Hi Ben,

This question might be better off in mozilla.dev.tech.crypto.

On 30/09/16 23:00, Ben Cottrell wrote:
> I'm working on an (unfortunately closed-source) project that needs
> to closely approximate the behavior of an actual web browser, in
> the limited scope of making HTTPS connections and accurately warning
> about certificate problems.

You know about: https://www.ssllabs.com/ssltest/ right? It seems like they have already done all the work you are planning to do, including handshake simulation.

> 1. In as much detail as possible, what steps does Firefox take to
>    verify certificates? If there's a formal engineering spec that
>    describes the whole process, I'd love a pointer to it.

No, I don't think so, sorry. Read the code :-|

> Specifically, I'm interested in questions like: Does Firefox even
> bother with "traditional" CRLs,

No, it doesn't.

> or does it rely entirely on OCSP
> and/or stapling from the server? What X.509 extensions does it pay
> attention to on the certificates? Does Firefox implement the
> entirety of RFC5280 section 6 or does it omit things like policy
> mapping and permitted subtrees? Does it use Authority Key
> Identifier / Subject Key Identifier, as the RFC suggests, *only* in
> cases where the issuer/subject DNs are ambiguous, or does it treat
> the key identifiers (if present) as the primary source of truth?

Many of these are questions about NSS, the security library we use, hence my suggestion of asking elsewhere.

> 2. How bad is OpenSSL's certificate-verifying behavior, really? I know
>    you folks felt like you had to write mozilla::pkix from scratch to
>    get the quality you needed. And it's true that I haven't yet tried
>    to make OpenSSL do OCSP, so I'm not sure yet how hard that will be.

I don't think just pinching OpenSSL's library was ever an option, but I wasn't deep in those technical discussions. We don't use OpenSSL in Firefox at all.

> I'd also be happy with pointers to best-practices type documents that
> you folks trust. What did the people who wrote mozilla::pkix read, as
> preparation for that project?

That project was mostly coded by Brian Smith, who no longer works for Mozilla, but can be found quite easily: https://github.com/briansmith

Gerv
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform