Hi passfree:

On Wed, Nov 24, 2010 at 9:32 AM, passfree <passf...@googlemail.com> wrote:
>
> I am developing a generic SSL pipe XPCOM component which can be used
> on any Input/Output stream pair. So far it sort of works, but I am
> facing one problem and I am not sure how to deal with it. The problem
> arises when a client connects to a server but refuses to continue
> because of certificate errors. Let's say that we have an input stream
> from a ServerSocket. This input stream is wrapped with my SSL pipe
> component. If the client connects but refuses to continue, because the
> SSL certificate is invalid for the current domain name, the code will
> fail with a crash within ssl3con.c, in the ssl3_HandleAlert function, on the
> following line:
>
>     if (level == alert_fatal) {
>         ss->sec.uncache(ss->sec.ci.sid);
>
> The reason it fails is that ss->sec.uncache is set to null, 0, i.e.
> there is nothing there to access.
>
> The question is why this is happening and what I should do to fix the
> problem. Perhaps I need to init my SSL fd differently?
You are running into a variant of NSS bug 540535:
https://bugzilla.mozilla.org/show_bug.cgi?id=540535

Your report shows that both SSL3_SendAlert and ssl3_HandleAlert have this
problem.

You can avoid this problem by configuring an SSL server session ID cache,
with either an SSL_ConfigServerSessionIDCache or an SSL_ConfigMPServerSIDCache
call.

If you build NSS from source code, can you print in the debugger whether
ss->sec.ci.sid is NULL at that point? Then, please try changing the code to:

    if (level == alert_fatal) {
        if (ss->sec.uncache) {
            ss->sec.uncache(ss->sec.ci.sid);
        }
    }

Does that fix the problem?

Thanks.

Wan-Teh

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
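The two remedies in the reply above (configure the server session ID cache before accepting connections, or guard the callback in the alert handler), as an added self-contained C model that is not part of the original thread and is not NSS code. It mirrors the shape of the bug: a per-socket `uncache` function pointer that stays NULL until a server session ID cache has been configured, and a fatal-alert path that dereferences it. The names `ssl_socket`, `sec_state`, `session_id`, `config_server_sid_cache`, `handle_alert_patched` and `fatal_alert_would_crash` are hypothetical stand-ins for the NSS internals, and `config_server_sid_cache` stands in for what SSL_ConfigServerSessionIDCache / SSL_ConfigMPServerSIDCache do to the socket. In NSS the `sid` argument is already a pointer; here it is a struct member, so its address is passed.

```c
/*
 * Added example, not NSS code: a self-contained model of the crash
 * discussed in the thread. In NSS, ss->sec.uncache is a function pointer
 * that is only installed once a server session ID cache has been
 * configured (SSL_ConfigServerSessionIDCache / SSL_ConfigMPServerSIDCache).
 * When a fatal alert arrives on a server socket without one, the unpatched
 * ssl3_HandleAlert calls that NULL pointer. All type and function names
 * below are hypothetical stand-ins, not the real NSS identifiers.
 */
#include <stddef.h>
#include <stdio.h>

typedef enum { alert_warning = 1, alert_fatal = 2 } alert_level;

typedef struct { int id; int cached; } session_id;

typedef struct {
    struct { session_id sid; } ci;          /* mirrors ss->sec.ci.sid */
    void (*uncache)(session_id *sid);       /* NULL until a cache exists */
} sec_state;

typedef struct { sec_state sec; } ssl_socket;

/* A freshly accepted server socket (constructed sample state): the session
 * is considered cached by the handshake code, but no uncache callback has
 * been installed because no server session ID cache was configured. */
ssl_socket new_server_socket(void) {
    ssl_socket ss;
    ss.sec.ci.sid.id = 42;
    ss.sec.ci.sid.cached = 1;
    ss.sec.uncache = NULL;
    return ss;
}

static void evict_from_cache(session_id *sid) { sid->cached = 0; }

/* Stand-in for SSL_ConfigServerSessionIDCache: the step that populates
 * the uncache callback, so the fatal-alert path has something to call. */
int config_server_sid_cache(ssl_socket *ss) {
    ss->sec.uncache = evict_from_cache;
    return 0;
}

/* The unpatched branch is
 *     if (level == alert_fatal) { ss->sec.uncache(ss->sec.ci.sid); }
 * Instead of segfaulting here, report whether that call would go through
 * a NULL function pointer. */
int fatal_alert_would_crash(const ssl_socket *ss) {
    return ss->sec.uncache == NULL;
}

/* The guarded version proposed in the reply. */
int handle_alert_patched(ssl_socket *ss, alert_level level) {
    if (level == alert_fatal) {
        if (ss->sec.uncache) {
            ss->sec.uncache(&ss->sec.ci.sid);
        }
    }
    return 0;
}

/* Scenario A: no cache configured, unpatched code -> NULL call (returns 1). */
int scenario_unpatched_no_cache(void) {
    ssl_socket ss = new_server_socket();
    return fatal_alert_would_crash(&ss);
}

/* Scenario B: no cache configured, guarded code -> no crash; the session
 * is left untouched since there is no cache to evict it from. Returns the
 * sid's cached flag (1). */
int scenario_patched_no_cache(void) {
    ssl_socket ss = new_server_socket();
    if (handle_alert_patched(&ss, alert_fatal) != 0) return -1;
    return ss.sec.ci.sid.cached;
}

/* Scenario C: cache configured first, as advised -> no NULL call, and the
 * fatal alert evicts the session. Returns the sid's cached flag (0). */
int scenario_with_cache(void) {
    ssl_socket ss = new_server_socket();
    config_server_sid_cache(&ss);
    if (fatal_alert_would_crash(&ss)) return -1;
    if (handle_alert_patched(&ss, alert_fatal) != 0) return -2;
    return ss.sec.ci.sid.cached;
}

int main(void) {
    printf("unpatched, no cache: would crash = %d\n", scenario_unpatched_no_cache());
    printf("patched,   no cache: sid.cached  = %d\n", scenario_patched_no_cache());
    printf("cache configured:    sid.cached  = %d\n", scenario_with_cache());
    return 0;
}
```

Scenario A is the reporter's situation: a server-side socket with no session ID cache, so the callback is NULL and the first fatal alert from a client that rejects the certificate dereferences it. Scenario C is the configuration fix from the reply, and Scenario B is the code fix; in a real server both are worth doing, since the guard only prevents the crash while the cache is what lets a failed session actually be evicted.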