Closed Bug 351873 Opened 14 years ago Closed 14 years ago
OCSP checking not happening when viewing certificates
I have a client cert which has an AIA extension that points to an OCSP server. I have imported that certificate into Firefox. I have also imported and trusted the CA that issued this certificate. On Windows, for example, when using Firefox 2.0b2, I go to Tools->Options->Advanced->Encryption->Verification and select "Use OCSP to validate only certificates that specify an OCSP URL". Then I close Firefox and relaunch it. I go to Tools->Options->Advanced->Encryption->View Certificates. If I select the certificate and click 'View', an OCSP request is not sent to the OCSP server. But the UI still says 'verified'.
See bug 149834 for a description of the issue. This bug happens whenever the user uses a "view cert" button in the application. When OCSP is enabled, this will result in OCSP being ignored and a false positive verification result can be displayed to the user.
Severity: normal → major
Depends on: 149834
Priority: -- → P1
Summary: OCSP checking not happening when selecting 'view certificate' in the Certificate Manager Window → OCSP checking not happening when viewing certificates.
Target Milestone: --- → mozilla1.8.1
Version: Trunk → 1.8 Branch
This patch fixes the issue for me. As described in "bug 149834 comment 23", NSS does not call OCSP when asked to verify a cert for usage "status responder". This patch uses two separate calls, so OCSP will be checked for all usages except the responder usage.
Not going to block for something we don't enable by default anywhere, but we will likely take a well-tested and reviewed patch before freeze.
Flags: blocking1.8.1? → blocking1.8.1-
Whiteboard: [would take patch]
Comment on attachment 237407: Patch v1
Kai, I think this is better fixed in NSS than in PSM. CERT_VerifyCertificateNow was designed to be functionally equivalent to a series of CERT_VerifyCertNow calls. So, it should do one OCSP check. It should only skip the OCSP check if the certificateUsageStatusResponder is the only usage requested.
Attachment #237407 - Flags: review?(julien.pierre.bugs) → review-
Patch fixed with check in to bug 351897. *** This bug has been marked as a duplicate of 351897 ***
Status: NEW → RESOLVED
Closed: 14 years ago
No longer depends on: 351897
Resolution: --- → DUPLICATE