Closed Bug 583531 Opened 14 years ago Closed 12 years ago

Suppressing SSL/cert errors is too complicated

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: Gavin, Unassigned)

References

Details

(Whiteboard: [psm-arch]) 

Problem: simply suppressing SSL/cert error messages requires implementing two separate interfaces (nsIBadCertListener2 and nsISSLErrorListener) and adding the relevant object as a notificationCallback on the channel. We do this in several places, and two helper utils have been added to make it easier (CertUtils.jsm and nsBadCertHandler.js), but it's still a hassle (especially for C++ code where instantiating an nsBadCertHandler may not be desirable, e.g. nsPrefetchService for bug 463117).

Proposed solution: 
It would be easier if it was as simple as adding a load flag to the channel.
1) add nsIRequest::LOAD_IGNORE_SSL_ERRORS loadFlag
2) add "suppressErrorMessages" attribute to nsISSLSocketControl
3) set suppressErrorMessages to (loadFlags & LOAD_IGNORE_SSL_ERRORS) in nsSocketTransport::BuildSocket (not sure exactly how to propagate from the channel)
4) have nsNSSBadCertHandler/nsHandleSSLError suppress the error accordingly

bz/biesi/jduell: is 1) feasible? any tips for 3)?

kaie: does 2)-4) sound good?
2-4 sounds good to me, as long as you still abort the channel on any cert errors not overridden.
Whiteboard: [psm-arch]
Yeah, I don't intend to change any of the behavior re: failing on errors.
Fixed by bug 682329. Now, you don't have to do anything to suppress dialog boxes. Instead, you must implement the UI yourself, if you want UI.
Status: NEW → RESOLVED
Closed: 12 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.