Adds simple handling of an experimental handshake extension to TLS. The client indicates it wishes to see a DNSSEC chain and the server responds with a blob of data.

David, please include a link to the specification of the format of the server extension and the format of the client extension. The spec. should be written in a similar way to the specs for other TLS extensions (e.g. http://tools.ietf.org/html/rfc4492#section-5.1.1).

Here's the link: https://wiki.mozilla.org/Security/DNSSEC-TLS-details#Format_of_TLS_Extension

updated patch

FYI, ... my $.02 NSS got burned pretty badly a number of years ago by implementing an Internet Draft that had not yet become an RFC, and shipping that in products. There were last minute changes before the RFC was published that necessitated changes that broke compatibility. The experience was awful enough that the NSS team adopted a policy of not committing changes to the NSS tree branches from which real releases come until the change has appeared in an RFC (for protocol changes) or in an official NIST publication (for alg changes). Note that being in an experimental RFC is OK. Please respect that policy in the tree at this time. If this is still an ID, do the work on a new branch in CVS, and then it can be merged when the RFC is published.

Latest version of patch.

Comment on attachment 555219 [details] [diff] [review] patch Clearing review request until we re-assess how this fits in with our certificate validation improvement plans.

I am not actively working on this.