Open Bug 733232 Opened 8 years ago Updated 1 year ago

Stop caching intermediate certificates collected off the internet in cert8.db

Categories: Core :: Security: PSM, defect, P3

People: Reporter: briansmith, Unassigned

References: Blocks 1 open bug

Details: Whiteboard: [psm-backlog]

In the review of the profile reset feature, we realized that it is unfortunate that we mix the intermediate SSL certificate cache with the user's explicitly-added certificates, especially their client certificates. It would be better to store cached intermediate certificates in another location, if we need to continue to store them at all.

The caching of intermediate certificates has contributed to problems in the past, such as bug 634074.

Ryan S. told me that Google Chrome no longer caches intermediate certificates it receives as part of SSL handshakes, due to similar problems.

We rely on the cached intermediate certificates in order to correctly report errors and to report the certificate chain in the Larry UI. We would need bug 731485 to be fixed, and/or we will need to cache built certificate chains from CERT_PKIXVerifyCert, in order to avoid breaking this functionality.

At a minimum, if we need to store the certs in the database, we should store some flag indicating that the certs were stored automatically as part of this cache, and were not added explicitly by the user.
Bug 629558 is about adding a pref to control this. This bug can be about resetting the pref.
Depends on: 629558
See Also: → 399045
I asked Brian about this, and he sent me the following in email. It helped me understand this, so copying here:
The net effect of Firefox saving these intermediates is to encourage website administrators to misconfigure their websites:

1. Website administrator goes to https://startssl.com/ to get a certificate.
2. Firefox saves the StartSSL intermediate into the administrator's cache.
3. Website administrator installs the end-entity certificate on their server without the intermediate.
4. Website administrator tests website in Firefox and it works.
5. Other users visit the website without having visited some correctly-configured StartSSL-certificate-using website first, and the website doesn't load because the intermediate is missing.
What would happen with cached pages? Do we want to cache the complete chain (currently we only cache the certificate in the cache, since the intermediates are in the NSS trust DB)?
(In reply to Camilo Viecco (:cviecco) from comment #3)
> What would happen with cached pages? do we want to cache the complete chain
> (currently we only cache the certificate in the cache, since the
> intermediates are in nss trustdb)

Yes, we would need to cache the complete chain (and probably the revocation information too, though that is a separate issue). Also see bug 1038098 and other things (some probably not filed) that need to be changed for this to work.
Duplicate of this bug: 1106128