In NSSErrorsService.cpp, NSSErrorsService::GetErrorClass should also consider the following NSS errors as ERROR_CLASS_BAD_CERT:

SEC_ERROR_REVOKED_CERTIFICATE
SEC_ERROR_INADEQUATE_CERT_TYPE

Other PSM functions that have NSS certificate error lists:

1. nsNSSCertificate.cpp: nsNSSCertificate::VerifyForUsage
2. nsNSSIOLayer.cpp: nsNSSBadCertHandler
3. nsUsageArrayHelper.cpp: nsUsageArrayHelper::verifyFailed

It would be nice to review them and see if they should handle the same set of NSS certificate errors.
I may not remember correctly, but I believe the error class decides which error page you get. Either you'll get "bad is untrusted, but you can override", or you'll get "ssl protocol error, full stop". I think the mentioned error codes should result in the "full stop" error page. When working on this, let's make sure your proposal does not introduce the opposite behaviour.
David: Based on the specific errors listed, is this a WONTFIX?
Yes - treating those errors as ERROR_CLASS_BAD_CERT would allow overrides for them, which is not something we want to do.
Status: NEW → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → WONTFIX