A while back in the NSS teleconference we discussed whether the non-blocking mode of libpkix is reliable enough to be used by Firefox. The conclusion is that the code hasn't been tested well enough to be relied upon and that it is better for Firefox to do certificate validation in a background thread to get non-blocking-like behavior.
Also, I found these bug reports which seem to indicate that there are many code paths that aren't correctly written for the non-blocking mode: https://bugzilla.mozilla.org/buglist.cgi?quicksearch=whiteboard%3AnbioContext

With this in mind, does anybody see any problem with removing the support for the non-blocking mode of libpkix? I imagine that we would do so by doing the following:

* Check in a patch for CERT_PKIXVerifyCert that fails immediately if the caller passed in the cert_pi_nbioAbort, cert_pi_nbioContext, or cert_po_nbioContext parameters.
* As we modify functions in libpkix, we would remove the nbioContext support from those functions if/when convenient.
* And/or, we would consider all the code dealing with nbioContext support (suspending the current state or resuming from a passed-in state) to be dead code when reviewing patches.

This would make making modifications to libpkix much simpler.

Thoughts?

Cheers,
Brian
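A sketch of the fail-immediately check proposed in the first step, added here as an illustration and not taken from the post or from NSS. The types are simplified stand-ins for the NSS declarations, and the helper name `reject_nbio_params` and the sample arrays are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins for the NSS declarations: the real parameter structs
 * also carry a value, and the real enums have more members. */
typedef enum { SECSuccess = 0, SECFailure = -1 } SECStatus;
typedef enum { cert_pi_end = 0, cert_pi_nbioContext, cert_pi_nbioAbort,
               cert_pi_certList } CERTValParamInType;
typedef enum { cert_po_end = 0, cert_po_nbioContext,
               cert_po_trustAnchor } CERTValParamOutType;
typedef struct { CERTValParamInType type; } CERTValInParam;
typedef struct { CERTValParamOutType type; } CERTValOutParam;

/* Hypothetical helper: fail closed if any non-blocking parameter appears in
 * either end-terminated array, instead of silently ignoring it. How the real
 * function would report the error is not stated in the post. */
static SECStatus
reject_nbio_params(const CERTValInParam *in, const CERTValOutParam *out)
{
    size_t i;
    for (i = 0; in != NULL && in[i].type != cert_pi_end; i++) {
        if (in[i].type == cert_pi_nbioContext ||
            in[i].type == cert_pi_nbioAbort)
            return SECFailure;
    }
    for (i = 0; out != NULL && out[i].type != cert_po_end; i++) {
        if (out[i].type == cert_po_nbioContext)
            return SECFailure;
    }
    return SECSuccess;
}

/* Constructed sample parameter lists. */
static const CERTValInParam sample_blocking_in[] = {{cert_pi_certList}, {cert_pi_end}};
static const CERTValInParam sample_nbio_in[] = {{cert_pi_certList}, {cert_pi_nbioAbort}, {cert_pi_end}};
static const CERTValOutParam sample_plain_out[] = {{cert_po_trustAnchor}, {cert_po_end}};
static const CERTValOutParam sample_nbio_out[] = {{cert_po_nbioContext}, {cert_po_end}};

int main(void)
{
    printf("blocking call: %d\n", reject_nbio_params(sample_blocking_in, sample_plain_out));
    printf("nbio input:    %d\n", reject_nbio_params(sample_nbio_in, sample_plain_out));
    printf("nbio output:   %d\n", reject_nbio_params(sample_blocking_in, sample_nbio_out));
    return 0;
}
```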
