Open
Bug 989518
Opened 10 years ago
Updated 2 years ago
mozilla::pkix: do not accept improper encodings of basicConstraints:cA
Categories
(Core :: Security: PSM, defect, P3)
Tracking
NEW
People
(Reporter: keeler, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [psm-backlog])
Basically, undo bug 989516.
Reporter
Updated•10 years ago
Blocks: mozilla::pkix-CAs
Reporter
Updated•10 years ago
No longer blocks: mozilla::pkix-beta
Comment 1•10 years ago
Apparently some CAs need to explicitly set the basic constraint for cA:false in end-entity certs for compatibility with other applications.
The only reference I could find is that this was implemented to protect buggy browsers (IE 6 being the newest!): http://www.thoughtcrime.org/ie-ssl-chain.txt Is there any current software relying on that behavior or software enforcing that behavior?
Comment 3•10 years ago
Good question, that I don't know the answer to. I think we'll have to do telemetry on this.
Comment 4•9 years ago
I think this was fixed in https://technet.microsoft.com/en-us/library/security/ms02-050.aspx
Reporter
Comment 5•9 years ago
Doesn't look like it - that refers to an old bug that was fixed a long time ago (and doesn't involve the encoding of the basic constraints extension, but rather whether or not the code checked for its presence altogether).
Reporter
Updated•8 years ago
Whiteboard: [psm-backlog]
Reporter
Updated•7 years ago
Priority: -- → P3
Updated•2 years ago
Severity: normal → S3
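
The distinction this bug turns on, as an added example (not mozilla::pkix code and not written by anyone in this thread): DER requires a component equal to its DEFAULT value to be omitted, so the explicit cA:FALSE mentioned in comment 1 is the improper encoding a strict parser would reject. The enum and function names are hypothetical, the input is assumed to be the contents of the extension's extnValue, and only short-form lengths are handled.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Added illustration, not mozilla::pkix code. All names are hypothetical.
enum class CAEncoding {
  AbsentDefaultFalse,  // cA omitted: the DER way to say FALSE
  True,                // BOOLEAN 0xFF
  ExplicitFalse,       // BOOLEAN 0x00: default value encoded, not valid DER
  NonCanonicalTrue,    // nonzero byte other than 0xFF: TRUE in BER only
  Malformed
};

// Classifies the cA field of a BasicConstraints value:
//   BasicConstraints ::= SEQUENCE { cA BOOLEAN DEFAULT FALSE,
//                                   pathLenConstraint INTEGER OPTIONAL }
// Only short-form lengths (< 128) are handled, which covers this structure.
CAEncoding ClassifyCA(const std::vector<uint8_t>& der) {
  if (der.size() < 2 || der[0] != 0x30 || der[1] >= 0x80 ||
      static_cast<size_t>(der[1]) + 2 != der.size()) {
    return CAEncoding::Malformed;
  }
  size_t pos = 2;
  const size_t end = der.size();
  CAEncoding result = CAEncoding::AbsentDefaultFalse;
  if (pos < end && der[pos] == 0x01) {            // BOOLEAN tag
    if (end - pos < 3 || der[pos + 1] != 0x01) {  // length must be 1
      return CAEncoding::Malformed;
    }
    const uint8_t v = der[pos + 2];
    result = v == 0xFF ? CAEncoding::True
           : v == 0x00 ? CAEncoding::ExplicitFalse
                       : CAEncoding::NonCanonicalTrue;
    pos += 3;
  }
  if (pos < end) {                                // optional pathLenConstraint
    if (der[pos] != 0x02 || end - pos < 3 || der[pos + 1] == 0 ||
        der[pos + 1] >= 0x80 || pos + 2 + der[pos + 1] != end) {
      return CAEncoding::Malformed;
    }
  }
  return result;
}

// A strict DER validator accepts only these two outcomes.
bool StrictDerAccepts(CAEncoding e) {
  return e == CAEncoding::AbsentDefaultFalse || e == CAEncoding::True;
}
```

Counting how often `ExplicitFalse` appears across observed certificates is the kind of measurement comment 3 suggests gathering before rejecting it.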