mirror of
https://github.com/mozilla/gecko-dev.git
synced 2025-02-26 04:09:50 +00:00
ca85c42741
The current serverCertificateHashes implementation does not follow the WebTransport specification, that introduced serverCertificateHashes as a tool to replace certificate chain verification. Instead it introduced the hashes as an additional check. This patch moves the check to the Http3Session object and modifies the connection manager' hashes to prevent crossSite certificate poisoning. It is - as the WebTransport Implementation in Firefox - currently limited to http3 only. However, since the hashes live on the ConnectionEntries, it should be possible to extend this in the future. Differential Revision: https://phabricator.services.mozilla.com/D197857