OCSP and CRL tests fail on Mac
Issue description

Tip of tree (5dfa2e4c9eee485cc60a851cf28445de16f91010)
OSX 10.12.4

What steps will reproduce the problem?
(1) Pull tip of tree and `gclient sync`
(2) Build and run net_unittests

What is the expected result?
Tests pass.

What happens instead?
The following tests fail:
- HTTPSEVCRLSetTest.ExpiredCRLSet
- HTTPSEVCRLSetTest.FreshCRLSetNotCovered
- HTTPSEVCRLSetTest.MissingCRLSetAndInvalidOCSP
- HTTPSOCSPTest.Invalid

Haven't tested on other places, but presumably these aren't caught by trybots because we don't run Sierra. (That's what happened in Issue 701222.)
Apr 14 2017
When you say these fail on Mac, do you mean they fail on Mac Sierra, or more generally?
Apr 14 2017
Apr 14 2017
> When you say these fail on Mac, do you mean they fail on Mac Sierra, or more generally?

I have no idea. All I know is they fail on my Sierra machine.
Apr 20 2017
These tests all use SpawnedTestServer::SSLOptions::OCSP_INVALID_RESPONSE, which makes the test OCSP server return a garbage response.
On Sierra we only get:
SecTrustGetCssmResultCode = CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK ("revocation check not successful for each cert")
and a chain_info[0].StatusCodes[0] = CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK
These get mapped to CERT_STATUS_NO_REVOCATION_MECHANISM which is then masked off before returning.
On 10.9 we get:
SecTrustGetCssmResultCode = "revocation check not successful for each cert"
chain_info[0].StatusCodes[0] = "unparseable OCSP response"
chain_info[0].StatusCodes[1] = "OCSP service unavailable"
The "unparseable OCSP response" gets mapped to CERT_STATUS_UNABLE_TO_CHECK_REVOCATION, which is what the test is expecting.
Apr 20 2017
(And because the CERT_STATUS_NO_REVOCATION_MECHANISM gets masked off, the cert verifies as EV even though the revocation wasn't checked.)
Jul 27 2017
Jul 28 2017
The following revision refers to this bug:
https://chromium.googlesource.com/chromium/src.git/+/66538437a3ea88aebca9413fee12746e6558d063

commit 66538437a3ea88aebca9413fee12746e6558d063
Author: Matt Mueller <mattm@chromium.org>
Date: Fri Jul 28 02:48:28 2017

remap CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK to CERT_STATUS_UNABLE_TO_CHECK_REVOCATION

Starting with later 10.12 versions, CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK is a catch-all code for failures to check revocation status.

Bug: 711588
Change-Id: Idf466d89ede45ef0a04250714b5f8ca8680188ab
Reviewed-on: https://chromium-review.googlesource.com/590104
Commit-Queue: Matt Mueller <mattm@chromium.org>
Reviewed-by: Ryan Sleevi <rsleevi@chromium.org>
Cr-Commit-Position: refs/heads/master@{#490224}

[modify] https://crrev.com/66538437a3ea88aebca9413fee12746e6558d063/net/cert/cert_verify_proc_mac.cc
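
Added example, not part of the thread and not Chromium's source: a simplified C++ model of the status mapping discussed in the comments above, showing how masking CERT_STATUS_NO_REVOCATION_MECHANISM lets an unchecked chain report as EV and how the remap closes that gap. The bit values, `TpCode`, `MapCode`, `VerifyEvCandidate` and the EV rule are assumptions made for illustration.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed bit values for this model; not Chromium's real constants.
constexpr uint32_t CERT_STATUS_NO_REVOCATION_MECHANISM = 1u << 0;
constexpr uint32_t CERT_STATUS_UNABLE_TO_CHECK_REVOCATION = 1u << 1;
constexpr uint32_t CERT_STATUS_IS_EV = 1u << 2;

// Hypothetical stand-ins for the platform status codes quoted in the thread.
enum class TpCode {
  kIncompleteRevocationCheck,  // CSSMERR_APPLETP_INCOMPLETE_REVOCATION_CHECK
  kUnparseableOcspResponse,    // "unparseable OCSP response"
  kOcspServiceUnavailable,     // "OCSP service unavailable"
};

// remap_incomplete: true = mapping from the commit message, false = earlier one.
uint32_t MapCode(TpCode code, bool remap_incomplete) {
  switch (code) {
    case TpCode::kIncompleteRevocationCheck:
      return remap_incomplete ? CERT_STATUS_UNABLE_TO_CHECK_REVOCATION
                              : CERT_STATUS_NO_REVOCATION_MECHANISM;
    case TpCode::kUnparseableOcspResponse:
      return CERT_STATUS_UNABLE_TO_CHECK_REVOCATION;
    case TpCode::kOcspServiceUnavailable:
      return 0;  // Assumption: the thread does not say how this one is mapped.
  }
  return 0;
}

// Simplified model of the verify result for an EV candidate chain.
uint32_t VerifyEvCandidate(const std::vector<TpCode>& codes, bool remap_incomplete) {
  uint32_t status = 0;
  for (TpCode c : codes) status |= MapCode(c, remap_incomplete);
  // NO_REVOCATION_MECHANISM is masked off before returning, as the thread notes.
  status &= ~CERT_STATUS_NO_REVOCATION_MECHANISM;
  // Assumption: EV is reported only if no revocation failure survives the mask.
  if (!(status & CERT_STATUS_UNABLE_TO_CHECK_REVOCATION)) status |= CERT_STATUS_IS_EV;
  return status;
}
// Constructed inputs mirroring the two platforms described in the thread.
const std::vector<TpCode> kSierra = {TpCode::kIncompleteRevocationCheck};
const std::vector<TpCode> kMac10_9 = {TpCode::kUnparseableOcspResponse,
                                      TpCode::kOcspServiceUnavailable};

int main() {
  std::printf("Sierra: before=%#x after=%#x\n", VerifyEvCandidate(kSierra, false),
              VerifyEvCandidate(kSierra, true));
}
```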
Jul 28 2017
Aug 1 2017
Thanks! https://luci-milo.appspot.com/buildbot/chromium.fyi/Chromium%20Mac%2010.13/27
Comment 1 by ricea@chromium.org, Apr 14 2017