Add more NSS certificate errors to NSSErrorsService::GetErrorClass

RESOLVED WONTFIX

Status

Core
Security: PSM
minor
7 years ago
4 years ago

People

(Reporter: Wan-Teh Chang, Unassigned)

Description

7 years ago
In NSSErrorsService.cpp, NSSErrorsService::GetErrorClass should
also consider the following NSS errors as ERROR_CLASS_BAD_CERT:

  SEC_ERROR_REVOKED_CERTIFICATE
  SEC_ERROR_INADEQUATE_CERT_TYPE

Other PSM functions that have NSS certificate error lists:
1. nsNSSCertificate.cpp: nsNSSCertificate::VerifyForUsage
2. nsNSSIOLayer.cpp: nsNSSBadCertHandler
3. nsUsageArrayHelper.cpp: nsUsageArrayHelper::verifyFailed

It would be nice to review them and see if they should
handle the same set of NSS certificate errors.

Comment 1

7 years ago
I may not remember correctly, but I believe the error class decides which error page you get.

Either you'll get "bad is untrusted, but you can override",
or you'll get "ssl protocol error, full stop".

I think the mentioned error codes should result in the "full stop" error page.
When working on this, let's make sure your proposal does not introduce the opposite behaviour.

Comment 2

4 years ago
David: Based on the specific errors listed, is this a WONTFIX?
Flags: needinfo?(dkeeler)

Yes - treating those errors as ERROR_CLASS_BAD_CERT would allow overrides for them, which is not something we want to do.

Status: NEW → RESOLVED
Last Resolved: 4 years ago
Flags: needinfo?(dkeeler)
Resolution: --- → WONTFIX