Closed Bug 966856 Opened 10 years ago Closed 2 years ago

Add SHA-2 support to mozilla::pkix's OCSP implementation

Categories

(NSS :: Libraries, enhancement, P1)

Tracking

RESOLVED FIXED
Tracking Status
firefox-esr91 95+ fixed
firefox95 + fixed
firefox96 + fixed
firefox97 + fixed

People

(Reporter: briansmith, Assigned: keeler)

Attachments

(1 file, 1 obsolete file)

1. Make sure that SHA-2 hashes work in CertID.
2. Test that SHA-2 signatures are accepted.
3. Ensure that we send the preferred signature algorithm extension in our OCSP requests (http://tools.ietf.org/html/rfc6960#section-4.4.7).
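
Item 1 concerns the hash algorithm named inside an OCSP CertID. As an added example (not code from mozilla::pkix or from the patch attached to this bug), the following Python parses a DER-encoded CertID and matches it against an issuer using whichever hash the CertID declares instead of assuming SHA-1. The function names and the issuer name, key and serial bytes passed to them are assumptions made for illustration; in a real response the hashed inputs are the issuer's DER-encoded Name and the issuer's public key bits.

```python
import hashlib

HASH_BY_OID = {  # DER-encoded OID bodies for CertID.hashAlgorithm
    bytes.fromhex("2b0e03021a"): "sha1",            # 1.3.14.3.2.26
    bytes.fromhex("608648016503040201"): "sha256",  # 2.16.840.1.101.3.4.2.1
    bytes.fromhex("608648016503040202"): "sha384",  # 2.16.840.1.101.3.4.2.2
    bytes.fromhex("608648016503040203"): "sha512",  # 2.16.840.1.101.3.4.2.3
}

def read_tlv(buf, pos, want_tag):
    """Read one DER TLV at pos; return (value, next_pos) or raise ValueError."""
    if pos + 2 > len(buf) or buf[pos] != want_tag:
        raise ValueError("unexpected tag or truncated input")
    length, pos = buf[pos + 1], pos + 2
    if length == 0x81 and pos < len(buf) and buf[pos] >= 0x80:  # one-byte long form
        length, pos = buf[pos], pos + 1
    elif length & 0x80:
        raise ValueError("unsupported length encoding")
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return buf[pos:pos + length], pos + length

def parse_cert_id(der):
    """Split a DER CertID into (hash_oid, name_hash, key_hash, serial)."""
    body, end = read_tlv(der, 0, 0x30)
    alg, pos = read_tlv(body, 0, 0x30)         # AlgorithmIdentifier
    oid, _ = read_tlv(alg, 0, 0x06)            # optional NULL parameters ignored
    name_hash, pos = read_tlv(body, pos, 0x04)
    key_hash, pos = read_tlv(body, pos, 0x04)
    serial, pos = read_tlv(body, pos, 0x02)
    if end != len(der) or pos != len(body):
        raise ValueError("trailing data")
    return oid, name_hash, key_hash, serial

def cert_id_matches(der, issuer_name, issuer_key, serial):
    """True if the CertID names our certificate under the hash it declares."""
    oid, name_hash, key_hash, got_serial = parse_cert_id(der)
    alg = HASH_BY_OID.get(oid)
    if alg is None:
        return False                           # unknown hash: never a match
    return (name_hash == hashlib.new(alg, issuer_name).digest()
            and key_hash == hashlib.new(alg, issuer_key).digest()
            and got_serial == serial)

def build_cert_id(alg, issuer_name, issuer_key, serial):
    """Encoder for constructed samples; short-form lengths only (sha1, sha256)."""
    tlv = lambda tag, v: bytes([tag, len(v)]) + v
    oid = next(o for o, a in HASH_BY_OID.items() if a == alg)
    hashes = [tlv(0x04, hashlib.new(alg, x).digest()) for x in (issuer_name, issuer_key)]
    return tlv(0x30, tlv(0x30, tlv(0x06, oid) + b"\x05\x00") + b"".join(hashes) + tlv(0x02, serial))
```

A matcher that always hashes with SHA-1 would reject the SHA-256 CertID built here even though it identifies the same certificate.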
Assignee: nobody → dkeeler
Status: NEW → ASSIGNED
Depends on: 915931
Priority: -- → P4
Attached patch: patch (obsolete)
I rebased this on top of bug 969048 since it's about to land (once bug 915932 lands and sticks, which it looks like it will), but the only conflict should be with the telemetry tests. One thing to note is that since bug 663315 hasn't been finished, SHA-2 is not supported in NSS/classic verification.
Attachment #8390145 - Flags: review?(brian)
It will be a few days before I get to this. AFAICT, this is new functionality beyond the NSS-based verifier and I also want to write unit tests in bug 966856 for this.
Summary: Add SHA-2 support to insanity::pkix's OCSP implementation → Add SHA-2 support to mozilla::pkix's OCSP implementation
Blocks: 942515
Comment on attachment 8390145 (patch)

This has probably bit-rotted quite a bit. Clearing review until we need this.
Attachment #8390145 - Flags: review?(brian)
See Also: → 943624
No longer blocks: 942515
See Also: → 942515
Dana, is there any chance of this happening soon? I think it would be great if we started moving towards a world where you don't need to implement SHA-1 at all. This is the last place on, AFAICT, where SHA-1 is required, after servers upgrade to TLS 1.2 with SHA-2 based certs.
Flags: needinfo?(dkeeler)
I'll see what I can do. I agree this would be a good thing to do.
Flags: needinfo?(dkeeler)
I'm not actively working on this at the moment.
Assignee: dkeeler → nobody
Status: ASSIGNED → NEW
Whiteboard: [psm-backlog]
Priority: P4 → P3

It appears that docs.microsoft.com has recently started using OCSP stapling with SHA-256, which is causing Firefox to give certificate errors when connecting to it, unless OCSP stapling is disabled (security.ssl.enable_ocsp_stapling preference).

It might be good to revisit the priority here - the Microsoft docs site is a pretty major one used by a lot of developers.

Flags: needinfo?(dkeeler)
Blocks: 1745600
Attachment #8390145 - Attachment is obsolete: true
Flags: needinfo?(dkeeler)
Assignee: nobody → dkeeler
Severity: normal → S2
Status: NEW → ASSIGNED
Type: defect → enhancement
Component: Security: PSM → Libraries
Priority: P3 → P1
Product: Core → NSS
Whiteboard: [psm-backlog]
Target Milestone: mozilla30 → ---
Version: Trunk → other

Hey folks -- we understand your frustration, but please do not use this bug to post "me too"s. We're aware of this problem and a fix is in development. Let's keep this bug as clean as possible so that the work on the fix can progress without interruptions. :)

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
No longer blocks: 1743993