On 2009-10-14 05:27 PDT, star_ni...@my-deja.com wrote:
> Nelson,
>
> Thank you for your response.
>
> The module is an access manager Apache agent module from Sun
> (libamapc2). This gets loaded when Apache starts and handles
> authentication of AM protected applications.
>
> You are correct that I don't see sec_error_ext_not_found in logs, but
> I found it is happening from tracing AM agent module.

As I suspected. That error code, extension not found, is the single most
common error code that occurs in NSS. If you set a breakpoint in the
function that sets error codes (PR_SetError), you will find that about half
of the calls set that value. But you should essentially ignore it.

> The error message in the AM agent module is
>
> all: Connection::read(): NSPR Error while reading data:-5990
> AuthService: BaseService::doRequest() caught NSPRException: PR_Recv
> called by Connection::read() returned PR_IO_TIMEOUT_ERROR

IO Timeout error means that the thread waited for a read or a write to
finish on a socket for some application-specified time (might be 30 seconds,
or 5 minutes), after which it gave up. You won't learn much about that by
tracing through the code.

I don't want to discourage you from learning about NSS internals. :)
We can always use more help from more people familiar with NSS code
internals. :) But that's not the fast path to resolving IO timeout
errors, IMO.

> The NSS/NSPR/SSL library that we are using is the one shipped with
> Solaris 10 update 6.
>
> NSPR version = 4.6.7
> NSS version = 3.11.7
> libssl is also the same version as NSS
>
> we have a working config
> NSS 3.11.10
> NSPR 4.7.1
>
> The AM agent module itself is not configured with a CA cert that
> trusts, that's what I have been told and I have also been told it is
> configured to trust all certs since this only involves internal SSL
> communication with internal load balancer.

Well, given that the error you're experiencing is an IO timeout error and
not a certificate error (extension not found doesn't count ;) I wouldn't
worry about trusted certs at this point.

I'd suggest you try using a program like ssltap or ssldump to monitor the
traffic on the SSL connection(s). That will probably get you to the point
of being able to see what's wrong a LOT faster than tracing through code.

> Is the application (AM agent module) trying to create some temp
> certificate when it calls __CERT_NewTempCertificate? Any reference
> where I can get more info is appreciated.

When an application that uses NSS receives a certificate from some other
source (e.g. over a wire, or in a file) and wants to check the certificate,
it must first "import" the certificate into NSS. There are two ways to
import a certificate into NSS. Those two ways are known as "temporary" and
"permanent" or "temp" and "perm" for short. In this case, the SSL code has
received a certificate from the other system to which it is connected, and
is trying to import the certificate as a temporary cert for the purpose of
verifying the validity of the cert.

But I think you should ignore the extension not found error code completely.
It's not the real problem that you need to solve.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto