Closed
Bug 930209
Opened 11 years ago
Closed 11 years ago
ocsp stapling testing: differentiate between an empty stapled response and no stapled response
Categories: Core :: Security: PSM, defect
Status: RESOLVED FIXED
Target Milestone: mozilla28
People: Reporter: keeler, Assigned: keeler
Attachments: 1 file, 2 obsolete files (patch, 6.92 KB, keeler: review+)
There's a difference between a server not stapling an OCSP response and a server stapling an empty response. We're not explicitly testing the former. Also, we'll need this for testing OCSP must-staple.
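The distinction in the description, seen from the client side, as an added example that is not part of this bug or of the Mozilla test server: per RFC 6066 a stapled response travels in a CertificateStatus handshake message, so "no stapled response" means that message is missing from the server's flight, while "empty stapled response" means it is present with a zero-length OCSPResponse. `ClassifyStaple`, `SampleFlight` and the sample bytes are hypothetical and constructed, and the code assumes a TLS 1.2 flight already reassembled from the record layer.

```cpp
// Added example: classify the stapling state of a TLS 1.2 server flight.
#include <cstddef>
#include <cstdint>
#include <vector>

enum class Staple { Absent, Empty, Present, Malformed };

constexpr uint8_t kCertificateStatus = 22;  // HandshakeType certificate_status
constexpr uint8_t kStatusTypeOcsp = 1;      // CertificateStatusType ocsp

static size_t ReadU24(const uint8_t* p) {
  return (size_t(p[0]) << 16) | (size_t(p[1]) << 8) | size_t(p[2]);
}

// flight: concatenated handshake messages (type, uint24 length, body),
// assumed to be already reassembled from the record layer.
Staple ClassifyStaple(const std::vector<uint8_t>& flight) {
  size_t off = 0;
  while (off < flight.size()) {
    if (flight.size() - off < 4) return Staple::Malformed;
    const uint8_t type = flight[off];
    const size_t len = ReadU24(&flight[off + 1]);
    off += 4;
    if (len > flight.size() - off) return Staple::Malformed;
    if (type == kCertificateStatus) {
      // Body: status_type (1 byte), uint24 response length, response bytes.
      if (len < 4 || flight[off] != kStatusTypeOcsp) return Staple::Malformed;
      const size_t respLen = ReadU24(&flight[off + 1]);
      if (respLen != len - 4) return Staple::Malformed;
      return respLen == 0 ? Staple::Empty : Staple::Present;
    }
    off += len;
  }
  return Staple::Absent;  // the server sent no CertificateStatus message
}

// Constructed flights for illustration; bodies are dummy bytes.
std::vector<uint8_t> SampleFlight(bool sendStatus, std::vector<uint8_t> ocsp) {
  std::vector<uint8_t> f = {11, 0, 0, 2, 0xAA, 0xBB};  // Certificate, dummy body
  if (sendStatus) {
    const size_t n = ocsp.size(), body = n + 4;
    f.insert(f.end(), {kCertificateStatus, uint8_t(body >> 16),
                       uint8_t(body >> 8), uint8_t(body), kStatusTypeOcsp,
                       uint8_t(n >> 16), uint8_t(n >> 8), uint8_t(n)});
    f.insert(f.end(), ocsp.begin(), ocsp.end());
  }
  f.insert(f.end(), {14, 0, 0, 0});  // ServerHelloDone
  return f;
}
```

A client enforcing must-staple has to treat `Absent` and `Empty` as separate outcomes, which is why a test server needs a way to produce each one.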
Comment 1 (Assignee) • 11 years ago
This fixes an oversight in our OCSP stapling testing. (An empty OCSP response != not sending an OCSP response.)
Attachment #822643 - Flags: review?(cviecco)
Comment 2 • 11 years ago
Comment on attachment 822643 [details] [diff] [review] patch Review of attachment 822643 [details] [diff] [review]: ----------------------------------------------------------------- There are some issues with the logic that could be improved. (unless I somehow misread the code). ::: security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp @@ +138,5 @@ > } > otherID.forget(); // owned by sr now > break; > } > case OSRTNone: With the logic changes below.. this case should never be reached? and thus error be created? Ditto below @@ +266,5 @@ > &cert, &certKEA)) { > return SSL_SNI_SEND_ALERT; > } > > + if (host->mOSRT != OSRTNone) { it is not easier to do a: if (host->mOSRT == OSRTNode) { return 0; } and keep the rest of the logic the same?
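Review bot: the added `if (host->mOSRT != OSRTNone) {` line in the @@ +266 hunk has no comment saying what OSRTNone means at this point. Since the bug exists because sending no stapled response differs from stapling an empty one, a one-line comment at the branch stating that OSRTNone skips stapling entirely would keep a later reader from folding it back into the empty-response case. The branch also follows directly after the `return SSL_SNI_SEND_ALERT;` exit, so it is worth confirming that the non-stapling path still reaches the function's normal success return.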
Attachment #822643 - Flags: review?(cviecco) → review-
Comment 3 (Assignee) • 11 years ago
Good call. Updated the patch to return early if the OCSP response type is "none".
Attachment #822643 - Attachment is obsolete: true
Attachment #823441 - Flags: review?(cviecco)
Comment 4 • 11 years ago
Comment on attachment 823441 [details] [diff] [review] patch v2 Review of attachment 823441 [details] [diff] [review]: ----------------------------------------------------------------- r+ with comment addressed. ::: security/manager/ssl/tests/unit/tlsserver/cmd/OCSPStaplingServer.cpp @@ +217,5 @@ > PrintPRError("CERT_CreateEncodedOCSPErrorResponse failed"); > return nullptr; > } > break; > case OSRTNone: Forgot to explicitly ask to move this one to error too.
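Review bot: in the @@ +217 hunk the `case OSRTNone:` label comes straight after an arm that reports its failure with `PrintPRError(...)` and `return nullptr;`, but nothing visible gives the None arm a message of its own. If this function is no longer meant to be called for OSRTNone, have the arm print a line naming the unexpected response type before returning nullptr, so a test log separates a harness logic error from an NSS call failure.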
Attachment #823441 - Flags: review?(cviecco) → review+
Comment 5 (Assignee) • 11 years ago
Thanks! Carrying over r+.
Attachment #823441 - Attachment is obsolete: true
Attachment #823545 - Flags: review+
Comment 6 (Assignee) • 11 years ago
https://hg.mozilla.org/integration/mozilla-inbound/rev/9677c6c4e94a
Comment 7 • 11 years ago
https://hg.mozilla.org/mozilla-central/rev/9677c6c4e94a
Status: NEW → RESOLVED
Closed: 11 years ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla28
Comment 8 (Assignee) • 10 years ago
https://hg.mozilla.org/releases/mozilla-beta/rev/dfb33820c920 (landed with bug 887321, bug 929617, bug 943115, bug 938805, bug 932519, and bug 934327)
status-firefox27: --- → fixed
status-firefox28: --- → fixed
Comment 9 • 10 years ago
https://hg.mozilla.org/releases/mozilla-b2g26_v1_2/rev/5a831cc94168
status-b2g-v1.2: --- → fixed