mirror of
https://github.com/mozilla/gecko-dev.git
synced 2024-11-27 06:43:32 +00:00
2c12afd0df
In bug 1874054, we made it so Firefox won't import a third party certificate if it is already a known built-in root. This was to prevent roots that were mistakenly identified as intermediates (as in, "inherits trust") from overriding the trust settings of built-in roots and preventing chains being built to those roots. Additionally, we were concerned about cases where a built-in root had been set by the user to be distrusted, in which case importing that root from the OS would unexpectedly make it trusted again.

Revisiting the first issue, this patch restricts this check to only certificates identified as non-trust-anchors, so roots will still be imported.

As for the second issue, it turns out that we actually do want this feature to work this way. This will enable (with some additional work) situations where a built-in root has a distrust after date but the user wants that root to still work as before. As for any discrepancies between the user's trust settings in Firefox vs. their operating system, that's up to them to resolve.

Differential Revision: https://phabricator.services.mozilla.com/D218889

- certverifier
- ct
- mac/hardenedruntime/v2
- manager
- nss
- rlbox
- sandbox
- .eslintrc.js
- generate_mapfile.py
- moz.build
- nss.symbols