Closed Bug 714477 Opened 14 years ago Closed 13 years ago

Extended validation check should not check that OCSP fetching is enabled

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED FIXED
Milestone:
mozilla21

People

(Reporter: briansmith, Assigned: briansmith)

References

Details

Attachments

(1 file, 1 obsolete file)

Do not check the OCSP enabled pref during extended validation, and remove nsIX509CertDB.isOcspOn
9.55 KB, patch
rrelyea
: review+
briansmith
: superreview+
Details | Diff | Splinter Review
When OCSP fetching is disabled, we should still validate the certificate, because we might have got the revocation information through some other means, such as through OCSP stapling or through OCSP caching. Instead, we should disable do the validation but avoid doing the OCSP fetch. Without this, a site that uses OCSP stapling will be shown as non-EV when OCSP fetching is disabled.
Assignee: nobody → bsmith
Attachment #585580 - Flags: review?(kaie)
No longer blocks: 624514
Brian, shouldn't this change be postponed until we're actually supporting OCSP stapling? Before we disable this check, shouldn't we test that EV still works with OCSP stapling enabled and this check disabled?
Depends on: 360420
Just another note. I agree it is reasonable to assume that the NSS verification call will check for the presence of fresh revocation information, because that's what we've coded. But we should test to confirm this is true, before landing this patch.
Kai, it is good to fix this soon because it blocks bug 585706 which blocks some work that the toolkit team wants to do to tighten up the preferences API. I will figure out how to automated a test for this.
No longer depends on: 360420
An automated test is probably difficult to come up with, since we don't cache OCSP responses across sessions. A manual test might be sufficient. Use Firewall rules that prevent connections to the OCSP server (very easy to do on Linux with iptables). Start Firefox and verify "no EV with OCSP blocked". Restart Firefox and verify "EV with OCSP connections allowed".
Google Chrome is getting rid of OCSP checks. It really doesn't provide any added security (in fact it introduces privacy issues). Mozilla, consider that EV Certs should still display green even when OCSP is disabled in settings.
Could we get some traction on the review here and in bug 624514? PSM is the only thing that is blocking us from making touching the pref service off the main thread fatal.
In my understanding EV requires by policy that revocation checking is active.
Comment on attachment 585580 [details] [diff] [review] Do not check the OCSP enabled pref during extended validation please find a different reviewer
Attachment #585580 - Flags: review?(kaie) → review?
Comment on attachment 585580 [details] [diff] [review] Do not check the OCSP enabled pref during extended validation When validating EV certificates, we pass CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE which means the validation will only succeed if we already have a cached OCSP response (or cached CRL) when OCSP fetching is disabled. The old (current) way did not take into consideration the fact that we may have received revocation information for the certificate from alternate means. This change (and maybe more) will be needed for OCSP stapling.
Attachment #585580 - Flags: superreview?(honzab.moz)
Attachment #585580 - Flags: review?(rrelyea)
Attachment #585580 - Flags: review?
Comment on attachment 585580 [details] [diff] [review] Do not check the OCSP enabled pref during extended validation Review of attachment 585580 [details] [diff] [review]: ----------------------------------------------------------------- ::: security/manager/ssl/public/nsIX509CertDB.idl @@ +287,3 @@ > * Whether OCSP is enabled in preferences. > */ > + /*[deprecated]*/ readonly attribute boolean isOcspOn; And what about removing it completely?
Attachment #585580 - Flags: superreview?(honzab.moz) → superreview+
Honza, I don't remember why I didn't remove it, because I wrote that patch so long ago. I have removed it in this version.
Attachment #585580 - Attachment is obsolete: true
Attachment #585580 - Flags: review?(rrelyea)
Attachment #680365 - Flags: superreview+
Attachment #680365 - Flags: review?(rrelyea)
