On 2010-11-24 09:32 PDT, passfree wrote:
> Hi there,
>
> I am developing a generic SSL pipe XPCOM component which can be used
> on any Input/Output stream pair. So far it sort of works but I am
> facing one problem and I am not sure how to deal with it. The problem
> arises when a client connects to a server but refuses to continue
> because of certificate errors. Let's say that we have an input stream
> from a ServerSocket.

You have a ServerSocket in Firefox? Firefox does not initialize the
server components of libSSL, because it does not ever expect to behave
as a server.

> This input stream is wrapped with my SSL pipe
> component. If the client connects but refuses to continue, due to the
> SSL certificate is invalid for the current domain name, the code will
> fail with a crash within ssl3con.c, ssl3_HandleAlert function, on the
> following line:
>
>     if (level == alert_fatal) {
>         ss->sec.uncache(ss->sec.ci.sid);
>
> The reason it fails is because ss->sec.uncache is set to null, 0, i.e.
> nothing there to access.

That's an uninitialized (or incompletely initialized) socket.
Possibilities include:

- You've closed the socket, then continued to use it
- You initialized the socket as a client socket, then used it as a
  server socket without initializing the server components.
- You initialized one PRSocket, then somehow switched to using another.
- You added SSL to the socket after the socket was connected, but then
  didn't call SSL_ResetHandshake, or called it with the wrong argument
  values.

> The question is why is this happening and what I should do to fix the
> problem. Perhaps I need to init my ssl fd differently?

There's something wrong with the way your code is using libSSL.
Don't know what though. Could be any one of many things.

> The obvious solution will be to add my own handler on that place but
> then shouldn't that be handled by NSS? I haven't seen example code
> which comes down to such hacks.

Right, that would be a hack, and it wouldn't help you. You'd get a
little farther before you'd run into the next problem due to the
socket's uninitialized state.

--
/Nelson Bolyard
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto