Closed Bug 1630434 Opened 4 years ago Closed 4 years ago

intermediate certificate preloading healer

Categories

(Core :: Security: PSM, enhancement, P1)

Product:
Core
Component:
Security: PSM
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla79
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox-esr78 --- wontfix
firefox75 --- wontfix
firefox76 --- wontfix
firefox77 --- wontfix
firefox78 --- wontfix
firefox79 --- fixed

People

(Reporter: keeler, Assigned: keeler)

References

Details

(Whiteboard: [psm-assigned])

Attachments

(1 file)

Bug 1630434 - de-duplicate preloaded intermediates that may have been cached in cert9.db r?kjacobs!,bbeurdouche!
47 bytes, text/x-phabricator-request
Details | Review

Users may have cached intermediate certificates in their cert9.db that have also been downloaded via intermediate preloading. Some operations in NSS are linear (or worse) with the number of certificates in cert9.db, so we should consider removing those superfluous entries (as long as the user hasn't modified their trust bits). This could be done as a background task that periodically scans cert9.db and removes certificates as appropriate.

In general, PSM caches intermediates from verified certificate chains in the
NSS certdb. Before bug 1619021, this would include preloaded intermediates,
which is unnecessary because cert_storage has a copy of those certificates, and
so they don't need to take up time and space in the NSS certdb. This patch
introduces the intermediate preloading healer, which periodically runs on a
background thread, looks for these duplicate intermediates, and removes them
from the NSS certdb.

Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
Priority: P3 → P1
Whiteboard: [psm-backlog] → [psm-assigned]
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/889d7cd14e4d
de-duplicate preloaded intermediates that may have been cached in cert9.db r=kjacobs,bbeurdouche

Thanks. Working on the underlying issue in bug 1644224.

Flags: needinfo?(dkeeler)
Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/49da6b99bde3
de-duplicate preloaded intermediates that may have been cached in cert9.db r=kjacobs,bbeurdouche

https://hg.mozilla.org/mozilla-central/rev/49da6b99bde3

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox79: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → mozilla79

Is this something we should consider uplifting to Beta so it's in the next ESR or can this fix ride 79 to release?

status-firefox75: affectedwontfix
status-firefox76: affectedwontfix
status-firefox77: affectedwontfix
Flags: needinfo?(dkeeler)

Since the next ESR won't have had intermediate preloading without also having bug 1619021, it's not as important. I think it would be best to be cautious and let this ride the trains.

Flags: needinfo?(dkeeler)
Regressions: 1650654
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: