On Wed, July 2, 2014 6:09 am, Bernhard Thalmayr wrote:
> Hi experts, is there a specification which NSS follows when performing
> certificate checks during the SSL handshake (especially with regards to
> handling SubjectAltName extensions)?
>
> TIA,
> Bernhard
>
> P.S. Unfortunately my search in the archive and using Mr. Google did not
> help
> --
Depends on which part of NSS you mean.

Legacy does a somewhat arbitrary, single-path-only path building, with the goal of enforcing RFC 2459-like requirements.

LibPKIX was designed to do unrestricted path building (ala RFC 4158), with the goal of verifying certificates according to RFC 3280.

mozilla::pkix was designed to do unrestricted path building (ala RFC 4158), but with the goal of verifying SSL/TLS certificates according to RFC 5280.

5280 replaces 3280 replaces 2459.

For verifying names, I'm not sure if mozilla::pkix supports RFC 6125 yet. I suspect not (there are still issues with trailing periods, IIRC), but likely something "close to it". For name verification, though, RFC 6125 is "the" thing to read.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
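To make the RFC 6125 name-verification rules the reply points to concrete, here is an added example (not NSS or mozilla::pkix code) of matching a hostname against a certificate's dNSName SubjectAltName entries. The SAN list and CN are constructed sample values, and stripping one trailing period from an absolute name is my assumption about how a client should treat it, which is the very edge case the reply mentions.

```python
import re

# Constructed sample: the dNSName SANs and subject CN a parser would extract
# from a server certificate (hypothetical values, not from any real cert).
SAN_DNS_NAMES = ["www.example.com", "*.app.example.com"]
SUBJECT_CN = "legacy.example.com"

_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def normalize(name):
    """Lower-case and drop one trailing period (an absolute DNS name), so
    'WWW.Example.COM.' and 'www.example.com' compare equal (assumption)."""
    name = name.lower()
    return name[:-1] if name.endswith(".") else name


def dnsname_matches(presented, reference):
    """RFC 6125 section 6.4.3: match one presented dNSName against the
    reference identifier (the host the client intended to reach)."""
    presented, reference = normalize(presented), normalize(reference)
    p_labels, r_labels = presented.split("."), reference.split(".")
    if not all(_LABEL.match(label) for label in r_labels):
        return False  # the reference identifier is not a valid DNS name
    if "*" not in presented:
        return presented == reference
    # Wildcard rules: only the left-most label may be a wildcard, it must be
    # the whole label ("*.example.com", not "f*.example.com"), and at least
    # two labels must follow it so that "*.com" never matches anything.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(r_labels) != len(p_labels):
        return False  # '*' matches exactly one label, never "a.b.example.com"
    return p_labels[1:] == r_labels[1:]


def host_matches_cert(hostname, san_dns_names, subject_cn):
    """Check a hostname against a certificate's names. As RFC 6125 recommends,
    the CN is consulted only when the certificate carries no dNSName SAN."""
    if san_dns_names:
        return any(dnsname_matches(n, hostname) for n in san_dns_names)
    return dnsname_matches(subject_cn, hostname) if subject_cn else False
```

iPAddress SANs and internationalized names are out of scope here; a real client must handle both before this check.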