Closed Bug 351873 Opened 14 years ago Closed 14 years ago

OCSP checking not happening when viewing certificates.

(Core :: Security: PSM, defect, P1)

1.8 Branch

(Reporter: ckannan, Assigned: KaiE)

(Keywords: regression, Whiteboard: [would take patch])

(1 file)

I have a client cert which has an AIA extension that points to an OCSP server.
I have imported that certificate into Firefox.
I have also imported and trusted the CA that issued this certificate.

On Windows, for example, when using Firefox 2.0b2, I go to,

Use OCSP to validate only certificates that specify an OCSP URL

then, I close Firefox, relaunch it, and go to

Tools->Options->Advanced->Encryption->View Certificates.

If I select the certificate and click 'View', the OCSP request is not
sent to the OCSP server.

But the UI still says 'verified'.
See bug 149834 for a description of the issue.

This bug happens whenever the user uses a "view cert" button in the application.

When OCSP is enabled, this will result in OCSP being ignored and a false positive verification result can be displayed to the user.

Severity: normal → major
Depends on: 149834
Flags: blocking1.8.1?
Keywords: regression
Priority: -- → P1
Summary: OCSP checking not happening when selecting 'view certificate' in the Certificate Manager Window → OCSP checking not happening when viewing certificates.
Target Milestone: --- → mozilla1.8.1
Version: Trunk → 1.8 Branch
Attached patch Patch v1
This patch fixes the issue for me.

As described in "bug 149834 comment 23", NSS does not call OCSP when asked to verify a cert for usage "status responder".

This patch uses two separate calls, so OCSP will be checked for all usages except the responder usage.
Attachment #237407 - Flags: superreview?(rrelyea)
Attachment #237407 - Flags: review?(julien.pierre.bugs)
Not going to block for something we don't enable by default anywhere, but we will likely take a well-tested and reviewed patch before freeze.
Flags: blocking1.8.1? → blocking1.8.1-
Whiteboard: [would take patch]
Comment on attachment 237407
Patch v1

I think this is better fixed in NSS than in PSM.

CERT_VerifyCertificateNow was designed to be functionally equivalent to a series of CERT_VerifyCertNow calls. So, it should do one OCSP check. It should only skip the OCSP check if the certificateUsageStatusResponder is the only usage requested.
Attachment #237407 - Flags: review?(julien.pierre.bugs) → review-
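The review rule above (skip OCSP only when status responder is the sole usage requested) and the two-call split described in the patch comment, as an added example in C that is not part of the bug's patch, of PSM or of NSS. The usage and result flags are constructed for this model (their names echo NSS's SECCertificateUsage bits, but the values are not NSS's), the OCSP responder is simulated by a constructed list of revoked serials, and `verify_buggy` and `verify_fixed` are hypothetical functions that contrast the false-positive "verified" result the bug describes with the corrected behaviour.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Usage flags modelled on NSS's SECCertificateUsage bits. The names mirror
 * NSS; the values are constructed for this example and are not NSS's. */
#define USAGE_SSL_CLIENT       0x01u
#define USAGE_SSL_SERVER       0x02u
#define USAGE_EMAIL_SIGNER     0x04u
#define USAGE_STATUS_RESPONDER 0x08u
#define USAGE_ALL (USAGE_SSL_CLIENT | USAGE_SSL_SERVER | \
                   USAGE_EMAIL_SIGNER | USAGE_STATUS_RESPONDER)

/* Result bits returned by the verifiers below (constructed for this example). */
#define RESULT_VERIFIED       0x1  /* verifier reported the cert as good */
#define RESULT_OCSP_CONSULTED 0x2  /* an OCSP request was (simulated as) sent */

typedef struct {
    const char *subject;
    uint32_t serial;
} cert_t;

/* Constructed certificates: one the responder reports revoked, one good. */
const cert_t revoked_cert = { "CN=revoked client", 0x1002 };
const cert_t good_cert    = { "CN=good client",    0x1003 };

/* Simulated OCSP responder state: serials it reports as revoked (constructed). */
static const uint32_t revoked_serials[] = { 0x1002 };

static bool ocsp_reports_revoked(const cert_t *c)
{
    size_t n = sizeof revoked_serials / sizeof revoked_serials[0];
    for (size_t i = 0; i < n; i++)
        if (revoked_serials[i] == c->serial)
            return true;
    return false;
}

/* Stand-in for one CERT_VerifyCertNow-style call covering a set of usages.
 * Chain and signature checks are assumed to pass; the only thing modelled is
 * whether OCSP is consulted. Returns RESULT_* bits. */
static int verify_usages(const cert_t *c, uint32_t usages, bool with_ocsp)
{
    (void)usages; /* usage-specific checks are out of scope for this model */
    if (!with_ocsp)
        return RESULT_VERIFIED;
    if (ocsp_reports_revoked(c))
        return RESULT_OCSP_CONSULTED;          /* consulted, and NOT verified */
    return RESULT_VERIFIED | RESULT_OCSP_CONSULTED;
}

/* Behaviour the bug describes: once the status-responder usage is anywhere in
 * the requested mask, the whole verification skips OCSP, so a revoked cert
 * still comes back "verified". */
int verify_buggy(const cert_t *c, uint32_t usages)
{
    bool with_ocsp = (usages & USAGE_STATUS_RESPONDER) == 0;
    return verify_usages(c, usages, with_ocsp);
}

/* Behaviour after the fix, following the review rule: OCSP is skipped only
 * when status responder is the only usage requested. Implemented as the
 * two-call split the patch comment describes. */
int verify_fixed(const cert_t *c, uint32_t usages)
{
    int result = RESULT_VERIFIED;
    uint32_t ocsp_usages = usages & ~USAGE_STATUS_RESPONDER;

    if (ocsp_usages) {                         /* call 1: everything else, with OCSP */
        int r = verify_usages(c, ocsp_usages, true);
        result |= r & RESULT_OCSP_CONSULTED;
        if (!(r & RESULT_VERIFIED))
            return result & ~RESULT_VERIFIED;  /* revoked: report failure */
    }
    if (usages & USAGE_STATUS_RESPONDER) {     /* call 2: responder usage, no OCSP */
        int r = verify_usages(c, USAGE_STATUS_RESPONDER, false);
        if (!(r & RESULT_VERIFIED))
            return result & ~RESULT_VERIFIED;
    }
    return result;
}

int main(void)
{
    int b = verify_buggy(&revoked_cert, USAGE_ALL);
    int f = verify_fixed(&revoked_cert, USAGE_ALL);
    printf("buggy: verified=%d ocsp=%d\n", !!(b & RESULT_VERIFIED), !!(b & RESULT_OCSP_CONSULTED));
    printf("fixed: verified=%d ocsp=%d\n", !!(f & RESULT_VERIFIED), !!(f & RESULT_OCSP_CONSULTED));
    return 0;
}
```

With the revoked certificate and a combined usage mask, `verify_buggy` reports it verified without ever consulting the responder, which is the false positive the bug describes; `verify_fixed` consults OCSP for the non-responder usages and fails, while a responder-only request still takes the OCSP-free path the reviewer allows.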
Depends on: 351897
Patch fixed with check in to bug 351897.

*** This bug has been marked as a duplicate of 351897 ***
Closed: 14 years ago
No longer depends on: 351897
Resolution: --- → DUPLICATE
Attachment #237407 - Flags: superreview?(rrelyea)