mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-10-19 16:25:38 +00:00
6ea4fb08d4
OCSP requests cannot be performed on the main thread. If we were to wait for a response from the network, we would be blocking the main thread for an unacceptably long time. If we were to spin the event loop while waiting (which is what we do currently), other parts of the code that assume this will never happen (which is essentially all of them) can break.

As of bug 867473, no certificate verification happens on the main thread, so no OCSP requests happen on the main thread. Given this, we can go ahead and prohibit such requests.

Incidentally, this gives us an opportunity to improve the current OCSP implementation, which has a few drawbacks (the largest of which is that it's unclear that its ownership model is implemented correctly).

This also removes OCSP GET support. Due to recent OCSP server implementations (namely, the ability to cache OCSP POST request responses), OCSP GET is not a compelling technology to pursue. Furthermore, continued support presents a maintenance burden.

MozReview-Commit-ID: 4ACDY09nCBA
--HG--
extra : rebase_source : 072564adf1836720e147b8250afca7cebe4dbf62
43 lines
1.5 KiB
C++
/* This Source Code Form is subject to the terms of the Mozilla Public
 * License, v. 2.0. If a copy of the MPL was not distributed with this
 * file, You can obtain one at http://mozilla.org/MPL/2.0/. */

#ifndef SharedCertVerifier_h
#define SharedCertVerifier_h

#include "CertVerifier.h"
#include "mozilla/RefPtr.h"
#include "mozilla/TimeStamp.h"

namespace mozilla { namespace psm {

class SharedCertVerifier : public mozilla::psm::CertVerifier
{
protected:
  ~SharedCertVerifier();

public:
  NS_INLINE_DECL_THREADSAFE_REFCOUNTING(SharedCertVerifier)

  SharedCertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc,
                     mozilla::TimeDuration ocspSoftTimeout,
                     mozilla::TimeDuration ocspHardTimeout,
                     uint32_t certShortLifetimeInDays,
                     PinningMode pinningMode, SHA1Mode sha1Mode,
                     BRNameMatchingPolicy::Mode nameMatchingMode,
                     NetscapeStepUpPolicy netscapeStepUpPolicy,
                     CertificateTransparencyMode ctMode,
                     DistrustedCAPolicy distrustedCAPolicy)
    : mozilla::psm::CertVerifier(odc, osc, ocspSoftTimeout,
                                 ocspHardTimeout, certShortLifetimeInDays,
                                 pinningMode, sha1Mode, nameMatchingMode,
                                 netscapeStepUpPolicy, ctMode,
                                 distrustedCAPolicy)
  {
  }
};

} } // namespace mozilla::psm

#endif // SharedCertVerifier_h
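The rule stated in the commit message above, as an added sketch that is not code from the Gecko tree: a blocking OCSP fetch is refused outright on the main thread, and on a background thread it is bounded by a hard timeout. `GuardedOcspFetcher`, `FetchFromWorker`, `FetchStatus` and the `request` callable are hypothetical stand-ins, and the standard-library threading here is an assumption in place of Gecko's own thread and networking machinery.

```cpp
#include <chrono>
#include <functional>
#include <future>
#include <string>
#include <thread>

// Hypothetical names throughout; none of this is Gecko's API.
enum class FetchStatus { Ok, RefusedOnMainThread, TimedOut };

struct FetchResult {
  FetchStatus status;
  std::string body;
};

class GuardedOcspFetcher {
 public:
  // Construct on the main thread so its id is recorded as the forbidden one.
  GuardedOcspFetcher() : mMainThread(std::this_thread::get_id()) {}

  // `request` stands in for the blocking network round trip to the responder.
  FetchResult Fetch(std::function<std::string()> request,
                    std::chrono::milliseconds hardTimeout) const {
    // Refuse rather than block or spin the main thread's event loop.
    if (std::this_thread::get_id() == mMainThread) {
      return {FetchStatus::RefusedOnMainThread, ""};
    }
    std::packaged_task<std::string()> task(std::move(request));
    std::future<std::string> response = task.get_future();
    std::thread(std::move(task)).detach();  // a late response is simply dropped
    if (response.wait_for(hardTimeout) != std::future_status::ready) {
      return {FetchStatus::TimedOut, ""};
    }
    return {FetchStatus::Ok, response.get()};
  }

 private:
  const std::thread::id mMainThread;
};

// Runs Fetch on a background thread, as a certificate verification thread would.
FetchResult FetchFromWorker(const GuardedOcspFetcher& fetcher,
                            std::function<std::string()> request,
                            std::chrono::milliseconds hardTimeout) {
  auto job = std::async(std::launch::async, [&] {
    return fetcher.Fetch(std::move(request), hardTimeout);
  });
  return job.get();
}
```

The caller decides what a `TimedOut` or `RefusedOnMainThread` result means for the verification outcome; the sketch only guarantees that the main thread never waits on the network.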