Closed Bug 1560353 Opened 5 years ago Closed 5 years ago

Cert verification cache

Categories

(Core :: Security: PSM, enhancement, P1)

enhancement

Tracking

()

RESOLVED FIXED
mozilla71
Tracking Status
firefox71 --- fixed

People

(Reporter: dragana, Assigned: kershaw)

References

Details

(Whiteboard: [psm-assigned])

Attachments

(2 files)

No description provided.
Blocks: 1512471
Type: defect → enhancement
Assignee: nobody → dd.mozilla
Priority: -- → P1
Whiteboard: [psm-assigned]

We want to remove call to VerifySSLServerCert( in this line). For this we will need:

  • use TLS session cache implemented in necko instead the one implemented in nss. Currently this cache is not used.
  • we will extend that cache to add information that function RebuildVerifiedCertificateInformation gets from VerifySSLServerCert. (Background: when we have a session resumption, we do not call AuthenticationHook and all info about certs are not added to nsNSSSocketInfo, therefore we need to call VerifySSLServerCert and get these info and these info is added to nsNSSSocketInfo in RebuildVerifiedCertificateInformation).
  • TLS session cache contains resumption token that can be used for the next session resumption we need to add:
    whether certificate validation was successful
    evOidPolicy != SEC_OID_UNKNOWN
    certificateTransparencyInfo
    server certificate
    certificate built chain
    What we need is to call this lines with infromation from the case instead of calling VerifySSLServerCert.
    The session that sets resumption token gets the info above stored in nNSSSocketInfo after certificate validation in lines.
Assignee: dd.mozilla → kershaw
Depends on: 1580138
Pushed by kjang@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/73a76edb175f Extend SSLTokensCache to store the result of VerifySSLServerCert r=dragana,keeler https://hg.mozilla.org/integration/autoland/rev/f472f9a312c9 Add test for external session cache r=keeler
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla71
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Created:
Updated:
Size: