 0x00007fff90834f06 libsystem_kernel.dylib`__pthread_kill + 10 > frame #1: 0x00007fff97cb44ec libsystem_pthread.dylib`pthread_kill + 90 > frame #2: 0x00007fff930046e7 libsystem_c.dylib`abort + 129 > frame #3: 0x000000010eb74aed libnspr4.dylib`PR_Assert(s="secmod_PrivateModuleCount == 0", file="pk11util.c", ln=88) + 109 at prlog.c:553 > frame #4: 0x000000010e9505a0 libnss3.dylib`SECMOD_Shutdown + 304 at pk11util.c:88 > frame #5: 0x000000010e8ee0f8 libnss3.dylib`nss_Shutdown + 120 at nssinit.c:1088 > frame #6: 0x000000010e8ee32e libnss3.dylib`NSS_Shutdown + 158 at nssinit.c:1146 > frame #7: 0x000000010e7e0ea1 tstclnt`main(argc=15, argv=0x00007fff51422538) + 9201 at tstclnt.c:1651 > frame #8: 0x00007fff94db45ad libdyld.dylib`start + 1 > frame #9: 0x00007fff94db45ad libdyld.dylib`start + 1 or this: > * thread #1: tid = 0x0000, 0x00007fff90834f06 libsystem_kernel.dylib`__pthread_kill + 10, stop reason = signal SIGSTOP > * frame #0: 0x00007fff90834f06 libsystem_kernel.dylib`__pthread_kill + 10 > frame #1: 0x00007fff97cb44ec libsystem_pthread.dylib`pthread_kill + 90 > frame #2: 0x00007fff930046e7 libsystem_c.dylib`abort + 129 > frame #3: 0x0000000101a51aed libnspr4.dylib`PR_Assert(s="secmod_PrivateModuleCount == 0", file="pk11util.c", ln=88) + 109 at prlog.c:553 > frame #4: 0x00000001018305a0 libnss3.dylib`SECMOD_Shutdown + 304 at pk11util.c:88 > frame #5: 0x00000001017ce0f8 libnss3.dylib`nss_Shutdown + 120 at nssinit.c:1088 > frame #6: 0x00000001017ce32e libnss3.dylib`NSS_Shutdown + 158 at nssinit.c:1146 > frame #7: 0x00000001016c11fb selfserv`main(argc=21, argv=0x00007fff5e5454b8) + 8555 at selfserv.c:2772 > frame #8: 0x00007fff94db45ad libdyld.dylib`start + 1 > frame #9: 0x00007fff94db45ad libdyld.dylib`start + 1 I don't think this is security sensitive but might be able to crash NSS.

see bug 1168425

(In reply to Martin Thomson [:mt:] from comment #1) > see bug 1168425 hm, interesting that the probability of this popping up is significantly higher when NSS_ENABLE_TLS_1_3 is set. (Maybe because it fails more often.)

Or perhaps because we have a leak...

Running ssl.sh with the proposed patch in bug 1168425 yields 123 failures but no core dumps.

Patch at: https://codereview.appspot.com/297560043 The problem seems to be that selfserv starts with the default range, that's ssl3:tls1.2. With TLS 1.3 enabled this becomes tls1.0:tls1.3 as we don't support ssl3 and tls1.3 in the same range. Similarly, just specifying :ssl3 fails if we have a default range with min=tls1.0. Now we could try to extend the existing tests to tls1.3 but the value of ssl.sh seems rather low with a growing ssl_gtests suite that is able to check for a lot more than just a specific exit code. We also would probably need two runs as we either hit the ssl3:tls1.2 code (ssl3con.c) or the tls1.3 code (tls13con.c), depending on the version negotiated. I think the best solution would be to let ssl.sh continue to cover only ssl3:tls1.2, and ignore tls1.3. So we can work on improving and extending the ssl_gtests suite for the new protocol version and don't have to fiddle with old test suites.

I agree, I think ssl_gtests have enough coverage for TLS 1.3.

This is the right solution. r+ I don't agree that we have enough coverage in ssl_gtests, but that is where we are putting the effort in. And ssl.sh doesn't have better coverage.

We missed one: https://hg.mozilla.org/projects/nss/rev/b93c325045f6