Closed Bug 1560353 Opened 5 years ago Closed 5 years ago

Cert verification cache

Categories

(Core :: Security: PSM, enhancement, P1)

Tracking

RESOLVED FIXED
mozilla71
Tracking Status
firefox71 --- fixed

People

(Reporter: dragana, Assigned: kershaw)

Details

(Whiteboard: [psm-assigned])

Attachments

(2 files)

No description provided.
Blocks: 1512471
Type: defect → enhancement
Assignee: nobody → dd.mozilla
Priority: -- → P1
Whiteboard: [psm-assigned]

We want to remove the call to VerifySSLServerCert (in this line). For this we will need:

  • use the TLS session cache implemented in necko instead of the one implemented in nss. Currently this cache is not used.
  • we will extend that cache to add the information that the function RebuildVerifiedCertificateInformation gets from VerifySSLServerCert. (Background: when we have a session resumption, we do not call AuthenticationHook, and the info about certs is not added to nsNSSSocketInfo; therefore we need to call VerifySSLServerCert to get this info, and this info is added to nsNSSSocketInfo in RebuildVerifiedCertificateInformation.)
  • the TLS session cache contains a resumption token that can be used for the next session resumption; we need to add:
    • whether certificate validation was successful
    • evOidPolicy != SEC_OID_UNKNOWN
    • certificateTransparencyInfo
    • server certificate
    • certificate built chain

What we need is to call these lines with information from the cache instead of calling VerifySSLServerCert.
The session that sets the resumption token gets the info above stored in nsNSSSocketInfo after certificate validation in lines.
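
The design in the comment above, sketched as an added example that is not code from the bug or from Firefox: a token cache entry carries the verification result, and a resumed session copies it instead of verifying again. All type and function names are hypothetical stand-ins, and falling back to full verification when the stored result is missing or unsuccessful is an assumption.

```cpp
#include <map>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in types; not the Firefox SSLTokensCache or PSM API.
using Bytes = std::vector<unsigned char>;

struct VerifiedCertInfo {          // the fields listed in the comment above
  bool validationSucceeded = false;
  bool isEV = false;               // evOidPolicy != SEC_OID_UNKNOWN
  std::string ctInfo;              // certificateTransparencyInfo, opaque here
  Bytes serverCert;                // server certificate (DER)
  std::vector<Bytes> builtChain;   // certificate built chain
};
struct CacheEntry { Bytes resumptionToken; VerifiedCertInfo info; };

struct SocketInfo {                // plays the role of nsNSSSocketInfo
  bool resumed = false;
  VerifiedCertInfo info;
};

class TokenCache {
  std::map<std::string, CacheEntry> mEntries;  // keyed by "host:port"
 public:
  int verifyCalls = 0;             // counts full certificate verifications
  void Remove(const std::string& key) { mEntries.erase(key); }
  // Simulated connection. `presented` is what a full handshake would verify
  // (constructed input); `token` is the resumption token the server issues.
  SocketInfo Connect(const std::string& key, const VerifiedCertInfo& presented,
                     const Bytes& token) {
    SocketInfo sock;
    auto it = mEntries.find(key);
    if (it != mEntries.end() && it->second.info.validationSucceeded) {
      // Resumed session: no AuthenticationHook runs, so copy the stored
      // result instead of calling the verifier again.
      sock.resumed = true;
      sock.info = it->second.info;
      return sock;
    }
    // Full handshake (assumed fallback): verify, then store the result
    // beside the token so both are evicted together.
    ++verifyCalls;
    sock.info = presented;
    mEntries[key] = CacheEntry{token, presented};
    return sock;
  }
};
```

Because the result lives in the same entry as the resumption token, evicting the token also discards the cached verdict, so the next connection goes through full verification.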
Assignee: dd.mozilla → kershaw
Depends on: 1580138
Pushed by kjang@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/73a76edb175f
Extend SSLTokensCache to store the result of VerifySSLServerCert r=dragana,keeler
https://hg.mozilla.org/integration/autoland/rev/f472f9a312c9
Add test for external session cache r=keeler
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla71