Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Segfault when using additional_trust_anchors #5279

Closed
vzr314 opened this issue Sep 7, 2016 · 8 comments
Closed

Segfault when using additional_trust_anchors #5279

vzr314 opened this issue Sep 7, 2016 · 8 comments
Assignees

Comments

@vzr314
Copy link

vzr314 commented Sep 7, 2016

OS: Windows 10 (x64)
Build: 0.17.0 SDK Win64

When additional_trust_anchors is used in package.json app wont start. Starting from terminal gives me Segmentation Fault error. Without this parameter application starts normally.

This issue may be somehow related to: #4210

@longsleep
Copy link

Also crashes on Linux x86_64 (nwjs-sdk-v0.17.3-linux-x64)

[28893:28915:0920/171230:ERROR:nss_util.cc(809)] After loading Root Certs, loaded==false: NSS error code: -8018
Segmentation fault

@rogerwang rogerwang self-assigned this Sep 21, 2016
@vzr314
Copy link
Author

vzr314 commented Sep 21, 2016

Tested latest SDK build (0.17.4) but bug is still here.

@rogerwang
Copy link
Member

This is fixed in git and will be available in the next nightly build.

@rogerwang
Copy link
Member

reopen since the fix has issue in windows.

@rogerwang rogerwang reopened this Sep 22, 2016
@rogerwang
Copy link
Member

@fancycode would you mind look into this? The patch in net/cert/cert_verify_proc_win.cc is broken with latest Chromium.

@rogerwang
Copy link
Member

@fancycode I just updated net/cert/cert_verify_proc_win.cc in nw17 branch. Please review: https://github.com/nwjs/chromium.src/blob/nw17/net/cert/cert_verify_proc_win.cc#L1081

And I'm not sure about the usage with your original patch: in windows the certification passed with package.json seems to be compared with the server certificate byte by byte so I have to put the server certification in our test case, while on other platforms using the CA certificate is the correct way...

@fancycode
Copy link
Contributor

Hmm, it's been a long time since I was working on this and I currently don't have a Windows dev environment to test locally.

From what I remember, the verification code stopped at the first unknown certificate, which I think was the CA certificate (assuming the server sends the complete certificate chain). This certificate is then compared against the additional trust anchor list.
Thinking about it, this should probably be changed to check if that unknown certificate was issued by one of the certs in the trust anchors list, so you don't have to modify your testcase for Windows.

@rogerwang
Copy link
Member

fixed in git and will be released with upcoming 0.17.5.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

4 participants