Hi passfree:

On Wed, Nov 24, 2010 at 9:32 AM, passfree <passf...@googlemail.com> wrote:
>
> I am developing a generic SSL pipe XPCOM component which can be used
> on any Input/Output stream pair. So far it sort of works but I am
> facing one problem and I am not sure how to deal with it. The problem
> arises when a client connects to a server but refuses to continue
> because of certificate errors. Let's say that we have an input stream
> from a ServerSocket. This input stream is wrapped with my SSL pipe
> component. If the client connects but refuses to continue, because
> the SSL certificate is invalid for the current domain name, the code will
> fail with a crash within ssl3con.c, ssl3_HandleAlert function, on the
> following line:
>
>    if (level == alert_fatal) {
>        ss->sec.uncache(ss->sec.ci.sid);
>
> The reason it fails is because ss->sec.uncache is set to null, 0, i.e.
> nothing there to access.
>
> The question is why is this happening and what I should do to fix the
> problem. Perhaps I need to init my ssl fd differently?

You are running into a variant of NSS bug 540535:
https://bugzilla.mozilla.org/show_bug.cgi?id=540535

Your report shows both SSL3_SendAlert and ssl3_HandleAlert
have this problem.

You can avoid this problem by configuring an SSL server session
ID cache, with either a SSL_ConfigServerSessionIDCache or
SSL_ConfigMPServerSIDCache call.

If you build NSS from source code, can you print in the
debugger if ss->sec.ci.sid is NULL at that point?  Then,
please try changing the code to:

   if (level == alert_fatal) {
       if (ss->sec.uncache) {
           ss->sec.uncache(ss->sec.ci.sid);
       }

Does that fix the problem?  Thanks.

Wan-Teh
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
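The following is an added, self-contained C model of the failure described in this thread; it is not NSS source and not code from either poster. It models the server-side state as a struct whose `uncache` callback is only installed once a server session ID cache has been configured (standing in for SSL_ConfigServerSessionIDCache), and shows the unguarded fatal-alert handler beside the guarded one Wan-Teh proposes. All names (ssl_state_t, configure_server_sid_cache, handle_fatal_alert_*, cache_uncache) are hypothetical stand-ins for the real NSS structures and functions.

```c
/* Added example, not from NSS or from the thread. Minimal model of a
 * callback that is left NULL when a configuration step is skipped, and
 * of the guard that prevents the NULL function-pointer dereference.
 * All identifiers are hypothetical stand-ins for the NSS originals. */
#include <stddef.h>
#include <stdio.h>

typedef struct {
    int session_id;        /* stands in for ss->sec.ci.sid */
    void (*uncache)(int);  /* stands in for ss->sec.uncache; NULL until a cache is configured */
} ssl_state_t;

/* Counts how many times the cache's eviction routine was actually invoked. */
static int g_uncache_calls = 0;

/* Stand-in for the session cache's eviction routine. */
static void cache_uncache(int sid)
{
    (void)sid;
    g_uncache_calls++;
}

/* Stand-in for SSL_ConfigServerSessionIDCache: configuring the cache is
 * what installs the uncache callback; without it the pointer stays NULL. */
void configure_server_sid_cache(ssl_state_t *ss)
{
    ss->uncache = cache_uncache;
}

/* Before: mirrors the original ssl3_HandleAlert line. Calling this with
 * an unconfigured state dereferences a NULL function pointer and crashes,
 * which is the behaviour passfree reported. Kept here for contrast only. */
int handle_fatal_alert_unguarded(ssl_state_t *ss)
{
    ss->uncache(ss->session_id);
    return 1;
}

/* After: the guard suggested in the reply. Returns 1 if the session was
 * uncached, 0 if there was no cache to uncache from (no crash either way). */
int handle_fatal_alert_guarded(ssl_state_t *ss)
{
    if (ss->uncache) {
        ss->uncache(ss->session_id);
        return 1;
    }
    return 0;
}

/* Exposes the invocation counter so callers can verify the callback ran. */
int uncache_call_count(void)
{
    return g_uncache_calls;
}

int main(void)
{
    ssl_state_t ss = { 42, NULL };   /* constructed sample state: no cache configured yet */

    /* Guarded handler with no cache: safely skipped. */
    printf("no cache configured, guarded handler returned %d\n",
           handle_fatal_alert_guarded(&ss));

    /* Configure the cache (installs the callback), then the alert uncaches the session. */
    configure_server_sid_cache(&ss);
    printf("cache configured, guarded handler returned %d, uncache calls = %d\n",
           handle_fatal_alert_guarded(&ss), uncache_call_count());
    return 0;
}
```

The point the model makes is that the guard is defence in depth: the proper fix for the reported setup is to configure the server session ID cache, while the NULL check keeps a fatal alert from bringing the process down when a server socket is used without that configuration.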
