On Thu, 24 Mar 2011 00:16:17 +0100 roberth <rob...@openbsd.pap.st> wrote:
> On Wed, 23 Mar 2011 21:35:51 +0000 > Mikolaj Kucharski <miko...@kucharski.name> wrote: > > > Hi, > > > > Sorry, I cannot test this right now on OpenBSD but can anyone of you > > open following url: https://the.bucket.cc/ without a crash on > > Firefox 4 or 3.6.16 on OpenBSD? > > > > love these "hey, click my exploit!" ... ;) > > # openssl s_client -showcerts -connect the.bucket.cc:443 > > empty subject/issuer. > > bugzilla 644012 https://bugzilla.mozilla.org/show_bug.cgi?id=644012 and for those worried sick about this running firefox 3.3.16, and can't wait for an upstream release... --- www/mozilla-firefox/patches/patch-security_manager_ssl_src_nsNSSCallbacks_cpp.orig Thu Mar 24 01:24:11 2011 +++ www/mozilla-firefox/patches/patch-security_manager_ssl_src_nsNSSCallbacks_cpp Thu Mar 24 01:23:07 2011 @@ -0,0 +1,24 @@ +$OpenBSD$ +--- security/manager/ssl/src/nsNSSCallbacks.cpp.orig Thu Mar 24 01:18:45 2011 ++++ security/manager/ssl/src/nsNSSCallbacks.cpp Thu Mar 24 01:20:00 2011 +@@ -1007,8 +1007,11 @@ SECStatus PR_CALLBACK AuthCertificateCallback(void* cl + nsNSSShutDownPreventionLock locker; + + CERTCertificate *serverCert = SSL_PeerCertificate(fd); ++ CERTCertificateCleaner serverCertCleaner(serverCert); ++ + if (serverCert && + serverCert->serialNumber.data && ++ serverCert->issuerName && + !strcmp(serverCert->issuerName, + "CN=UTN-USERFirst-Hardware,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US")) { + +@@ -1051,8 +1054,6 @@ SECStatus PR_CALLBACK AuthCertificateCallback(void* cl + // We want to remember the CA certs in the temp db, so that the application can find the + // complete chain at any time it might need it. + // But we keep only those CA certs in the temp db, that we didn't already know. +- +- CERTCertificateCleaner serverCertCleaner(serverCert); + + if (serverCert) { + nsNSSSocketInfo* infoObject = (nsNSSSocketInfo*) fd->higher->secret;
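Review bot: In the first hunk (@@ -1007,8 +1007,11), the added "serverCert->issuerName &&" guard has no comment saying why issuerName can be NULL, and it protects only the strcmp against the UTN-USERFirst-Hardware issuer string. A one-line comment above the condition pointing at the empty subject/issuer certificate and bugzilla 644012 would keep the check from being dropped in a later cleanup. Since the certificate in the thread has an empty subject as well as an empty issuer, it is also worth checking whether the rest of AuthCertificateCallback passes the subject or issuer name to a string function without the same test.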
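Review bot: In the second hunk (@@ -1051,8 +1054,6), removing "CERTCertificateCleaner serverCertCleaner(serverCert);" is only correct together with the declaration the first hunk adds right after SSL_PeerCertificate(fd), and the patch file says nothing about this second change: below $OpenBSD$ there is no description at all. Moving the cleaner to the top means it now also covers the code between the two hunks, which is a change in the certificate's lifetime handling separate from the NULL check. Please add a short description under the $OpenBSD$ line stating both changes and the bug reference, so the two hunks are not split or reverted independently.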