Bug 51913 - NSS/SSL won't send self-signed server or client-auth certs
Status: Closed, RESOLVED FIXED
Opened 24 years ago; closed 24 years ago
Categories: NSS :: Libraries, defect, P3
Tracking: Not tracked
3.0.1
People: Reporter: nelson, Assigned: nelson
When NSS's libssl wants to send a cert chain, such as when sending
a server cert chain or a client cert chain, it calls a function
in the cert library named CERT_CertChainFromCert() to construct an
array of SECItems pointing to DER-encoded certs to send. It passes
an argument to that function that says "do not include the root CA
cert in the chain".
The function CERT_CertChainFromCert() constructs an array containing
the entire chain, including the root CA cert. Then, if the caller
has asked it not to include the root CA cert, it subtracts one from
the number of elements in the array. If the cert passed to
CERT_CertChainFromCert() was self-signed, then it is the only cert
in the array, and when CERT_CertChainFromCert() subtracts 1, it
tells the caller that the chain has zero elements. The caller then
sends a cert message with zero certs in it. This is acceptable
behavior for client auth certs in TLS, but not for SSL 3, and it is
never acceptable for server certs.
The solution appears to be in two parts:
a) in CERT_CertChainFromCert(), if the number of certs in the list
is one, don't subtract one from it.
b) in the SSL code, in the places that call CERT_CertChainFromCert(),
check the length argument in the return value for a length of zero
and treat it as an error rather than blindly sending a malformed
SSL message.
I'm making another unrelated change to this code for NSS 3.1, so
I'll fix this bug in NSS 3.1, also.
The diffs for the first part of this fix are:
RCS file: /cvsroot/mozilla/security/nss/lib/certhigh/certhigh.c,v
retrieving revision 1.2
diff -c -r1.2 certhigh.c
*** certhigh.c 2000/06/13 21:56:21 1.2
--- certhigh.c 2000/09/08 21:16:03
***************
*** 980,989 ****
node->cert = NULL;
if (rv < 0) goto loser;
}
! if ( includeRoot ) {
! chain->len = len;
! } else {
chain->len = len - 1;
}
chain->arena = arena;
--- 980,989 ----
node->cert = NULL;
if (rv < 0) goto loser;
}
! if ( !includeRoot && len > 1) {
chain->len = len - 1;
+ } else {
+ chain->len = len;
}
chain->arena = arena;
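Review bot: the `len > 1` guard on the new condition fixes the self-signed case inside CERT_CertChainFromCert(), but part (b) of the proposed fix, the zero-length check at the libssl call sites, is not in this hunk, so a caller that still reaches `chain->len == 0` would send an empty certificate message; please land that check with this change or note it explicitly as a follow-up. The new condition also silently overrides `includeRoot` for a one-cert chain, which is intended here and deserves a one-line comment, e.g. `/* a self-signed cert is its own root; always send it */`. Minor: `if ( !includeRoot && len > 1)` has unbalanced spacing around the parentheses; the surrounding code writes `if ( includeRoot ) {`.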
Comment 1 (Assignee), 24 years ago:
Fixed by checkin:
/cvsroot/mozilla/security/nss/lib/certhigh/certhigh.c,v <-- certhigh.c
new revision: 1.3; previous revision: 1.2
Status: NEW → RESOLVED
Closed: 24 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.1
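To make the off-by-one concrete, here is an added C model of the length bookkeeping described in the report, written for this page and not taken from NSS source. It shows the original unconditional subtraction beside the patched `!includeRoot && len > 1` condition, and adds the caller-side zero-length check proposed as part (b). The names chain_from_cert, certificate_message_len and scenario are assumed stand-ins for CERT_CertChainFromCert() and its libssl callers, and the cert labels are constructed.

```c
#include <stdio.h>
#include <stddef.h>

/* Added illustration for this bug page, not NSS source. It models the
 * length bookkeeping of CERT_CertChainFromCert() described in the report,
 * both as originally written and with the "len > 1" guard from the patch,
 * plus the caller-side zero-length check proposed as part (b).
 * All names and cert labels here are constructed stand-ins. */

#define MAX_CHAIN 8

typedef struct {
    const char *der[MAX_CHAIN]; /* stand-in for the SECItem array of DER certs */
    size_t len;                 /* number of certs the caller will send */
} CertChain;

/* Copies [leaf, ..., root] into the chain, then applies the includeRoot rule.
 * fixed == 0 reproduces the original unconditional subtraction;
 * fixed != 0 applies the patched "!includeRoot && len > 1" condition.
 * Returns -1 on bad input, otherwise the resulting chain->len. */
static int chain_from_cert(const char **certs, size_t count,
                           int includeRoot, int fixed, CertChain *chain)
{
    size_t len;

    if (count == 0 || count > MAX_CHAIN)
        return -1;
    for (len = 0; len < count; len++)
        chain->der[len] = certs[len];

    if (fixed) {
        /* Patched: drop the root only when there is more than one cert,
         * so a self-signed cert (its own root) is still sent. */
        chain->len = (!includeRoot && len > 1) ? len - 1 : len;
    } else {
        /* Original: always subtract one when the root is excluded,
         * which leaves a self-signed cert with a zero-length chain. */
        chain->len = includeRoot ? len : len - 1;
    }
    return (int)chain->len;
}

/* Part (b): the libssl caller must treat a zero-length chain as an error
 * instead of emitting a certificate message that carries no certs.
 * Returns the number of certs to put in the message, or -1 on error. */
static int certificate_message_len(const CertChain *chain)
{
    if (chain->len == 0)
        return -1;
    return (int)chain->len;
}

/* Runs one scenario end to end on constructed cert labels and returns
 * what the caller would do: the message length, or -1 for "refuse to send".
 * Only the position in the array matters; the labels are placeholders. */
static int scenario(size_t count, int includeRoot, int fixed)
{
    static const char *labels[MAX_CHAIN] = {
        "leaf", "intermediate 1", "intermediate 2", "intermediate 3",
        "intermediate 4", "intermediate 5", "intermediate 6", "root CA"
    };
    CertChain chain;

    if (chain_from_cert(labels, count, includeRoot, fixed, &chain) < 0)
        return -1;
    return certificate_message_len(&chain);
}

int main(void)
{
    printf("self-signed cert, original code : %d\n", scenario(1, 0, 0)); /* -1 */
    printf("self-signed cert, patched code  : %d\n", scenario(1, 0, 1)); /*  1 */
    printf("3-cert chain, root excluded     : %d\n", scenario(3, 0, 1)); /*  2 */
    printf("3-cert chain, root included     : %d\n", scenario(3, 1, 1)); /*  3 */
    return 0;
}
```

The first line of output is the bug as reported: with the original subtraction a self-signed cert yields a chain of length zero, which the part (b) check now turns into an error instead of a malformed certificate message; with the patched condition the same cert is sent as a chain of one, while multi-cert chains still drop the root exactly as before.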