Closed Bug 964493 Opened 11 years ago Closed 11 years ago

CERT_CheckOCSPStatus / ocsp_GetCachedOCSPResponseStatus can return SECFailure without calling PR_SetError

Categories

(NSS :: Libraries, defect, P2)

Product:
NSS
Component:
Libraries
Type:
defect

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
3.15.5

People

(Reporter: keeler, Assigned: keeler)

References

Details

Attachments

(2 files, 1 obsolete file)

fix
(deleted), patch
briansmith
: review+
wtc
: review+
briansmith
: checked-in+
Details | Diff | Splinter Review
test v1.1
(deleted), patch
keeler
: review+
briansmith
: checked-in+
Details | Diff | Splinter Review
If there is a freshly cached, invalid OCSP response, ocsp_GetCachedOCSPResponseStatus will set rvOcsp to SECFailure, but there is never a call to PR_SetError. To reproduce, set security.OCSP.require to true, visit https://www.certigna.fr/Certigna/PC (there should be an OCSP failure), and refresh the page (you should also see an error like "###!!! ASSERTION: no error set during certificate validation failure: 'Not Reached', file /home/keeler/mozilla-central/security/manager/ssl/src/SSLServerCertVerification.cpp, line 994" in the console for a debug version of Firefox).
Keeler, Thanks for creating this bug. Note that this is a regression.
Attached patch fix (deleted) — Splinter Review
Calling PORT_SetError with the cached error code should do the trick. This is a patch against mozilla-central, but it applies to nss with `patch -p3`.
Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
Attachment #8366806 - Flags: review?(brian)
Attached patch test (obsolete) (deleted) — Splinter Review
This tests the fix in PSM.
Attachment #8366807 - Flags: review?(brian)
Attachment #8366806 - Flags: review?(brian) → review+
Comment on attachment 8366807 [details] [diff] [review] test Review of attachment 8366807 [details] [diff] [review]: ----------------------------------------------------------------- ::: security/manager/ssl/tests/unit/test_ocsp_required.js @@ +11,5 @@ > + > +function run_test() { > + do_get_profile(); > + Services.prefs.setBoolPref("security.OCSP.require", true); > + Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true); Why do we need to set security.ssl.enable_ocsp_stapling to true for this test?
Attachment #8366807 - Flags: review?(brian) → review+
Attached patch test v1.1 (deleted) — Splinter Review
(In reply to Brian Smith (:briansmith, :bsmith; NEEDINFO? for response) from comment #4) lPref("security.OCSP.require", true); > > + Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true); > > Why do we need to set security.ssl.enable_ocsp_stapling to true for this > test? No good reason - I fixed it. My impression from the NSS meeting was that the fix is going into a release soon - do we want to wait for that or have a private patch until then?
Attachment #8366807 - Attachment is obsolete: true
Attachment #8368730 - Flags: review+
NSS trunk (3.16): http://hg.mozilla.org/projects/nss/rev/5eddfe83330d NSS 3.15.5: http://hg.mozilla.org/projects/nss/rev/4e2f6a631150 Leaving open because Gecko trees are closed, so I can't land the Gecko test.
Target Milestone: --- → 3.15.5
Comment on attachment 8366806 [details] [diff] [review] fix Review of attachment 8366806 [details] [diff] [review]: ----------------------------------------------------------------- r=wtc.
Attachment #8366806 - Flags: review+
Status: ASSIGNED → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Priority: -- → P2
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: