Closed Bug 51913 Opened 24 years ago Closed 24 years ago

NSS/SSL won't send self-signed server or client-auth certs

Categories: NSS :: Libraries, defect, P3
Tracking: Not tracked
Status: RESOLVED FIXED
People: Reporter: nelson, Assigned: nelson

Details

When NSS's libssl wants to send a cert chain, such as when sending a server cert chain or a client cert chain, it calls a function in the cert library named CERT_CertChainFromCert() to construct an array of SECItems pointing to DER-encoded certs to send. It passes an argument to that function that says "do not include the root CA cert in the chain".

The function CERT_CertChainFromCert() constructs an array containing the entire chain, including the root CA cert. Then, if the caller has asked it not to include the root CA cert, it subtracts one from the number of elements in the array. If the cert passed to CERT_CertChainFromCert() was self-signed, then it is the only cert in the array, and when CERT_CertChainFromCert() subtracts 1, it tells the caller that the chain has zero elements. The caller then sends a cert message with zero certs in it. This is acceptable behavior for client auth certs in TLS, but not for SSL 3, and it is never acceptable for server certs.

The solution appears to be in two parts:
a) in CERT_CertChainFromCert(), if the number of certs in the list is one, don't subtract one from it.
b) in the SSL code, in the places that call CERT_CertChainFromCert(), check the length argument in the return value for a length of zero and treat it as an error rather than blindly sending a malformed SSL message.

I'm making another unrelated change to this code for NSS 3.1, so I'll fix this bug in NSS 3.1, also.

The diffs for the first part of this fix are:

RCS file: /cvsroot/mozilla/security/nss/lib/certhigh/certhigh.c,v retrieving revision 1.2 diff -c -r1.2 certhigh.c *** certhigh.c 2000/06/13 21:56:21 1.2 --- certhigh.c 2000/09/08 21:16:03 *************** *** 980,989 **** node->cert = NULL; if (rv < 0) goto loser; } ! if ( includeRoot ) { ! chain->len = len; ! } else { chain->len = len - 1; } chain->arena = arena; --- 980,989 ---- node->cert = NULL; if (rv < 0) goto loser; } !
if ( !includeRoot && len > 1) { chain->len = len - 1; + } else { + chain->len = len; } chain->arena = arena;
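Review bot: this hunk only covers part (a) of the two-part fix described above; the `len > 1` guard keeps a self-signed leaf in the chain, but the libssl callers of CERT_CertChainFromCert() still receive `chain->len == 0` unchecked in any other case and would go on to send an empty certificate message. Part (b), treating a returned length of zero as an error at each call site, should land with this change or be referenced in the checkin so it is not lost.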
Fixed by checkin: /cvsroot/mozilla/security/nss/lib/certhigh/certhigh.c,v <-- certhigh.c new revision: 1.3; previous revision: 1.2
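The off-by-one described in the bug, modelled as an added C example (not NSS code): a constructed "cert database" of name pairs stands in for DER certs, chain_from_cert() reproduces the original trim (buggy=true) and the fixed one, and certs_to_send() applies the caller-side zero-length check from part (b). All names and the helper functions are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_CHAIN 8

/* Constructed stand-in for a certificate: only the names matter here. */
typedef struct { const char *subject; const char *issuer; } Cert;

/* Constructed sample "cert database": a leaf, its intermediate, a root,
 * and a separate self-signed server cert. */
static const Cert db[] = {
    { "CN=www.example.test",        "CN=Example Intermediate" },
    { "CN=Example Intermediate",    "CN=Example Root" },
    { "CN=Example Root",            "CN=Example Root" },
    { "CN=selfsigned.example.test", "CN=selfsigned.example.test" },
};

static const Cert *find_by_subject(const char *subject) {
    for (size_t i = 0; i < sizeof db / sizeof db[0]; i++)
        if (strcmp(db[i].subject, subject) == 0) return &db[i];
    return NULL;
}

/* Builds the full chain leaf..root into out[], then trims the root if the
 * caller asked for that. buggy=true reproduces the original behaviour:
 * len - 1 is returned even when len == 1, i.e. the self-signed leaf itself. */
static size_t chain_from_cert(const Cert *leaf, bool include_root, bool buggy,
                              const Cert *out[MAX_CHAIN]) {
    size_t len = 0;
    const Cert *c = leaf;
    while (c != NULL && len < MAX_CHAIN) {
        out[len++] = c;
        if (strcmp(c->subject, c->issuer) == 0) break; /* reached a self-signed root */
        c = find_by_subject(c->issuer);
    }
    if (include_root) return len;
    if (buggy) return len - 1;       /* 1 - 1 == 0 for a self-signed leaf */
    return len > 1 ? len - 1 : len;  /* fixed: never trim a lone cert */
}

/* Caller-side guard from part (b): a zero-length chain is an error,
 * never an empty certificate message. Returns cert count or -1. */
static int certs_to_send(const char *subject, bool buggy) {
    const Cert *out[MAX_CHAIN];
    const Cert *leaf = find_by_subject(subject);
    if (leaf == NULL) return -1;
    size_t n = chain_from_cert(leaf, false, buggy, out);
    return n == 0 ? -1 : (int)n;
}
```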
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.1
Changed target fix version to 3.0.1
Target Milestone: 3.1 → 3.0.1