Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-10-19 16:25:38 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
312a9dd7f5
gecko-dev/security/manager/ssl/SharedCertVerifier.h
David Keeler 6ea4fb08d4 bug 1456489 - prevent making OCSP requests on the main thread r=fkiefer,jcj 
OCSP requests cannot be performed on the main thread. If we were to wait for a
response from the network, we would be blocking the main thread for an
unnaceptably long time. If we were to spin the event loop while waiting (which
is what we do currently), other parts of the code that assume this will never
happen (which is essentially all of them) can break.

As of bug 867473, no certificate verification happens on the main thread, so no
OCSP requests happen on the main thread. Given this, we can go ahead and
prohibit such requests.

Incidentally, this gives us an opportunity to improve the current OCSP
implementation, which has a few drawbacks (the largest of which is that it's
unclear that its ownership model is implemented correctly).

This also removes OCSP GET support. Due to recent OCSP server implementations
(namely, the ability to cache OCSP POST request responses), OCSP GET is not a
compelling technology to pursue. Furthermore, continued support presents a
maintenance burden.

MozReview-Commit-ID: 4ACDY09nCBA

--HG--
extra : rebase_source : 072564adf1836720e147b8250afca7cebe4dbf62
2018-04-23 18:09:35 +02:00

43 lines
1.5 KiB
C++
Raw Blame History

/* This Source Code Form is subject to the terms of the Mozilla Public
* License, v. 2.0. If a copy of the MPL was not distributed with this
* file, You can obtain one at http://mozilla.org/MPL/2.0/. */
#ifndef SharedCertVerifier_h
#define SharedCertVerifier_h
#include "CertVerifier.h"
#include "mozilla/RefPtr.h"
#include "mozilla/TimeStamp.h"
namespace mozilla { namespace psm {
class SharedCertVerifier : public mozilla::psm::CertVerifier
{
protected:
~SharedCertVerifier();
public:
NS_INLINE_DECL_THREADSAFE_REFCOUNTING(SharedCertVerifier)
SharedCertVerifier(OcspDownloadConfig odc, OcspStrictConfig osc,
mozilla::TimeDuration ocspSoftTimeout,
mozilla::TimeDuration ocspHardTimeout,
uint32_t certShortLifetimeInDays,
PinningMode pinningMode, SHA1Mode sha1Mode,
BRNameMatchingPolicy::Mode nameMatchingMode,
NetscapeStepUpPolicy netscapeStepUpPolicy,
CertificateTransparencyMode ctMode,
DistrustedCAPolicy distrustedCAPolicy)
: mozilla::psm::CertVerifier(odc, osc, ocspSoftTimeout,
ocspHardTimeout, certShortLifetimeInDays,
pinningMode, sha1Mode, nameMatchingMode,
netscapeStepUpPolicy, ctMode,
distrustedCAPolicy)
{
}
};
} } // namespace mozilla::psm
#endif // SharedCertVerifier_h
Reference in New Issue View Git Blame Copy Permalink