Closed Bug 651996 Opened 13 years ago Closed 2 years ago

Cannot determine the certificate chain & trusted usages for a resumed SSL session

Categories

(Core :: Security: PSM, enhancement, P3)

Product:
Core
Component:
Security: PSM
Type:
enhancement

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1728648

People

(Reporter: briansmith, Unassigned)

References

(Depends on 1 open bug, Blocks 1 open bug)

Details

(Whiteboard: [psm-backlog])

Attachments

(2 files)

Cache peer's certificate chain in session ID
4.90 KB, patch
Details | Diff | Splinter Review
Add the SSL_PeerCertificateChain function
2.18 KB, patch
Details | Diff | Splinter Review 
+++ This bug was initially created as a clone of Bug #651994 +++

This is very similar to to bug 650296 and 651994 and has a similar cause. When we resume a SSL session, we are relying on a trust decision that was made during the initial full handshake. But, we don't have a way, during the resumption, from extracting the actual validated certificate chain or usage trust information from the SSL session cache. We can't get that validated certificate chain from the SSL cache is because the libssl APIs do not provide a way for the certificate authentication callback to return the validated chain and/or to save application-specific data in the SSL session cache.
Cache the peer's intermediate CA certificates in session ID, so that
they're available when we resume a session.

The certificates are the ones in the SSL Certificate message.
The certificate authentication callback is given the SSL
socket 'fd'.  Pass 'fd' to SSL_PeerCertificateChain to get
the certificate chain in the peer's Certificate message.

The SSL token cache provides this functionality.

Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: