Closed Bug 1842872 Opened 2 years ago Closed 1 year ago

stop caching intermediate certificates

Categories

(Core :: Security: PSM, task, P1)

RESOLVED FIXED
130 Branch
Tracking Status
firefox130 --- fixed

People

(Reporter: keeler, Assigned: keeler)

Details

(Whiteboard: [psm-assigned])

Attachments

(1 file)

Firefox caches intermediate certificates from verified TLS certificate chains. This feature is an attempt to paper over misconfigured servers that don't send the appropriate intermediate certificates in the TLS handshake. However, it often leads to confusion (e.g. connections to misconfigured servers succeeding in old profiles but failing in new ones). Now that we have intermediate preloading and third party intermediate certificates, caching intermediates shouldn't be necessary. Removing this feature will also simplify the implementation and improve the performance of TLS certificate verification.

Depends on: 1876435

<0.2% of users make use of the NSS cert DB when building certificate chains, so I think we're good to go ahead with this: https://sql.telemetry.mozilla.org/queries/101293/source#249613

Pushed by dkeeler@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/6c01a963ad7b
stop caching intermediate certificates from TLS connections r=djackson

Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → 130 Branch