Closed
Bug 542510
Opened 14 years ago
Closed 11 years ago
Move certificate verification into HandleServerHelloDone
Categories
(NSS :: Libraries, defect)
NSS
Libraries
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: agl, Unassigned)
References
Details
Attachments
(1 file)
7.89 KB,
patch
|
Details | Diff | Splinter Review |
Currently, the certificate verification callbacks are made in HandleCertificate. With OCSP stapling, a CertificateStatus message may come after the Certificate mesage. However, we would rather have the OCSP stapling information available at certificate validation time. This patch moves the verification callbacks into HandleServerHelloDone for the client. This means that any OCSP stapled data will be ready by the time that the callbacks are made. (Note that this is only the first patch in a series - on OCSP stapling code is inclued). I'm most worried about the badCertHandler. It can return SECWouldBlock and cause the handshake to pause. Previously, a client would pause before sending the CSS, Finished messages etc. Whilst with this patch it will do so afterwards. I'm not sure of the use case here and if this changes anything important.
Reporter | ||
Updated•14 years ago
|
Attachment #423797 -
Flags: review?(nelson)
Comment 1•14 years ago
|
||
I'll guess you haven't considered the impact on the callers of SSL_RestartHandshakeAfterServerCert().
Updated•14 years ago
|
Attachment #423797 -
Attachment is patch: true
Attachment #423797 -
Attachment mime type: application/octet-stream → text/plain
Reporter | ||
Comment 2•14 years ago
|
||
> I'll guess you haven't considered the impact on the callers of
> SSL_RestartHandshakeAfterServerCert().
Isn't that what I was getting at in my 3rd paragraph, above?
If the sending of the additional messages is a problem for these clients then:
1) This patch can be dropped completely. Clients that want OCSP stapling data can check the certificate in the handshake complete callback (as Chromium does).
2) HandleServerHelloDone can be split in two: the bottom half sends the messages only if the badCertHandler doesn't return SECWouldBlock. Restarting the handshake then needs to call this bottom half in addition to its current work.
Comment 3•14 years ago
|
||
Adam, I think the goal you're trying to achieve is worthy, and we should pursue it. I don't wish to "throw out" your patch. It may require a little more work to figure out what to do for callers of that one function. I don't think the problem is intractable.
Updated•14 years ago
|
OS: Linux → All
Hardware: x86 → All
Comment 4•11 years ago
|
||
I believe this bug can be marked as obsolete. The SSL client protocol patches in bug 360420 will ensure that a potential cert status message gets processed prior to certificate authentication.
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → WONTFIX
You need to log in
before you can comment on or make changes to this bug.
Description
•