On 2010-11-24 09:32 PDT, passfree wrote:
> Hi there,
>
> I am developing a generic SSL pipe XPCOM component which can be used
> on any Input/Output stream pair. So far it sort of works but I am
> facing one problem and I am not sure how to deal with it. The problem
> arrises when a client connects to a server but refuses to continue
> because of certificate errors. Lets say that we have an input stream
> from a ServerSocket.
You have a ServerSocket in Firefox? Firefox does not initialize the
server components of libSSL, because it does not ever expect to behave
as a server.
> This input stream is wrapped with my SSL pipe
> component. If the client connects but refuses to continue, due to the
> SSL certificate is invalid for the current domain name, the code will
> fail with a crash within ssl3con.c, ssl3_HandleAlert function, on the
> following line:
>
> if (level == alert_fatal) {
> ss->sec.uncache(ss->sec.ci.sid);
>
> The reason it fails is because ss->sec.uncache is set to null, 0, i.e.
> nothing there to access.
That's an uninitialized (or incompletely initialized) socket.
Possibilities include:
- You've closed the socket, then continued to use it
- You initialized the socket as a client socket, then used it as a server
socket without initializing the server components.
- You initialized one PRSocket, then somehow switched to using another.
- You added SSL to the socket after the socket was connected, but then
didn't call SSL_ResetHandshake, or called it with the wrong argument values.
> The question is why is this happening and what I should do to fix the
> problem. Perhaps I need to init my ssl fd differently?
There's something wrong with the way your code is using libSSL.
Don't know what though. Could be any one of many things.
> The obvious solution will be to add my own handler on that place but
> then shouldn't that be handled by NSS? I haven't seen example code
> which comes down to such hacks.
Right, that would be a hack, and it wouldn't help you. You'd get a little
farther before you'd run into the next problem due to the socket's
uninitialized state.
--
/Nelson Bolyard
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
