Use lib::pkix as default validator instead of the old-one
Categories
(NSS :: Build, enhancement)
Tracking
(Not tracked)
People
(Reporter: fkrenzel, Unassigned)
Details
Attachments
(1 file)
Steps to reproduce:
Actual results:
The old pkix validator is used.
Expected results:
As the old validator is rarely used, we propose to change the default to lib::pkix.
The legacy NSS validator doesn't support some extensions that are becoming popular. Change the default validator to use lib::pkix.
Bob, I have looked into this, and it seems that the only option enabling the use of the old validator is the 'disable_libpkix%': 1, in coreconf/config.gypi, which defines NSS_DISABLE_LIBPKIX, thus using the old validator. Isn't coreconf/config.gypi used only by ./build.sh, i.e., only the gyp-ninja builds are affected? If so, the make build is not affected and the only required change is to change the default in coreconf/config.gypi.
Comment 4•10 months ago
Sigh, I had a nice long explanation here for you and I must not have hit 'save changes' ...
This is not about doing anything with mozilla libpkix, which isn't yet integrated into NSS. When it is we will replace libpkix with the mozilla version.
It's about changing what cert_VerifyCertChain() in lib/certdb/certvfy.c uses. Currently it defaults to cert_VerifyCertChainOld() instead of cert_VerifyCertChainPkix(). There's a function it calls to determine which it uses called CERT_GetUsePKIXForValidation(). You need to change that function from a default of FALSE (overridden by an environment variable) to a default of TRUE (with a different value for the environment variable setting it back).
I wouldn't change the default in coreconf/config.gypi, but you should use the define to help decide your default.
Someday mozpkix will be integrated and we can get rid of libpkix with mozpkix taking over. We should eventually be able to ditch cert_VerifyCertChainOld() as well and get down to one validator.
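An added illustration of the selection logic described in the comment above, written for this page and not taken from NSS source: it models the current behaviour (legacy validator by default, environment variable opts into libpkix) next to the proposed one (libpkix by default, a different environment variable opts back into the legacy validator), and uses the NSS_DISABLE_LIBPKIX define named in the thread to keep the legacy default on builds that leave libpkix out. The function names and the NSS_USE_LEGACY_VALIDATOR / NSS_ENABLE_PKIX_VALIDATOR variable names are hypothetical.

```c
/* Illustrative model of validator selection; not NSS code.
 * All function and environment-variable names below are hypothetical. */
#include <stdio.h>
#include <stdlib.h>

typedef enum {
    VALIDATOR_LEGACY = 0,   /* cert_VerifyCertChainOld() in the real library */
    VALIDATOR_LIBPKIX = 1   /* cert_VerifyCertChainPkix() in the real library */
} validator_t;

/* An environment variable counts as set only when it has a non-empty value. */
static int env_is_set(const char *value)
{
    return value != NULL && value[0] != '\0';
}

/* Current behaviour as described in the thread: the default is the legacy
 * validator and an opt-in variable switches to libpkix.
 * enable_pkix_env is the value of a hypothetical NSS_ENABLE_PKIX_VALIDATOR. */
validator_t select_validator_current(const char *enable_pkix_env)
{
    return env_is_set(enable_pkix_env) ? VALIDATOR_LIBPKIX : VALIDATOR_LEGACY;
}

/* Proposed behaviour: libpkix is the default, a separate opt-out variable
 * restores the legacy validator, and a build that compiled libpkix out
 * (NSS_DISABLE_LIBPKIX) never selects it regardless of the environment.
 * use_legacy_env is the value of a hypothetical NSS_USE_LEGACY_VALIDATOR. */
validator_t select_validator_proposed(int libpkix_compiled_in,
                                      const char *use_legacy_env)
{
    if (!libpkix_compiled_in) {
        return VALIDATOR_LEGACY;
    }
    return env_is_set(use_legacy_env) ? VALIDATOR_LEGACY : VALIDATOR_LIBPKIX;
}

/* Reads the real process environment, the way a library getter would,
 * and lets the compile-time define decide whether libpkix is available. */
validator_t select_validator_from_environment(void)
{
#ifdef NSS_DISABLE_LIBPKIX
    int compiled_in = 0;
#else
    int compiled_in = 1;
#endif
    return select_validator_proposed(compiled_in, getenv("NSS_USE_LEGACY_VALIDATOR"));
}

int main(void)
{
    validator_t v = select_validator_from_environment();
    printf("validator selected: %s\n",
           v == VALIDATOR_LIBPKIX ? "libpkix" : "legacy");
    return 0;
}
```

Keeping the decision in a pure function that takes the define state and the variable value as arguments is what makes both defaults testable without rebuilding or changing the process environment.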