Closed Bug 865440 Opened 7 years ago Closed 5 years ago

Sometimes we do OCSP fetches for certificates that do not have an EV OID

Component: Core :: Security: PSM (defect)

Status: RESOLVED WORKSFORME

Reporter: briansmith (unassigned)

We have seen pcaps where we are doing the OCSP fetch for two certificates in one handshake for a DV cert. Presumably, this is because we are fetching the OCSP for the intermediate, which is an EV-enabled intermediate. But, the end-entity certificate doesn't have an EV OID so we shouldn't be triggering the EV validation logic that does the intermediate certificate fetching in the first place. We need to figure out what is bad about it.
This was (probably) caused by the fact that NSS's OCSP response verification code was calling CERT_VerifyCert on the OCSP signing certificate and/or the issuer certificate in such a way that an extra OCSP fetch would be done. This is no longer a problem now that Gecko is using mozilla::pkix.
Status: NEW → RESOLVED
Closed: 5 years ago
Depends on: mozilla::pkix
Resolution: --- → WORKSFORME
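The check a practitioner would want when reproducing this report is to tie each OCSP request seen in the pcap back to a specific certificate, since the CertID in an OCSPRequest carries only the serial number plus SHA-1 hashes of the issuer name and issuer key. The following is an added example, not code from the bug report, NSS or mozilla::pkix: a pure-stdlib Python encoder/decoder for the unsigned RFC 6960 OCSPRequest structure, plus a labelling helper that says whether a captured request was for the end-entity or the intermediate. The two-certificate chain (names, key bits and serials) is constructed, and the helper names are hypothetical.

```python
"""Added example: build and parse RFC 6960 OCSPRequest CertIDs (pure stdlib)
so that OCSP fetches captured on the wire can be attributed to a certificate.
Sample chain below is constructed, not taken from any real CA."""
import hashlib

SHA1_OID = "1.3.14.3.2.26"  # id-sha1, the hash OCSP clients normally use in CertID


def _der_length(n: int) -> bytes:
    """DER length, short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der(tag: int, body: bytes) -> bytes:
    """One TLV with a single-byte tag."""
    return bytes([tag]) + _der_length(len(body)) + body


def der_integer(value: int) -> bytes:
    """DER INTEGER for a non-negative value (pad with 0x00 if the MSB is set)."""
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return der(0x02, (b"\x00" if body[0] & 0x80 else b"") + body)


def encode_oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER from dotted notation (base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return der(0x06, bytes(out))


def decode_oid(body: bytes) -> str:
    """Dotted notation from an OID value (first byte packs the first two arcs)."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _read_tlv(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, value, position after it). Bounds-checked."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def _children(body: bytes):
    """Yield (tag, value) for each TLV directly inside a constructed value."""
    pos = 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        yield tag, value


def make_cert_id(issuer_name_der: bytes, issuer_key_bits: bytes, serial: int) -> bytes:
    """CertID (RFC 6960 4.1.1): sha1(issuer Name DER), sha1(issuer subjectPublicKey bits), serial."""
    alg = der(0x30, encode_oid(SHA1_OID) + der(0x05, b""))  # AlgorithmIdentifier with NULL params
    return der(0x30, alg + der(0x04, hashlib.sha1(issuer_name_der).digest())
               + der(0x04, hashlib.sha1(issuer_key_bits).digest()) + der_integer(serial))


def build_ocsp_request(cert_ids: list) -> bytes:
    """Unsigned v1 OCSPRequest { tbsRequest { requestList SEQUENCE OF Request { reqCert } } }."""
    request_list = der(0x30, b"".join(der(0x30, cid) for cid in cert_ids))
    return der(0x30, der(0x30, request_list))


def parse_ocsp_request(data: bytes) -> list:
    """Return one dict per CertID; tolerates version [0], requestorName [1], extensions [2]."""
    tag, ocsp_req, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("not a single OCSPRequest SEQUENCE")
    tbs_tag, tbs = next(_children(ocsp_req))  # optionalSignature [0], if any, follows tbsRequest
    request_list = next((v for t, v in _children(tbs) if t == 0x30), None) if tbs_tag == 0x30 else None
    if request_list is None:
        raise ValueError("requestList missing")
    out = []
    for _, request in _children(request_list):
        fields = list(_children(next(_children(request))[1]))  # reqCert is the first element
        out.append({"hash_alg": decode_oid(next(_children(fields[0][1]))[1]),
                    "issuer_name_hash": fields[1][1], "issuer_key_hash": fields[2][1],
                    "serial": int.from_bytes(fields[3][1], "big")})
    return out


def cert_id_matches(cert_id: dict, issuer_name_der: bytes, issuer_key_bits: bytes, serial: int) -> bool:
    """True if a parsed CertID identifies the given (issuer, serial) pair."""
    return (cert_id["hash_alg"] == SHA1_OID and cert_id["serial"] == serial
            and cert_id["issuer_name_hash"] == hashlib.sha1(issuer_name_der).digest()
            and cert_id["issuer_key_hash"] == hashlib.sha1(issuer_key_bits).digest())


def _name(cn: bytes) -> bytes:
    """Constructed X.501 Name with a single CN RDN (2.5.4.3, UTF8String)."""
    return der(0x30, der(0x31, der(0x30, encode_oid("2.5.4.3") + der(0x0C, cn))))


# Constructed sample chain: each certificate is modelled by its issuer's Name, issuer key bits and serial.
KNOWN_CERTS = {
    "end-entity": (_name(b"Example EV Intermediate CA"), bytes(range(64)), 0x1A2B3C),
    "intermediate": (_name(b"Example Root CA"), bytes(range(64, 128)), 0x0400000001),
}


def label_fetches(requests: list) -> list:
    """Label each CertID in each captured OCSPRequest body with the certificate it asks about."""
    labels = []
    for req in requests:
        for cid in parse_ocsp_request(req):
            labels.append(next((lbl for lbl, args in KNOWN_CERTS.items()
                                if cert_id_matches(cid, *args)), "unknown"))
    return labels


def example_handshake_fetches() -> list:
    """The two per-certificate OCSP requests the report describes seeing in one handshake (constructed)."""
    return [build_ocsp_request([make_cert_id(*KNOWN_CERTS[k])]) for k in ("end-entity", "intermediate")]


if __name__ == "__main__":
    print(label_fetches(example_handshake_fetches()))
```

Feed `label_fetches` the raw HTTP POST bodies (or the base64-decoded GET path) of each OCSP exchange in the capture, with `KNOWN_CERTS` filled from the real chain's issuer Name DER, issuer subjectPublicKey bits and serials; a second fetch that labels as "intermediate" on a DV handshake is the behaviour this bug is about.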