Closed
Bug 733232
Opened 13 years ago
Closed 2 years ago
Stop caching intermediate certificates collected off the internet in cert8.db
Categories
(Core :: Security: PSM, defect, P3)
RESOLVED
WONTFIX
People
(Reporter: briansmith, Unassigned)
References
(Blocks 1 open bug)
Details
(Whiteboard: [psm-backlog])
In the review of the profile reset feature, we realized that it is unfortunate that we mix the intermediate SSL certificate cache with the user's explicitly-added certificates, especially their client certificates. It would be better to store cached intermediate certificates in another location, if we need to continue to store them at all.
The caching of intermediate certificates has contributed to problems in the past, such as bug 634074. Ryan S. told me that Google Chrome no longer caches intermediate certificates it receives as part of SSL handshakes, due to similar problems.
We rely on the cached intermediate certificates in order to correctly report errors and to report the certificate chain in the Larry UI. We would need bug 731485 to be fixed, and/or we will need to cache built certificate chains from CERT_PKIXVerifyCert, in order to avoid breaking this functionality.
At a minimum, if we need to store the certs in the database, we should store some flag indicating that the certs were stored automatically as part of this cache, and were not added explicitly by the user.
Comment 1•12 years ago (Reporter)
Bug 629558 is about adding a pref to control this. This bug can be about resetting the pref.
Depends on: 629558
Comment 2•10 years ago
I asked Brian about this, and he sent me the following in email. It helped me understand this, so copying here:
The net effect of Firefox saving these intermediates is to encourage website administrators to misconfigure their websites:
1. Website administrator goes to https://startssl.com/ to get a certificate
2. Firefox saves the StartSSL intermediate into the administrator's cache.
3. Website administrator installs the end-entity certificate on their server without the intermediate.
4. Website administrator tests website in Firefox and it works.
5. Other users visit the website without having visited some correctly-configured StartSSL-certificate-using website first, and the website doesn't load because the intermediate is missing.
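A simplified model of the scenario in comment 2, added here as an illustration (not Firefox, NSS or mozilla::pkix code): it chains certificates by issuer name only, with no signature or validity checks, and every name in it is constructed. It classifies a handshake by whether the chain builds from what the server sent alone, or only with help from a client-side intermediate cache.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject: str
    issuer: str


def build_chain(leaf, pool, roots, max_depth=8):
    """Walk issuer names from leaf to a trusted root using only certs in pool.

    Returns the chain as a list ending in the root, or None if no path exists.
    """
    root_by_name = {r.subject: r for r in roots}
    pool_by_name = {c.subject: c for c in pool}
    chain, cur = [leaf], leaf
    while len(chain) <= max_depth:
        if cur.issuer in root_by_name:
            return chain + [root_by_name[cur.issuer]]
        nxt = pool_by_name.get(cur.issuer)
        if nxt is None or nxt in chain:  # missing issuer, or a loop
            return None
        chain.append(nxt)
        cur = nxt
    return None


def audit_handshake(sent, roots, cache):
    """sent[0] is the end-entity cert; sent[1:] are intermediates from the server."""
    leaf, extras = sent[0], list(sent[1:])
    if build_chain(leaf, extras, roots):
        return "ok"  # a fresh profile can validate this
    if build_chain(leaf, extras + list(cache), roots):
        return "incomplete-chain-masked-by-cache"
    return "untrusted"


# Constructed sample PKI (hypothetical names).
ROOT = Cert("Example Root CA", "Example Root CA")
INTER = Cert("Example Intermediate CA", "Example Root CA")
LEAF = Cert("www.example.test", "Example Intermediate CA")

if __name__ == "__main__":
    print(audit_handshake([LEAF], [ROOT], cache=[INTER]))   # administrator's browser
    print(audit_handshake([LEAF], [ROOT], cache=[]))        # first-time visitor
    print(audit_handshake([LEAF, INTER], [ROOT], cache=[])) # correctly configured
```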
Comment 3•10 years ago
What would happen with cached pages? Do we want to cache the complete chain (currently we only cache the certificate in the cache, since the intermediates are in nss trustdb)?
Comment 4•10 years ago (Reporter)
(In reply to Camilo Viecco (:cviecco) from comment #3)
> What would happen with cached pages? do we want to cache the complete chain
> (currently we only cache the certificate in the cache, since the
> intermediates are in nss trustdb)
Yes, we would need to cache the complete chain (and probably the revocation information too, though that is a separate issue). Also see bug 1038098 and other things (some probably not filed) that need to be changed for this to work.
Depends on: 1049110
Whiteboard: [psm-backlog]
Priority: -- → P3
mozilla::pkix makes this less of a problem. Also, intermediates aren't cached when they're already downloaded as part of intermediate preloading (which are stored elsewhere).
Status: NEW → RESOLVED
Closed: 2 years ago
Resolution: --- → WONTFIX