Closed Bug 1537927 Opened 2 years ago Closed 2 years ago

IPsec usage is too restrictive for existing deployments

Categories

(NSS :: Libraries, enhancement, P1)

enhancement

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: rrelyea, Assigned: rrelyea)

Details

Attachments

(1 file)

No description provided.

OK, I pushed enter too soon and it created this bug without a full description. Here is the full description:

In bug 1252891 we added a new IPSEC usage. The code was a compromise between strict and completely open usage. That compromise violated existing cert processing RFCs; namely, the RFC requires that if you parse an extension, setting that extension to critical should not change how you parse said extension.

This created customer issues when they had keyUsage extensions, which were marked critical, but did not contain any IPSEC usage OIDs.
The libreSwan development team has suggested that IPSEC should accept all certificate usages. This seems problematic for the security team and the final agreement was that:

IPSEC should accept the current ipsec usages (including some deprecated usages), SSL server, SSL client, and S/MIME usages. Other specialized usages are still not accepted (code signing, OCSP and CRL signing, etc), and it's possible to issue IPSEC only certificates by using the IPSEC usages.

This new semantic also has the advantage of simplifying the previous IPSEC patch by making IPSEC work just like our SSLServer or S/MIME usages.
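The acceptance rule agreed in the comment above, modelled as an added example; this is not NSS code and not the patch attached to this bug. It decodes a DER ExtKeyUsage value into dotted OIDs and then applies the new rule (accept IPsec purposes, SSL server, SSL client and S/MIME; reject code signing, OCSP signing and anything else). The exact set of "IPsec usages (including some deprecated usages)" is an assumption taken from RFC 4945 and RFC 4809, since the page does not list the OIDs, and `old_compromise_ok` is a reconstruction, from the description only, of the behaviour that rejected critical EKUs lacking an IPsec OID. The EKU bytes are constructed sample input.

```python
"""Model of the IPsec usage rule from this bug (added example, not NSS code)."""
from typing import Callable, Iterable, List, Optional, Tuple

# Extended key usage OIDs from RFC 5280 section 4.2.1.12, RFC 4945 and RFC 4809.
SERVER_AUTH      = "1.3.6.1.5.5.7.3.1"
CLIENT_AUTH      = "1.3.6.1.5.5.7.3.2"
CODE_SIGNING     = "1.3.6.1.5.5.7.3.3"
EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"   # S/MIME
IPSEC_END_SYSTEM = "1.3.6.1.5.5.7.3.5"   # deprecated IPsec purpose
IPSEC_TUNNEL     = "1.3.6.1.5.5.7.3.6"   # deprecated IPsec purpose
IPSEC_USER       = "1.3.6.1.5.5.7.3.7"   # deprecated IPsec purpose
OCSP_SIGNING     = "1.3.6.1.5.5.7.3.9"
IPSEC_IKE        = "1.3.6.1.5.5.7.3.17"
IKE_INTERMEDIATE = "1.3.6.1.5.5.8.2.2"

# Assumption: this is the set of IPsec purposes the bug calls "the current ipsec
# usages (including some deprecated usages)"; the page itself lists no OIDs.
IPSEC_PURPOSES = frozenset({IPSEC_IKE, IKE_INTERMEDIATE, IPSEC_END_SYSTEM, IPSEC_TUNNEL, IPSEC_USER})
# The agreed rule: IPsec purposes plus SSL server, SSL client and S/MIME, nothing else.
IPSEC_ACCEPTED = IPSEC_PURPOSES | {SERVER_AUTH, CLIENT_AUTH, EMAIL_PROTECTION}

# Constructed sample: ExtKeyUsage SEQUENCE { serverAuth, clientAuth } as found in a
# typical TLS server certificate (not taken from any real certificate).
TLS_SERVER_EKU_DER = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")


def _read_len(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    if first < 0x80:
        return first, pos + 1
    n = first & 0x7F
    if n == 0 or n > 4 or pos + 1 + n > len(buf):
        raise ValueError("unsupported or truncated DER length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def decode_oid(body: bytes) -> str:
    """Decode the contents of an OBJECT IDENTIFIER into dotted form."""
    if not body:
        raise ValueError("empty OID")
    first = body[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value, pending = 0, False
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def parse_eku(der: bytes) -> List[str]:
    """Parse a DER ExtKeyUsageSyntax (SEQUENCE OF OBJECT IDENTIFIER) into dotted OIDs."""
    if not der or der[0] != 0x30:
        raise ValueError("ExtKeyUsage must be a SEQUENCE")
    length, pos = _read_len(der, 1)
    end = pos + length
    if end != len(der):
        raise ValueError("length does not match ExtKeyUsage data")
    oids = []
    while pos < end:
        if der[pos] != 0x06:
            raise ValueError("KeyPurposeId must be an OBJECT IDENTIFIER")
        olen, pos = _read_len(der, pos + 1)
        if pos + olen > end:
            raise ValueError("OID runs past end of SEQUENCE")
        oids.append(decode_oid(der[pos:pos + olen]))
        pos += olen
    if not oids:
        raise ValueError("ExtKeyUsage must contain at least one KeyPurposeId")
    return oids


def encode_eku(oids: Iterable[str]) -> bytes:
    """Encode dotted OIDs as a DER ExtKeyUsage (short-form lengths only)."""
    body = b""
    for dotted in oids:
        arcs = [int(a) for a in dotted.split(".")]
        out = bytearray([arcs[0] * 40 + arcs[1]])
        for arc in arcs[2:]:
            chunk = [arc & 0x7F]
            arc >>= 7
            while arc:
                chunk.append(0x80 | (arc & 0x7F))
                arc >>= 7
            out.extend(reversed(chunk))
        body += b"\x06" + bytes([len(out)]) + bytes(out)
    if len(body) >= 0x80:
        raise ValueError("example encoder only supports short-form lengths")
    return b"\x30" + bytes([len(body)]) + body


def ipsec_usage_ok(eku_oids: Optional[Iterable[str]], critical: bool = False) -> bool:
    """New rule: no EKU extension is accepted (as for SSL server / S/MIME), otherwise the
    EKU must name an accepted purpose. `critical` is deliberately unused: criticality
    must not change how the extension is interpreted."""
    if eku_oids is None:
        return True
    return not IPSEC_ACCEPTED.isdisjoint(eku_oids)


def old_compromise_ok(eku_oids: Optional[Iterable[str]], critical: bool = False) -> bool:
    """Reconstruction (assumption) of the rejected compromise: a critical EKU without an
    IPsec purpose fails, a non-critical one passes."""
    if eku_oids is None or not IPSEC_PURPOSES.isdisjoint(eku_oids):
        return True
    return not critical


def criticality_independent(rule: Callable[..., bool], eku_oids: Iterable[str]) -> bool:
    """True if the rule gives the same verdict whether or not the EKU is critical."""
    oids = list(eku_oids)
    return rule(oids, critical=False) == rule(oids, critical=True)
```

`criticality_independent` is the check the comment above argues for: under the new rule a critical `serverAuth`/`clientAuth` EKU (the customer case) is accepted exactly like a non-critical one, while the reconstructed compromise flips its verdict on the critical flag alone.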

Assignee: nobody → rrelyea
Status: NEW → ASSIGNED

try: -b do -p all -u all -t all -e all

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
Target Milestone: --- → 3.44

Bob, ABI check failures:

https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=244950795&repo=nss&lineNumber=3212

Looks like the ABI line numbers are slightly off.

Flags: needinfo?(rrelyea)

Yup, not sure why the nss-try build didn't catch it. Might have been a merge issue. Updated the ABI file.

bob

Flags: needinfo?(rrelyea)

Ah, the try build didn't do ABI.

bob
