corysanin/tubestation
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Bug 1966989 - add Result::ERROR_OCSP_RESPONSE_FOR_CERT_MISSING to the list of deferred OCSP stapling errors r=jschanck

Browse Source 
When checking stapled OCSP, if the server stapled an unsuitable response
(according to a small list of error codes), Firefox defers acting on that
information and may try to fetch OCSP in the hopes of getting a suitable
response. This patch adds Result::ERROR_OCSP_RESPONSE_FOR_CERT_MISSING (the
response didn't include a status for the certificate in question) to the list
of these errors.

Differential Revision: https://phabricator.services.mozilla.com/D249848
This commit is contained in:
Dana Keeler
2025-05-19 18:22:02 +00:00
committed by dkeeler@mozilla.com
parent a1fcf2855e
commit bd76eb8d80
2 changed files with 10 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
security/certverifier/NSSCertDBTrustDomain.cpp
View File

@@ -910,7 +910,9 @@ Result NSSCertDBTrustDomain::CheckRevocationByOCSP(
} else if (stapledOCSPResponseResult == } else if (stapledOCSPResponseResult ==
Result::ERROR_OCSP_TRY_SERVER_LATER || Result::ERROR_OCSP_TRY_SERVER_LATER ||
stapledOCSPResponseResult == stapledOCSPResponseResult ==
Result::ERROR_OCSP_INVALID_SIGNING_CERT) { Result::ERROR_OCSP_INVALID_SIGNING_CERT ||
stapledOCSPResponseResult ==
Result::ERROR_OCSP_RESPONSE_FOR_CERT_MISSING) {
// Stapled OCSP response present but invalid for a small number of reasons // Stapled OCSP response present but invalid for a small number of reasons
// CAs/servers commonly get wrong. This will be treated similarly to an // CAs/servers commonly get wrong. This will be treated similarly to an
// expired stapled response. // expired stapled response.

14
security/manager/ssl/tests/unit/test_ocsp_stapling.js
View File

@@ -224,23 +224,23 @@ function add_tests() {
SEC_ERROR_OCSP_UNKNOWN_CERT, SEC_ERROR_OCSP_UNKNOWN_CERT,
true true
); );
// If the server staples an OCSP response that doesn't contain a status for
// the server certificate, we defer returning the error and attempt to fetch
// a more suitable response. If that fails, the deferred error is returned.
add_ocsp_test( add_ocsp_test(
"ocsp-stapling-good-other.example.com", "ocsp-stapling-good-other.example.com",
MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING, MOZILLA_PKIX_ERROR_OCSP_RESPONSE_FOR_CERT_MISSING,
true,
true true
); );
// If the server doesn't staple an OCSP response, we continue as normal // If the server doesn't staple an OCSP response, we continue as normal
// (this means that even though stapling is enabled, we expect an OCSP // (this means that even though stapling is enabled, we expect an OCSP
// request). // request).
add_connection_test( add_ocsp_test(
"ocsp-stapling-none.example.com", "ocsp-stapling-none.example.com",
PRErrorCodeSuccess, PRErrorCodeSuccess,
function () { true,
gExpectOCSPRequest = true; true
clearOCSPCache();
clearSessionCache();
Services.prefs.setBoolPref("security.ssl.enable_ocsp_stapling", true);
}
); );
add_ocsp_test( add_ocsp_test(
"ocsp-stapling-empty.example.com", "ocsp-stapling-empty.example.com",