The checkin for bug 255010 added some new error codes and error strings to NSS 3.11.7 and NSS 3.12. Among them is this one: ER3(SEC_ERROR_OCSP_RESPONDER_CERT_INVALID, (SEC_ERROR_BASE + 156), "OCSP Trusted Responder Cert is invalid.") That string in flawed. A cert cannot be both trusted and invalid. I should have caught this in review. :-/ The error message refers to an ocsp responder that has been locally user-configured to handle all OCSP queries. Such a responder is described in RFC 2560 as a "locally configured" responder. NSS also describes it as a "default responder" (which name is misleading because it suggests that the responder is used only when some other responder is not explicitly specified, but in fact when an OCSP responder is "locally configured", it is used for all OCSP requests). Some (new) NSS code internally refers to a locally configured OCSP responder as a "Trusted Responder", and that appears to be the origin of this string. The proposed new string value is: "Configured OCSP responder's certificate is invalid." Patch forthcoming.
Created attachment 286915 [details] [diff] [review] patch v1
Comment on attachment 286915 [details] [diff] [review] patch v1 r=kaie
Attachment #286915 - Flags: review?(kengert) → review+
Comment on attachment 286915 [details] [diff] [review] patch v1 seeking second review for branch, for 3.11.8
Attachment #286915 - Flags: review?(julien.pierre.boogz)
Attachment #286915 - Flags: review?(julien.pierre.boogz) → review+
Attachment #286915 - Flags: superreview?(alexei.volkov.bugs) → superreview+
Nelson, you might have missed this got all the reviews and is ready for check in. If you want me to land it, just let me know.
I'm holding off this checkin (and others) because the 3.11 branch is still closed.
On trunk: Checking in cmd/lib/SECerrs.h; new: 1.15; previous: 1.14 On branch: Checking in cmd/lib/SECerrs.h; new: 18.104.22.168; previous: 22.214.171.124
Status: NEW → RESOLVED
Last Resolved: 11 years ago
Resolution: --- → FIXED
Target Milestone: 3.11.8 → 3.11.9
You need to log in before you can comment on or make changes to this bug.