Add SHA-2 support to mozilla::pkix's OCSP implementation
Categories
(NSS :: Libraries, enhancement, P1)
Tracking
(firefox-esr91 95+ fixed, firefox95+ fixed, firefox96+ fixed, firefox97+ fixed)
People
(Reporter: briansmith, Assigned: keeler)
Attachments
(1 file, 1 obsolete file)
1. Make sure that SHA-2 hashes work in CertID.
2. Test that SHA-2 signatures are accepted.
3. Ensure that we send the preferred signature algorithm extension in our OCSP requests (http://tools.ietf.org/html/rfc6960#section-4.4.7).
Comment 1•10 years ago (Assignee)
I rebased this on top of bug 969048 since it's about to land (once bug 915932 lands and sticks, which it looks like it will), but the only conflict should be with the telemetry tests. One thing to note is that since bug 663315 hasn't been finished, SHA-2 is not supported in NSS/classic verification.
Comment 2•10 years ago (Reporter)
It will be a few days before I get to this. AFAICT, this is new functionality beyond the NSS-based verifier and I also want to write unit tests in bug 966856 for this.
Comment 3•10 years ago (Assignee)
Comment on attachment 8390145 (patch)
This has probably bit-rotted quite a bit. Clearing review until we need this.
Comment 4•8 years ago (Reporter)
Dana, is there any chance of this happening soon? I think it would be great if we started moving towards a world where you don't need to implement SHA-1 at all. This is the last place, AFAICT, where SHA-1 is required, after servers upgrade to TLS 1.2 with SHA-2 based certs.
Comment 5•8 years ago (Assignee)
I'll see what I can do. I agree this would be a good thing to do.
Comment 6•8 years ago (Assignee)
I'm not actively working on this at the moment.
Comment 8•2 years ago
It appears that docs.microsoft.com has recently started using OCSP stapling with SHA-256, which is causing Firefox to give certificate errors when connecting to it, unless OCSP stapling is disabled (security.ssl.enable_ocsp_stapling preference).
It might be good to revisit the priority here - the Microsoft docs site is a pretty major one used by a lot of developers.
Comment 9•2 years ago (Assignee)
4 comments hidden (me-too)
Comment 14•2 years ago
Hey folks -- we understand your frustration, but please do not use this bug to post "me too"s. We're aware of this problem and a fix is in development. Let's keep this bug as clean as possible so that the work on the fix can progress without interruptions. :)
Comment 15•2 years ago
Comment 16•2 years ago
uplift
https://hg.mozilla.org/projects/nss/rev/78d2f4a3339fa41c274c5ea189f8060da9d3a463 (NSS_3_68_2_BRANCH)
https://hg.mozilla.org/projects/nss/rev/e8211cfc2b2d6f763febcf64c8c3caf6f9fe08d5 (NSS_3_72_1_BRANCH)
https://hg.mozilla.org/projects/nss/rev/69c5a0c748ad36772a3ce03c60f8a1fa353776dc (NSS_3_73_1_BRANCH)