Open Bug 769067 Opened 13 years ago Updated 2 years ago

Add option to recognise and report OCSP unauthorized status

Categories: NSS :: Libraries, enhancement, P4

Tracking: Not tracked

People: Reporter: agl, Unassigned

Attachments: 1 file

Attached patch: patch (Splinter Review)

This patch adds an option to treat OCSP 'unauthorized' statuses as errors and return SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST. Since the unauthorized status is unsigned, it can be returned for unknown certificates without having online signing ability at the OCSP responder. At least Symantec and GoDaddy report that their OCSP responders have this behaviour. It doesn't enable the behaviour by default because it's not clear how safe that would be. (There might be broken OCSP servers out there that are currently being ignored because the client is soft-fail.) But it allows clients that are prepared to handle it to enable it. (Note: I am not well versed in libpkix's code.)
Attachment #637276 - Attachment is patch: true
Severity: normal → S3
Severity: S3 → N/A
Priority: -- → P4
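As an added example that is not from this bug or the attached NSS patch, here is a small Python decoder for the outer OCSPResponse envelope (RFC 6960) that pulls out responseStatus and applies the opt-in policy the comment describes: 'unauthorized' is soft-failed like any other responder problem unless the client explicitly asks for it to be a hard error. The function names and the hand-encoded DER samples are assumptions made for this example.

```python
# Added example, not NSS code. Decodes only the outer OCSPResponse envelope:
#   OCSPResponse ::= SEQUENCE { responseStatus ENUMERATED,
#                               responseBytes [0] EXPLICIT ResponseBytes OPTIONAL }
# Every non-successful status is unsigned, which is exactly why a responder can
# answer "unauthorized" for unknown certificates without an online signing key.
RESPONSE_STATUS = {0: "successful", 1: "malformedRequest", 2: "internalError",
                   3: "tryLater", 5: "sigRequired", 6: "unauthorized"}

def _read_tlv(buf, pos):
    """Return (tag, value_bytes, next_pos) for one DER TLV (short or long length)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def ocsp_response_status(der):
    """Decode responseStatus from a DER OCSPResponse; raise on malformed input."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("OCSPResponse must be a SEQUENCE")
    tag, status_bytes, _ = _read_tlv(body, 0)
    if tag != 0x0A or len(status_bytes) != 1:
        raise ValueError("responseStatus must be a one-byte ENUMERATED")
    return RESPONSE_STATUS.get(status_bytes[0], "unknown(%d)" % status_bytes[0])

def classify_response(der, unauthorized_is_error=False):
    """Map a response to the client's next step.

    Only 'successful' carries a signed BasicOCSPResponse worth verifying. With
    the default (soft-fail) policy every other status is ignored; when the
    caller opts in, 'unauthorized' is surfaced as a hard error, mirroring the
    patch's non-default option.
    """
    status = ocsp_response_status(der)
    if status == "successful":
        return "verify-signed-response"
    if status == "unauthorized" and unauthorized_is_error:
        return "hard-fail:SEC_ERROR_OCSP_UNAUTHORIZED_REQUEST"
    return "soft-fail"

# Constructed sample responses (hand-encoded DER, not captured from a live responder).
UNAUTHORIZED_DER = bytes.fromhex("30030a0106")   # SEQUENCE { ENUMERATED 6 }
TRY_LATER_DER = bytes.fromhex("30030a0103")      # SEQUENCE { ENUMERATED 3 }
```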