Closed
Bug 964493
Opened 11 years ago
Closed 11 years ago
CERT_CheckOCSPStatus / ocsp_GetCachedOCSPResponseStatus can return SECFailure without calling PR_SetError
Categories
(NSS :: Libraries, defect, P2)
NSS
Libraries
Tracking
(Not tracked)
RESOLVED
FIXED
3.15.5
People
(Reporter: keeler, Assigned: keeler)
References
Details
Attachments
(2 files, 1 obsolete file)
(deleted),
patch
|
briansmith
:
review+
wtc
:
review+
briansmith
:
checked-in+
|
Details | Diff | Splinter Review |
(deleted),
patch
|
keeler
:
review+
briansmith
:
checked-in+
|
Details | Diff | Splinter Review |
If there is a freshly cached, invalid OCSP response, ocsp_GetCachedOCSPResponseStatus will set rvOcsp to SECFailure, but there is never a call to PR_SetError.
To reproduce, set security.OCSP.require to true, visit https://www.certigna.fr/Certigna/PC (there should be an OCSP failure), and refresh the page (you should also see an error like "###!!! ASSERTION: no error set during certificate validation failure: 'Not Reached', file /home/keeler/mozilla-central/security/manager/ssl/src/SSLServerCertVerification.cpp, line 994" in the console for a debug version of Firefox).
Comment 1•11 years ago
|
||
Keeler, Thanks for creating this bug. Note that this is a regression.
Assignee | ||
Comment 2•11 years ago
|
||
Calling PORT_SetError with the cached error code should do the trick.
This is a patch against mozilla-central, but it applies to nss with `patch -p3`.
Assignee | ||
Comment 3•11 years ago
|
||
This tests the fix in PSM.
Attachment #8366807 -
Flags: review?(brian)
Updated•11 years ago
|
Attachment #8366806 -
Flags: review?(brian) → review+
Comment 4•11 years ago
|
||
Comment on attachment 8366807 [details] [diff] [review]
test
Review of attachment 8366807 [details] [diff] [review]:
-----------------------------------------------------------------
::: security/manager/ssl/tests/unit/test_ocsp_required.js
@@ +11,5 @@
> +
> +function run_test() {
> + do_get_profile();
> + Services.prefs.setBoolPref("security.OCSP.require", true);
> + Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
Why do we need to set security.ssl.enable_ocsp_stapling to true for this test?
Attachment #8366807 -
Flags: review?(brian) → review+
Assignee | ||
Comment 5•11 years ago
|
||
(In reply to Brian Smith (:briansmith, :bsmith; NEEDINFO? for response) from comment #4)
lPref("security.OCSP.require", true);
> > + Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
>
> Why do we need to set security.ssl.enable_ocsp_stapling to true for this
> test?
No good reason - I fixed it.
My impression from the NSS meeting was that the fix is going into a release soon - do we want to wait for that or have a private patch until then?
Attachment #8366807 -
Attachment is obsolete: true
Attachment #8368730 -
Flags: review+
Comment 6•11 years ago
|
||
NSS trunk (3.16):
http://hg.mozilla.org/projects/nss/rev/5eddfe83330d
NSS 3.15.5:
http://hg.mozilla.org/projects/nss/rev/4e2f6a631150
Leaving open because Gecko trees are closed, so I can't land the Gecko test.
Target Milestone: --- → 3.15.5
Updated•11 years ago
|
Attachment #8366806 -
Flags: checked-in+
Comment 7•11 years ago
|
||
Comment on attachment 8366806 [details] [diff] [review]
fix
Review of attachment 8366806 [details] [diff] [review]:
-----------------------------------------------------------------
r=wtc.
Attachment #8366806 -
Flags: review+
Comment 8•11 years ago
|
||
Comment on attachment 8368730 [details] [diff] [review]
test v1.1
https://hg.mozilla.org/integration/mozilla-inbound/rev/370064a33b61
Attachment #8368730 -
Flags: checked-in+
Updated•11 years ago
|
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Comment 9•11 years ago
|
||
Flags: in-testsuite+
Updated•11 years ago
|
Priority: -- → P2
Comment 10•11 years ago
|
||
You need to log in
before you can comment on or make changes to this bug.
Description
•