star_ni...@my-deja.com wrote:
> We are getting this error from a library.  

What library function?  PR_Write?
What NSS library version?

How did you get this copy of NSS?
As binaries directly from Mozilla?
As binaries from a Linux distribution?  (which one?)
As sources?  (where from?  Have you modified them?)

> I have been told the module is configured trust all certs.

I wonder what that means.

> Can someone shed some light on libssl, libnss stack trace and the error?

Yes.  There are very few functions in NSS that set the error code
SEC_ERROR_EXTENSION_NOT_FOUND.  They are all functions that look in a
certificate to try to find an extension.  If they do not find the
extension for which they have been told to look, they return that
error code.  The error code is not "fatal" in any sense.  It simply
means that the operation, looking for the extension, failed because
the extension was not present, as opposed to failing for some other
reason, such as having run out of allocatable memory.

Generally, the functions that try to find an extension in a cert are
called by other functions deep down inside of NSS.  If they do not
find an extension, they record this fact and go on doing the next task
to be done.  Rarely does the absence of an extension cause an outright
failure, and in all cases where it does, the function that decides that
the absence of the extension is an outright failure is obligated to
replace that error code with a different one, one that explains WHY
(or in what way) the absence of the extension was fatal to the operation.
Some very old versions of NSS didn't always ensure that that error code
got replaced with a better one in those cases, which is why I asked
what version of NSS you're using.

With modern versions of NSS, I think it is VERY unlikely that the error
code SEC_ERROR_EXTENSION_NOT_FOUND would have been output all the way up
the stack, so that it appeared that ssl_Write returned that error code.
I suspect that you're tracing through SSL code, and came across this
error code, and wonder about it.  My advice is: ignore that error code.

And, if you're using some old version of NSS, my advice is: upgrade to a
newer version.

>  the trace
> 
>               libnss3.so`cert_FindExtensionByOID+0x1c
>               libnss3.so`CERT_FindBitStringExtension+0x5c
>               libnss3.so`cert_GetCertType+0x1c
>               libnss3.so`CERT_DecodeDERCertificate+0x190
>               libnss3.so`nssDecodedPKIXCertificate_Create+0x30
>               libnss3.so`STAN_GetCERTCertificate+0x30
>               libnss3.so`__CERT_NewTempCertificate+0x154
>               libssl3.so`ssl3_HandleCertificate+0x2a4
>               libssl3.so`ssl3_HandleHandshakeMessage+0x2a0
>               libssl3.so`ssl3_HandleHandshake+0x114
>               libssl3.so`ssl3_HandleRecord+0x510
>               libssl3.so`ssl3_GatherCompleteHandshake+0x58
>               libssl3.so`ssl_GatherRecord1stHandshake+0x30
>               libssl3.so`ssl_Do1stHandshake+0xf0
>               libssl3.so`ssl_SecureSend+0x1cc
>               libssl3.so`ssl_Write+0x5c
> 

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
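The error-code discipline described in the reply above, as an added worked example.  This is not NSS code and is not from the post or the NSS project: it is a small C model of the pattern (a lookup function records a sentinel error when an extension is absent; callers for whom absence is ordinary carry on; the one caller that treats absence as fatal replaces the sentinel with a code that says why).  The error constants, the `find_extension`/`get_cert_type`/`decode_cert`/`require_key_usage` functions and the global error slot are stand-ins for NSS's per-thread `PORT_SetError`/`PORT_GetError` and the real `cert_FindExtensionByOID`/`cert_GetCertType`; only the two OIDs are real.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not NSS code.  NSS keeps a per-thread "last error" behind
 * PORT_SetError/PORT_GetError; a single global stands in for it here.
 * The enum values are made up and are not NSS's numeric codes. */
enum {
    ERR_NONE = 0,
    ERR_EXTENSION_NOT_FOUND,     /* stand-in for SEC_ERROR_EXTENSION_NOT_FOUND */
    ERR_NO_MEMORY,               /* stand-in for SEC_ERROR_NO_MEMORY */
    ERR_MISSING_REQUIRED_EXT     /* hypothetical "why it was fatal" code */
};

static int g_last_error = ERR_NONE;
void set_error(int e) { g_last_error = e; }
int  get_error(void)  { return g_last_error; }

typedef struct { const char *oid; const char *value; } Extension;
typedef struct { const Extension *exts; size_t n_exts; } Cert;

#define OID_NS_CERT_TYPE "2.16.840.1.113730.1.1"   /* netscape-cert-type (real OID) */
#define OID_KEY_USAGE    "2.5.29.15"               /* keyUsage (real OID) */

enum { TYPE_UNKNOWN = 0, TYPE_SSL_SERVER = 1, TYPE_SSL_CLIENT = 2 };

/* Modeled on cert_FindExtensionByOID: 0 and *out on success; -1 plus
 * ERR_EXTENSION_NOT_FOUND when the extension is simply absent, so a caller can
 * tell "not there" apart from a real failure such as ERR_NO_MEMORY. */
int find_extension(const Cert *c, const char *oid, const char **out) {
    for (size_t i = 0; i < c->n_exts; i++) {
        if (strcmp(c->exts[i].oid, oid) == 0) {
            *out = c->exts[i].value;
            return 0;
        }
    }
    set_error(ERR_EXTENSION_NOT_FOUND);
    return -1;
}

/* Modeled on cert_GetCertType: a missing netscape-cert-type extension is
 * ordinary, so the lookup's error is not a failure of this function.  This
 * model restores the previous error so the sentinel does not leak upward. */
int get_cert_type(const Cert *c) {
    const char *v;
    int saved = get_error();
    if (find_extension(c, OID_NS_CERT_TYPE, &v) != 0) {
        set_error(saved);
        return TYPE_UNKNOWN;
    }
    if (strcmp(v, "server") == 0) return TYPE_SSL_SERVER;
    if (strcmp(v, "client") == 0) return TYPE_SSL_CLIENT;
    return TYPE_UNKNOWN;
}

/* Stand-in for a decoder in the position of CERT_DecodeDERCertificate: it
 * asks for the cert type as side information and succeeds either way.
 * Returns 0 on success; the error slot is only meaningful after a -1. */
int decode_cert(const Cert *c, int *type_out) {
    *type_out = get_cert_type(c);
    return 0;
}

/* The one place absence is fatal: a (hypothetical) policy requiring keyUsage.
 * The function that makes that decision replaces the sentinel with a code
 * that explains why; other errors pass through unchanged. */
int require_key_usage(const Cert *c) {
    const char *v;
    if (find_extension(c, OID_KEY_USAGE, &v) != 0) {
        if (get_error() == ERR_EXTENSION_NOT_FOUND)
            set_error(ERR_MISSING_REQUIRED_EXT);
        return -1;
    }
    return 0;
}

/* Constructed sample certificates (not real DER). */
static const Extension server_exts[] = {
    { OID_NS_CERT_TYPE, "server" },
    { OID_KEY_USAGE,    "digitalSignature" },
};
const Cert server_cert = { server_exts, 2 };
const Cert bare_cert   = { NULL, 0 };

int main(void) {
    int type;
    decode_cert(&bare_cert, &type);
    printf("bare cert: type=%d, error after successful decode=%d\n", type, get_error());
    printf("bare cert: require_key_usage=%d, error=%d\n",
           require_key_usage(&bare_cert), get_error());
    printf("server cert: type=%d\n", get_cert_type(&server_cert));
    return 0;
}
```

The practical rule the model illustrates: only read the error slot immediately after a function has returned failure.  Seen in a debugger partway through a successful handshake, a leftover ERR_EXTENSION_NOT_FOUND (or its NSS counterpart) is a record of a lookup that came up empty, not a verdict on the connection.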
