Bugzilla version 2.15
SSL handshake cut-off with incorrect server configuration
This is a follow-up to bug 134122.
The server was configured with a model socket and client auth required, but no
trusted CAs in its database.
When connecting with Communicator 4.79, the client displayed a "network error".
Mozilla 0.9.9 just ignored the URL I typed, keeping a blank page!
IE just said that the page could not be displayed.
NES logged the following:
[28/Mar/2002:20:43:21] failure ( 4235): Error receiving connection
(SSL_ERROR_NO_TRUSTED_SSL_CLIENT_CA - the CA that signed the client certificate
is not trusted locally)
An ssltap trace (shown below) showed that the client was sending the ClientHello
message, but the server was not sending anything, apparently just closing the
connection.
I attached to the server and it showed that the above error was coming from the
first PR_Recv on the newly-imported SSL socket after PR_Accept.
Connection 1 is with Communicator 4.79, 2 and 3 with Mozilla 0.9.9 (I did just
one attempt, it made 2 connections), 4 and 5 with IE6 (again, just one browser
attempt, but got two connections).
Version: $Revision: 1.2 $ ($Date: 2002/03/15 06:04:32 $) $Author: wtc%netscape.com $
Connection #1 [Thu Mar 28 20:26:24 2002]
Connected to strange:3000
--> [
alloclen = 72 bytes
(72 bytes of 72)
[Thu Mar 28 20:26:24 2002] [ssl2] ClientHelloV2 {
version = {0x03, 0x00}
cipher-specs-length = 45 (0x2d)
sid-length = 0 (0x00)
challenge-length = 16 (0x10)
cipher-suites = {
(0x010080) SSL2/RSA/RC4-128/MD5
(0x020080) SSL2/RSA/RC4-40/MD5
(0x030080) SSL2/RSA/RC2CBC128/MD5
(0x040080) SSL2/RSA/RC2CBC40/MD5
(0x060040) SSL2/RSA/DES56-CBC/MD5
(0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
(0x000004) SSL3/RSA/RC4-128/MD5
(0x00feff) ????/????????/?????????/???
(0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
(0x00fefe) ????/????????/?????????/???
(0x000009) SSL3/RSA/DES56-CBC/SHA
(0x000064) TLS/RSA_EXPORT1024/RC4-56/SHA
(0x000062) TLS/RSA_EXPORT1024/DES56_CBC/SHA
(0x000003) SSL3/RSA/RC4-40/MD5
(0x000006) SSL3/RSA/RC2CBC40/MD5
}
session-id = { }
challenge = { 0xd9b9 0x432a 0x4c5a 0x0988 0xa69b 0xba97
0x8b7d 0xaeeb }
}
]
Read EOF on Server socket. [Thu Mar 28 20:26:24 2002]
Read EOF on Client socket. [Thu Mar 28 20:26:24 2002]
Connection #2 [Thu Mar 28 20:26:37 2002]
Connected to strange:3000
--> [
alloclen = 72 bytes
(72 bytes of 72)
[Thu Mar 28 20:26:37 2002] [ssl2] ClientHelloV2 {
version = {0x03, 0x01}
cipher-specs-length = 45 (0x2d)
sid-length = 0 (0x00)
challenge-length = 16 (0x10)
cipher-suites = {
(0x010080) SSL2/RSA/RC4-128/MD5
(0x030080) SSL2/RSA/RC2CBC128/MD5
(0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
(0x060040) SSL2/RSA/DES56-CBC/MD5
(0x020080) SSL2/RSA/RC4-40/MD5
(0x040080) SSL2/RSA/RC2CBC40/MD5
(0x000004) SSL3/RSA/RC4-128/MD5
(0x00feff) ????/????????/?????????/???
(0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
(0x00fefe) ????/????????/?????????/???
(0x000009) SSL3/RSA/DES56-CBC/SHA
(0x000064) TLS/RSA_EXPORT1024/RC4-56/SHA
(0x000062) TLS/RSA_EXPORT1024/DES56_CBC/SHA
(0x000003) SSL3/RSA/RC4-40/MD5
(0x000006) SSL3/RSA/RC2CBC40/MD5
}
session-id = { }
challenge = { 0x95be 0x81ab 0xd2da 0x0b5b 0xa3bb 0x284f
0x3097 0x5761 }
}
]
Read EOF on Server socket. [Thu Mar 28 20:26:37 2002]
Read EOF on Client socket. [Thu Mar 28 20:26:37 2002]
Connection #3 [Thu Mar 28 20:26:37 2002]
Connected to strange:3000
--> [
alloclen = 72 bytes
(72 bytes of 72)
[Thu Mar 28 20:26:37 2002] [ssl2] ClientHelloV2 {
version = {0x03, 0x00}
cipher-specs-length = 45 (0x2d)
sid-length = 0 (0x00)
challenge-length = 16 (0x10)
cipher-suites = {
(0x010080) SSL2/RSA/RC4-128/MD5
(0x030080) SSL2/RSA/RC2CBC128/MD5
(0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
(0x060040) SSL2/RSA/DES56-CBC/MD5
(0x020080) SSL2/RSA/RC4-40/MD5
(0x040080) SSL2/RSA/RC2CBC40/MD5
(0x000004) SSL3/RSA/RC4-128/MD5
(0x00feff) ????/????????/?????????/???
(0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
(0x00fefe) ????/????????/?????????/???
(0x000009) SSL3/RSA/DES56-CBC/SHA
(0x000064) TLS/RSA_EXPORT1024/RC4-56/SHA
(0x000062) TLS/RSA_EXPORT1024/DES56_CBC/SHA
(0x000003) SSL3/RSA/RC4-40/MD5
(0x000006) SSL3/RSA/RC2CBC40/MD5
}
session-id = { }
challenge = { 0xc24f 0xe0e8 0x59e3 0xa769 0x1ca4 0x3ac0
0x894f 0xc1ba }
}
]
Read EOF on Server socket. [Thu Mar 28 20:26:37 2002]
Read EOF on Client socket. [Thu Mar 28 20:26:37 2002]
Connection #4 [Thu Mar 28 20:27:06 2002]
Connected to strange:3000
--> [
alloclen = 78 bytes
(78 bytes of 78)
[Thu Mar 28 20:27:06 2002] [ssl2] ClientHelloV2 {
version = {0x03, 0x00}
cipher-specs-length = 51 (0x33)
sid-length = 0 (0x00)
challenge-length = 16 (0x10)
cipher-suites = {
(0x000004) SSL3/RSA/RC4-128/MD5
(0x000005) SSL3/RSA/RC4-128/SHA
(0x00000a) SSL3/RSA/3DES192EDE-CBC/SHA
(0x010080) SSL2/RSA/RC4-128/MD5
(0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
(0x030080) SSL2/RSA/RC2CBC128/MD5
(0x000009) SSL3/RSA/DES56-CBC/SHA
(0x060040) SSL2/RSA/DES56-CBC/MD5
(0x000064) TLS/RSA_EXPORT1024/RC4-56/SHA
(0x000062) TLS/RSA_EXPORT1024/DES56_CBC/SHA
(0x000003) SSL3/RSA/RC4-40/MD5
(0x000006) SSL3/RSA/RC2CBC40/MD5
(0x020080) SSL2/RSA/RC4-40/MD5
(0x040080) SSL2/RSA/RC2CBC40/MD5
(0x000013) SSL3/DHE-DSS/DES192EDE3CBC/SHA
(0x000012) SSL3/DHE_DSS/DES56-CBC/SHA
(0x000063) TLS/DHE-DSS_EXPORT1024/DES56-CBC/SHA
}
session-id = { }
challenge = { 0x389a 0x5f60 0xdfdd 0xeeb6 0x1228 0xe692
0x4034 0x7f0a }
}
]
Read EOF on Server socket. [Thu Mar 28 20:27:06 2002]
Read EOF on Client socket. [Thu Mar 28 20:27:06 2002]
Connection #5 [Thu Mar 28 20:27:06 2002]
Connected to strange:3000
--> [
alloclen = 45 bytes
(45 bytes of 45)
[Thu Mar 28 20:27:06 2002] [ssl2] ClientHelloV2 {
version = {0x00, 0x02}
cipher-specs-length = 18 (0x12)
sid-length = 0 (0x00)
challenge-length = 16 (0x10)
cipher-suites = {
(0x010080) SSL2/RSA/RC4-128/MD5
(0x0700c0) SSL2/RSA/3DES192EDE-CBC/MD5
(0x030080) SSL2/RSA/RC2CBC128/MD5
(0x060040) SSL2/RSA/DES56-CBC/MD5
(0x020080) SSL2/RSA/RC4-40/MD5
(0x040080) SSL2/RSA/RC2CBC40/MD5
}
session-id = { }
challenge = { 0x4b09 0x2f49 0x3ca6 0x984a 0x8e8c 0x17bc
0x1f5d 0x3c68 }
}
]
<-- [
alloclen = 5 bytes
(5 bytes of 5)
[Thu Mar 28 20:27:06 2002] [ssl2] UnknownType 0x00 {...}
]
Read EOF on Client socket. [Thu Mar 28 20:27:06 2002]
Read EOF on Server socket. [Thu Mar 28 20:27:06 2002]
This indicates that the client sent the ClientHello message, but nothing is
coming from the server.
I think what's going on is that when we get to the SSL layer in PR_Recv, we
check the socket's properties and find that they are wrong (no CA certs). So we
return the error back to the caller, without even reading the ClientHello message
or bothering to send an SSL alert to the client telling them that our server is
basically hosed.
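To make the ssltap fields in the trace concrete, here is an added example (not code from the bug report or from NSS) that re-encodes two of the traced CLIENT-HELLO records from the printed field values and parses them back, checking that the three length fields account for exactly the 45- and 72-byte alloclen values ssltap reported (alloclen includes the 2-byte SSLv2 record header). Suite lists and challenge bytes are taken from the trace; the byte layout is the SSLv2 CLIENT-HELLO format, and the function names are my own.

```python
import struct

# Constructed test vectors, re-encoded from the field values ssltap printed for
# Connection #5 (IE6, SSL2-only hello) and Connection #1 (Communicator 4.79).
# Only the challenges are copied from the trace; the records are rebuilt here.
IE6_SUITES = [0x010080, 0x0700C0, 0x030080, 0x060040, 0x020080, 0x040080]
IE6_CHALLENGE = bytes.fromhex("4b092f493ca6984a8e8c17bc1f5d3c68")
NAV_SUITES = [0x010080, 0x020080, 0x030080, 0x040080, 0x060040, 0x0700C0,
              0x000004, 0x00FEFF, 0x00000A, 0x00FEFE, 0x000009, 0x000064,
              0x000062, 0x000003, 0x000006]
NAV_CHALLENGE = bytes.fromhex("d9b9432a4c5a0988a69bba978b7daeeb")


def build_client_hello_v2(version, suites, challenge, session_id=b""):
    """Encode an SSLv2 CLIENT-HELLO (msg type 1) behind a 2-byte SSLv2 record header."""
    specs = b"".join(s.to_bytes(3, "big") for s in suites)
    body = b"\x01" + struct.pack(">HHHH", version, len(specs), len(session_id), len(challenge))
    body += specs + session_id + challenge
    # High bit set: no padding byte follows the header; low 15 bits: body length.
    return struct.pack(">H", 0x8000 | len(body)) + body


def parse_client_hello_v2(record):
    """Decode the record, checking that the three length fields account for every byte."""
    (hdr,) = struct.unpack(">H", record[:2])
    if not hdr & 0x8000:
        raise ValueError("3-byte (padded) SSLv2 record header not handled")
    length = hdr & 0x7FFF
    body = record[2:2 + length]
    if len(body) != length or body[0] != 0x01:
        raise ValueError("truncated record or not a CLIENT-HELLO")
    version, spec_len, sid_len, chal_len = struct.unpack(">HHHH", body[1:9])
    if spec_len % 3:
        raise ValueError("cipher-specs-length must be a multiple of 3")
    end = 9 + spec_len + sid_len + chal_len
    if end != length:
        raise ValueError("length fields do not add up to the record length")
    specs = body[9:9 + spec_len]
    suites = [int.from_bytes(specs[i:i + 3], "big") for i in range(0, spec_len, 3)]
    return {"version": version, "suites": suites,
            "session_id": body[9 + spec_len:9 + spec_len + sid_len],
            "challenge": body[end - chal_len:end], "alloclen": len(record)}


def offers_ssl3_or_tls(suites):
    """SSL3/TLS suites ride inside a V2 hello as 0x00 followed by the 2-byte suite id."""
    return any(s >> 16 == 0 for s in suites)
```

The version field is the two bytes ssltap prints in order, so 0x0300 is the SSL3-capable hello from Connection #1 and 0x0002 is IE6's pure SSL2 hello from Connection #5.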
------- Additional Comment #1 From Julien Pierre 2002-03-28 21:10 -------
Assigning to Nelson per our talk.
------- Additional Comment #2 From Julien Pierre 2002-03-28 21:39 -------
Created an attachment (id=76702)
cert database for use with selfserv
------- Additional Comment #3 From Julien Pierre 2002-03-28 21:40 -------
Created an attachment (id=76703)
key database for use with selfserv
------- Additional Comment #4 From Julien Pierre 2002-03-28 21:44 -------
I have attached cert and key DBs to use with selfserv to reproduce this problem.
The test command is as below.
(strange)/u/jpierre/nss/34/mozilla/dist/SunOS5.8_DBG.OBJ/bin{72} !68
./selfserv -n Server-Cert -p 2000 -m -r -r -w enterprise
As soon as you connect with a browser, you get the following message on the
console:
selfserv: HDX PR_Read returned error -12199:
No certificate authority is trusted for SSL client authentication.
FYI, I tried to use my GAT client to debug this problem on the client side also.
What happens on the client is:
error: PR_Send failure - NSPR rc = -5938 , OS rc = 0
End of file
There doesn't appear to be any SSL reported there, which is a little odd.