Closed
Bug 1261936
Opened 9 years ago
Closed 9 years ago
stop using the subject common name in certificate verification error messages
Categories
(Core :: Security: PSM, defect)
Core
Security: PSM
Tracking
()
RESOLVED
FIXED
mozilla48
| Tracking | Status | |
|---|---|---|
| firefox48 | --- | fixed |
People
(Reporter: keeler, Assigned: keeler)
References
Details
Attachments
(1 file)
As of bug 1245280, Firefox doesn't use the subject common name for name information (on Nightly - on release this will happen for new certificates (issued after August 23, 2016)). The error messages as provided by PSM in the case of hostname mismatches shouldn't do so either.
|
Assignee | |
Comment 1•9 years ago
|
||
Review commit: https://reviewboard.mozilla.org/r/44395/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/44395/
Attachment #8738259 -
Flags: review?(cykesiopka.bmo)
|
|
Assignee | |
Updated•9 years ago
|
Assignee: nobody → dkeeler
|
|
||
Comment 2•9 years ago
|
||
Comment on attachment 8738259 [details]
MozReview Request: bug 1261936 - stop using the subject common name in certificate verification error messages r?Cykesiopka
https://reviewboard.mozilla.org/r/44395/#review41257
LGTM.
::: security/manager/ssl/TransportSecurityInfo.cpp:712
(Diff revision 1)
> - nsIX509Cert* ix509,
> - nsINSSComponent *component,
> - bool wantsHtml,
> - nsString &returnedMessage)
> -{
> - const char16_t *params[1];
> + nsINSSComponent* component, bool wantsHtml,
> + nsString& returnedMessage)
> +{
> + // Prepare a default "not valid for <hostname>" string in case anything
> + // goes wrong (or in case the certificate is not valid for any hostnames).
> + nsString notValidForHostnameString;
Nit: I believe nsAutoString is preferred for stack strings because of the internal 64 char buffer.
(Then again, the base value of "certErrorMismatch" is already 42 chars, so maybe it doesn't matter.)
::: security/manager/ssl/TransportSecurityInfo.cpp:745
(Diff revision 1)
> - const char *stringID;
> - if (wantsHtml)
> + const char* stringID;
> + if (wantsHtml) {
> stringID = "certErrorMismatchSingle2";
> - else
> + } else {
> stringID = "certErrorMismatchSinglePlain";
> + }
Nit: Ternary if might look nicer here.
::: security/manager/ssl/tests/unit/head_psm.js:645
(Diff revision 1)
>
> // Utility functions for adding tests relating to certificate error overrides
>
> // Helper function for add_cert_override_test. Probably doesn't need to be
> // called directly.
> -function add_cert_override(aHost, aExpectedBits, aSecurityInfo) {
> +function add_cert_override(aHost, aExpectedBits, aExpectedErrorRegexp,
Optional: Maybe do |aExpectedErrorRegexp = null| or |aExpectedErrorRegexp = undefined| here to make it clearer that aExpectedErrorRegexp is optional?
::: security/manager/ssl/tests/unit/head_psm.js:647
(Diff revision 1)
>
> // Helper function for add_cert_override_test. Probably doesn't need to be
> // called directly.
> -function add_cert_override(aHost, aExpectedBits, aSecurityInfo) {
> +function add_cert_override(aHost, aExpectedBits, aExpectedErrorRegexp,
> + aSecurityInfo) {
> + aSecurityInfo.QueryInterface(Ci.nsITransportSecurityInfo);
Is this line necessary?
Attachment #8738259 -
Flags: review?(cykesiopka.bmo) → review+
|
|
Assignee | |
Comment 3•9 years ago
|
||
https://reviewboard.mozilla.org/r/44395/#review41257
Thanks!
> Nit: I believe nsAutoString is preferred for stack strings because of the internal 64 char buffer.
> (Then again, the base value of "certErrorMismatch" is already 42 chars, so maybe it doesn't matter.)
Ok - hostnames are sometimes short.
> Nit: Ternary if might look nicer here.
Agreed.
> Optional: Maybe do |aExpectedErrorRegexp = null| or |aExpectedErrorRegexp = undefined| here to make it clearer that aExpectedErrorRegexp is optional?
Sounds good.
> Is this line necessary?
Apparently not.
|
|
Assignee | |
Comment 4•9 years ago
|
||
Comment on attachment 8738259 [details]
MozReview Request: bug 1261936 - stop using the subject common name in certificate verification error messages r?Cykesiopka
Review request updated; see interdiff: https://reviewboard.mozilla.org/r/44395/diff/1-2/
Attachment #8738259 -
Attachment description: MozReview Request: bug 1261936 - stop using the subject common name in certificate verification error messages → MozReview Request: bug 1261936 - stop using the subject common name in certificate verification error messages r?Cykesiopka
|
|
Assignee | |
Comment 5•9 years ago
|
||
|
|
Assignee | |
Comment 6•9 years ago
|
||
Comment on attachment 8738259 [details]
MozReview Request: bug 1261936 - stop using the subject common name in certificate verification error messages r?Cykesiopka
Review request updated; see interdiff: https://reviewboard.mozilla.org/r/44395/diff/2-3/
|
||
Comment 8•9 years ago
|
||
| bugherder | ||
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla48
You need to log in
before you can comment on or make changes to this bug.
Description
•