Magic-Mirror/gecko-dev
1
0
Fork 0
mirror of https://github.com/mozilla/gecko-dev.git synced 2024-10-17 23:35:34 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
faad139012
gecko-dev/security/certverifier
History
David Keeler 6ea4fb08d4 bug 1456489 - prevent making OCSP requests on the main thread r=fkiefer,jcj 
OCSP requests cannot be performed on the main thread. If we were to wait for a
response from the network, we would be blocking the main thread for an
unnaceptably long time. If we were to spin the event loop while waiting (which
is what we do currently), other parts of the code that assume this will never
happen (which is essentially all of them) can break.

As of bug 867473, no certificate verification happens on the main thread, so no
OCSP requests happen on the main thread. Given this, we can go ahead and
prohibit such requests.

Incidentally, this gives us an opportunity to improve the current OCSP
implementation, which has a few drawbacks (the largest of which is that it's
unclear that its ownership model is implemented correctly).

This also removes OCSP GET support. Due to recent OCSP server implementations
(namely, the ability to cache OCSP POST request responses), OCSP GET is not a
compelling technology to pursue. Furthermore, continued support presents a
maintenance burden.

MozReview-Commit-ID: 4ACDY09nCBA

--HG--
extra : rebase_source : 072564adf1836720e147b8250afca7cebe4dbf62
2018-04-23 18:09:35 +02:00
..
tests/gtest Bug 1440029 - Add a test for TrustOverrideUtils.h r=keeler 2018-02-21 16:54:52 -05:00
BRNameMatchingPolicy.cpp
BRNameMatchingPolicy.h
BTInclusionProof.h Bug 1343202 - Utility function for decoding an InclusionProof structure; r=ckerschb,keeler 2017-08-18 09:50:49 +02:00
BTVerifier.cpp Bug 1343202 - Utility function for decoding an InclusionProof structure; r=ckerschb,keeler 2017-08-18 09:50:49 +02:00
BTVerifier.h Bug 1343202 - Utility function for decoding an InclusionProof structure; r=ckerschb,keeler 2017-08-18 09:50:49 +02:00
Buffer.cpp Bug 1343202 - Move Buffer definition into its own file; r=keeler,rbarnes 2017-08-17 09:23:29 +02:00
Buffer.h Bug 1343202 - Move Buffer definition into its own file; r=keeler,rbarnes 2017-08-17 09:23:29 +02:00
CertVerifier.cpp bug 1456489 - prevent making OCSP requests on the main thread r=fkiefer,jcj 2018-04-23 18:09:35 +02:00
CertVerifier.h bug 1456489 - prevent making OCSP requests on the main thread r=fkiefer,jcj 2018-04-23 18:09:35 +02:00
CTDiversityPolicy.cpp
CTDiversityPolicy.h
CTKnownLogs.h
CTLog.h
CTLogVerifier.cpp
CTLogVerifier.h
CTObjectsExtractor.cpp
CTObjectsExtractor.h
CTPolicyEnforcer.cpp
CTPolicyEnforcer.h
CTSerialization.cpp Bug 1343202 - Utility function for decoding an InclusionProof structure; r=ckerschb,keeler 2017-08-18 09:50:49 +02:00
CTSerialization.h
CTUtils.h Bug 1343202 - Utility function for decoding an InclusionProof structure; r=ckerschb,keeler 2017-08-18 09:50:49 +02:00
CTVerifyResult.cpp
CTVerifyResult.h
ExtendedValidation.cpp bug 1410956 - enable SSL.com EV root certificates for EV in PSM r=fkiefer 2018-03-02 15:44:43 -08:00
ExtendedValidation.h bug 1421084 - part 4/4 - remove nsNSSShutDown.h and (hopefully) all references to it r=mt,ttaubert 2018-01-24 14:44:01 -08:00
moz.build bug 1456489 - prevent making OCSP requests on the main thread r=fkiefer,jcj 2018-04-23 18:09:35 +02:00
MultiLogCTVerifier.cpp
MultiLogCTVerifier.h
NSSCertDBTrustDomain.cpp bug 1456489 - prevent making OCSP requests on the main thread r=fkiefer,jcj 2018-04-23 18:09:35 +02:00
NSSCertDBTrustDomain.h bug 1456489 - prevent making OCSP requests on the main thread r=fkiefer,jcj 2018-04-23 18:09:35 +02:00
OCSPCache.cpp
OCSPCache.h
OCSPVerificationTrustDomain.cpp
OCSPVerificationTrustDomain.h
SignedCertificateTimestamp.cpp Bug 1343202 - Move Buffer definition into its own file; r=keeler,rbarnes 2017-08-17 09:23:29 +02:00
SignedCertificateTimestamp.h Bug 1343202 - Move Buffer definition into its own file; r=keeler,rbarnes 2017-08-17 09:23:29 +02:00
SignedTreeHead.h
TrustOverride-AppleGoogleDigiCertData.inc Bug 1434300 - Add the DigiCert whitelisted SPKIs r=keeler 2018-02-21 14:08:59 -05:00
TrustOverride-GlobalSignData.inc Bug 1409259 - Refactor "TrustOverrides" header for existing trust overrides r=keeler 2017-10-16 23:17:52 -07:00
TrustOverride-StartComAndWoSignData.inc Bug 1409259 - Refactor "TrustOverrides" header for existing trust overrides r=keeler 2017-10-16 23:17:52 -07:00
TrustOverride-SymantecData.inc Bug 1434300 - Add a utility to match certificates based on SPKI r=fkiefer,keeler 2018-02-21 14:08:44 -05:00
TrustOverride-TestImminentDistrustData.inc Bug 1439378 - Re-enable the imminent distrust browser-console test r=fkiefer,keeler 2018-02-26 15:55:35 -07:00
TrustOverrideUtils.h Bug 1434300 - Change Symantec Distrust Algorithm's whitelist to SPKI-matching r=fkiefer,keeler 2018-02-21 14:08:47 -05:00