IPsec usage is too restrictive for existing deployments
Categories: NSS :: Libraries, enhancement, P1
Tracking: Not tracked
People: Reporter: rrelyea, Assigned: rrelyea
Attachments: 1 file
Comment 1•6 years ago
OK, I pushed enter too soon and it created this bug without a full description. Here is the full description:
In bug 1252891 we added a new IPSEC usage. The code was a compromise between strict and completely open usage. That compromise violated existing cert processing RFCs, namely the RFC requires that if you parse an extension, setting that extension to critical should not change how you parse said extension.
This created customer issues when they had keyUsage extensions, which were marked critical, but did not contain any IPSEC usage OIDs.
The libreSwan development team has suggested that IPSEC should accept all certificate usages. This seems problematic for the security team and the final agreement was that:
IPSEC should accept the current IPSEC usages (including some deprecated usages), SSL server, SSL client, and S/MIME usages. Other specialized usages are still not accepted (code signing, OCSP and CRL signing, etc.), and it's possible to issue IPSEC-only certificates by using the IPSEC usages.
This new semantic also has the advantage of simplifying the previous IPSEC patch by making IPSEC work just like our SSLServer or S/MIME usages.
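The policy agreed in comment 1, modelled as an added Python example (this is not NSS code and not the patch attached to this bug). The usage OIDs the comment refers to live in the extendedKeyUsage (EKU) extension, which is a DER SEQUENCE OF OBJECT IDENTIFIER; the block builds one, parses it back strictly, and applies a check that accepts the current and deprecated IPsec OIDs, serverAuth, clientAuth and emailProtection while rejecting codeSigning, OCSPSigning and any other usage. The OID constants are the standard id-kp values; everything else is an assumption made for illustration: that "accept" means at least one accepted OID is present, that a certificate with no EKU extension is usable for any purpose (RFC 5280 s4.2.1.12 semantics), and that the extension's critical flag must not change the outcome, which is the RFC point the comment makes.

```python
"""Added example (not NSS code): model of the IPsec usage policy from comment 1.

EKU is a DER SEQUENCE OF OBJECT IDENTIFIER.  Build one, parse it back, and
apply the policy.  The critical flag is ignored on purpose: a recognised
extension is interpreted the same way whether or not it is critical.
"""
from typing import Optional

# Standard id-kp OIDs (RFC 5280 s4.2.1.12; ipsecIKE from RFC 4945).
KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"
KP_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"
KP_CODE_SIGNING = "1.3.6.1.5.5.7.3.3"
KP_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"
KP_IPSEC_END_SYSTEM = "1.3.6.1.5.5.7.3.5"   # deprecated
KP_IPSEC_TUNNEL = "1.3.6.1.5.5.7.3.6"       # deprecated
KP_IPSEC_USER = "1.3.6.1.5.5.7.3.7"         # deprecated
KP_OCSP_SIGNING = "1.3.6.1.5.5.7.3.9"
KP_IPSEC_IKE = "1.3.6.1.5.5.7.3.17"
KP_IKE_INTERMEDIATE = "1.3.6.1.5.5.8.2.2"

# Usages the IPsec check accepts per comment 1.  Assumption: "accept" means at
# least one of these OIDs appears in the EKU.
IPSEC_ACCEPTED = frozenset({
    KP_IPSEC_IKE, KP_IPSEC_END_SYSTEM, KP_IPSEC_TUNNEL, KP_IPSEC_USER,
    KP_IKE_INTERMEDIATE, KP_SERVER_AUTH, KP_CLIENT_AUTH, KP_EMAIL_PROTECTION,
})


def _base128(n: int) -> bytes:
    """One OID arc, big-endian base-128 with continuation bits."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER (tag 0x06, short-form length) from dotted text."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([arcs[0] * 40 + arcs[1]]) + b"".join(_base128(a) for a in arcs[2:])
    assert len(body) < 128, "short-form length only"
    return bytes([0x06, len(body)]) + body


def encode_eku(oids) -> bytes:
    """DER extendedKeyUsage value: SEQUENCE OF OBJECT IDENTIFIER."""
    body = b"".join(encode_oid(o) for o in oids)
    assert len(body) < 128, "short-form length only"
    return bytes([0x30, len(body)]) + body


def decode_oid(body: bytes) -> str:
    """Contents octets of an OID back to dotted text; rejects a cut-off arc."""
    if not body:
        raise ValueError("empty OID")
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    if body[-1] & 0x80:
        raise ValueError("truncated OID arc")
    return ".".join(map(str, arcs))


def parse_eku(der: bytes) -> list:
    """Strict parse of an EKU value; malformed input raises instead of guessing."""
    if len(der) < 2 or der[0] != 0x30 or der[1] >= 0x80:
        raise ValueError("expected short-form SEQUENCE")
    end = 2 + der[1]
    if end != len(der):
        raise ValueError("length does not match buffer")
    oids, i = [], 2
    while i < end:
        if i + 2 > end or der[i] != 0x06:
            raise ValueError("expected OBJECT IDENTIFIER")
        n = der[i + 1]
        if n >= 0x80 or i + 2 + n > end:
            raise ValueError("bad OID length")
        oids.append(decode_oid(der[i + 2:i + 2 + n]))
        i += 2 + n
    return oids


def ipsec_usage_ok(eku_der: Optional[bytes], critical: bool) -> bool:
    """True if the cert may be used for IPsec under the comment-1 policy.

    `critical` is accepted and never consulted: criticality of a recognised
    extension must not change how it is interpreted (the RFC point in comment 1).
    """
    if eku_der is None:
        # Assumption: no EKU extension means no restriction on purpose.
        return True
    return any(oid in IPSEC_ACCEPTED for oid in parse_eku(eku_der))


if __name__ == "__main__":
    # Constructed inputs: the customer case (critical EKU, serverAuth only) and
    # a code-signing cert; the result is the same with either critical flag.
    for label, oids in [("serverAuth", [KP_SERVER_AUTH]), ("codeSigning", [KP_CODE_SIGNING])]:
        der = encode_eku(oids)
        print(label, ipsec_usage_ok(der, True), ipsec_usage_ok(der, False))
```

Under the earlier compromise the first constructed case (critical EKU carrying only serverAuth) was the one that failed for customers; under this policy it passes, and the critical flag is irrelevant to both outcomes. An IPsec-only certificate is still expressible by issuing an EKU that carries only the IPsec OIDs, since a TLS or S/MIME check will not find its own OID there.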
Updated•6 years ago
Updated•6 years ago
Comment 2•6 years ago
try: -b do -p all -u all -t all -e all
Comment 3•6 years ago
Updated•5 years ago
Comment 4•5 years ago
Comment 5•5 years ago
Bob, ABI check failures:
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=244950795&repo=nss&lineNumber=3212
Looks like the ABI line numbers are slightly off.
Comment 6•5 years ago
Yup, Not sure why the nss-try build didn't catch it. Might have been a merge issue. Updated the ABI file.
bob
Comment 7•5 years ago
Ah, the try build didn't do ABI.
bob
Comment 8•5 years ago