Comment on attachment 680365 [details] [diff] [review] Do not check the OCSP enabled pref during extended validation, and remove nsIX509CertDB.isOcspOn Hi Brian, I think I need a little more information on this patch. The previous code checked to see whether or not OCSP was turned on and blew out if it was turned off. The new code skips that, and looks at the certwrapper to see if OCSP was used on the cert? and changes some flags. Without any explanation of the code, it looks like some magic variable (ocsp_on) determines that the ocsp was used, and then we set some flag that "prevents network fetching", while the old code magically just failed to turn on the OCSP indicator. It's not clear that the new code is having the same effect. (The problem with having me review psm code is you get to explain what is going on;). bob
http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsNSSComponent.cpp?rev=b9a8253986f7#1062 and http://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsNSSComponent.cpp?rev=b9a8253986f7#1095 nsCERTValInParamWrapper just transforms the security.* preferences related to certificate validation into a CERTValInParam structure suitable for passing to CERT_PKIXVerifyCert (though, ironically, we cannot use that pre-built structure for *this* invocation of CERT_PKIXVerifyCert, because it ignores some of those options by design). In particular, nsCERTValInParamWrapper::IsOCSPDownloadEnabled() just returns the current value of the "security.OCSP.enabled" pref (true if OCSP is enabled, false if disabled). It is definitely intentional that the new code has a different effect. The original code effectively disabled EV completely if security.OCSP.enabled=false, even if we have fresh revocation information available from elsewhere (e.g. a CRL or a cached OCSP response, such as one from a stapled OCSP response). This patch tries to rectify that. Also, the more urgent part of this patch is simply avoiding the use of the pref service in this method, because the pref service is only allowed to be used on the main thread (it isn't thread safe), and this code executes off of the main thread.
My question was how did we know we got valid revocation information. I think that is given in comment 8, but I didn't see any code changes that enabled it. Are you saying we already set the 'Require Fresh' option in CERT_PKIXVerifyCert()? bob
(In reply to Robert Relyea from comment #15) > My question was how did we know we got valid revocation information. I think > that is given in comment 8, but I didn't see any code changes that enabled > it. Are you saying we already set the 'Require Fresh' option in > CERT_PKIXVerifyCert()? Yes: https://mxr.mozilla.org/mozilla-central/source/security/manager/ssl/src/nsIdentityChecking.cpp?rev=57e047e64019#1232 1232 uint64_t revMethodIndependentFlags = 1233 CERT_REV_MI_TEST_ALL_LOCAL_INFORMATION_FIRST 1234 | CERT_REV_MI_REQUIRE_SOME_FRESH_INFO_AVAILABLE; 1235 1236 // We need a PRUint64 here instead of a nice int64_t (until bug 634793 is 1237 // fixed) to match the type used in security/nss/lib/certdb/certt.h for 1238 // cert_rev_flags_per_method. 1239 PRUint64 methodFlags[2]; 1240 methodFlags[cert_revocation_method_crl] = revMethodFlags; 1241 methodFlags[cert_revocation_method_ocsp] = revMethodFlags; 1242 1243 CERTRevocationFlags rev; 1244 1245 rev.leafTests.number_of_defined_methods = cert_revocation_method_ocsp +1; 1246 rev.leafTests.cert_rev_flags_per_method = methodFlags; 1247 rev.leafTests.number_of_preferred_methods = 1; 1248 rev.leafTests.preferred_methods = preferedRevMethods; 1249 rev.leafTests.cert_rev_method_independent_flags = 1250 revMethodIndependentFlags; 1251 1252 rev.chainTests.number_of_defined_methods = cert_revocation_method_ocsp +1; 1253 rev.chainTests.cert_rev_flags_per_method = methodFlags; 1254 rev.chainTests.number_of_preferred_methods = 1; 1255 rev.chainTests.preferred_methods = preferedRevMethods; 1256 rev.chainTests.cert_rev_method_independent_flags = 1257 revMethodIndependentFlags;
Comment on attachment 680365 [details] [diff] [review] Do not check the OCSP enabled pref during extended validation, and remove nsIX509CertDB.isOcspOn r+ rrelyea
Attachment #680365 - Flags: review?(rrelyea) → review+
Blocks: 624514
https://hg.mozilla.org/mozilla-central/rev/304b46261f2b
Status: NEW → RESOLVED
Closed: 13 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla21
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: