  1. RHEL
  2. RHEL-57787

Selfserv -q flag is not enabling compressed certificate support

    • Bug
    • Resolution: Unresolved
    • Normal
    • None
    • rhel-9.5
    • nss
    • No
    • Low
    • 1
    • rhel-sst-security-crypto
    • ssg_security
    • 3.5
    • False
    • None
    • Crypto25Q1
    • Certificate compression is:

      • advertised by default
      • smoke-tested against openssl for both server and client certificates
      • (optional) smoke-tested against gnutls for both server and client certificates
      • (optional) for zlib certificate decompressing to longer than uncompressed_length,
        selfserv rejects the zipbomb cert connection with `bad certificate` alert,
        and extra memory usage does not exceed 2^25 (32 MB)
    • None
    • None
    • None

      What were you trying to do that didn't work?

      When we try to use selfserv with the -q flag to enable compressed support

      Please provide the package NVR for which the bug is seen:

      nss-3.101.0-6.el9_4 nss-tools-3.101.0-6.el9_4

      How reproducible is this bug?:

      always

      Steps to reproduce

      1. Download and set up tlsfuzzer
      2. selfserv -n server -d sql:nssdb -q -p 4433
      3. Run tlsfuzzer/scripts/test-tls13-certificate-compression.py "smoke, zlib" against the server

      Expected results

      Receive a compressed certificate message from the server. "smoke, zlib" test case is passing.

      Actual results

      Received a certificate message from the server. "smoke, zlib" test case is failing.

              fkrenzel František Krenželok
              rh-ee-gpantela George Pantelakis
              František Krenželok František Krenželok
              Ondrej Moris Ondrej Moris
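
The optional acceptance criterion above (a zlib certificate that inflates past `uncompressed_length` must be rejected with bounded memory) can be illustrated with a receiver-side check. This is an added example, not NSS or tlsfuzzer code: it assumes the RFC 8879 `CompressedCertificate` layout (uint16 algorithm, uint24 `uncompressed_length`, uint24-prefixed payload), and the names `decompress_certificate`, `build_message` and `BadCertificate` are hypothetical.

```python
import struct
import zlib

ZLIB = 1                    # RFC 8879 algorithm identifier for zlib
MAX_CERT_MSG = 2 ** 24 - 1  # largest value a uint24 length field can carry


class BadCertificate(Exception):
    """The receiver should abort the handshake with a bad_certificate alert."""


def decompress_certificate(body: bytes, limit: int = MAX_CERT_MSG) -> bytes:
    """Parse a CompressedCertificate body and inflate it with a hard output bound."""
    if len(body) < 8:
        raise BadCertificate("truncated CompressedCertificate")
    algorithm = struct.unpack(">H", body[:2])[0]
    declared = int.from_bytes(body[2:5], "big")   # uncompressed_length
    comp_len = int.from_bytes(body[5:8], "big")
    compressed = body[8:]
    if algorithm != ZLIB:
        raise BadCertificate("unsupported algorithm")
    if comp_len == 0 or comp_len != len(compressed):
        raise BadCertificate("compressed length mismatch")
    if declared == 0 or declared > limit:
        raise BadCertificate("declared length out of range")
    inflater = zlib.decompressobj()
    try:
        # Never produce more than declared + 1 bytes: one extra byte is
        # enough to prove the stream overruns uncompressed_length.
        out = inflater.decompress(compressed, declared + 1)
    except zlib.error as exc:
        raise BadCertificate("corrupt zlib stream") from exc
    if len(out) != declared or not inflater.eof or inflater.unused_data:
        raise BadCertificate("output does not match uncompressed_length")
    return out


def build_message(certificate_msg: bytes, declared: int) -> bytes:
    """Constructed test input: wrap a payload with a chosen declared length."""
    comp = zlib.compress(certificate_msg)
    return (struct.pack(">H", ZLIB) + declared.to_bytes(3, "big")
            + len(comp).to_bytes(3, "big") + comp)
```

Because the output buffer is capped at `declared + 1` bytes and `declared` is at most 2^24 - 1, the extra memory used by decompression stays below the 2^25 bound named in the criterion regardless of how far the stream would expand.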