info
Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
Want to learn TLS certificate verification best practices
74 views
Skip to first unread message
Ben Cottrell
Sep 30, 2016, 5:59:22 PM9/30/16
to dev-pl...@lists.mozilla.org
Hi all,
I'm working on an (unfortunately closed-source) project that needs
to closely approximate the behavior of an actual web browser, in
the limited scope of making HTTPS connections and accurately warning
about certificate problems. So I need to learn about "what real
browsers do" and it seems to me that the people on this list are
probably some pretty good giants to stand on the shoulders of!
Here's what I've read already:
* Joshua Davies, "Implementing SSL/TLS," chapter 5 ("creating
a network of trust using X.509 certificates")
* RFC5280 section 6 (path validation)
* RFC6960 (OCSP)
* RFC6066 section 8 (OCSP stapling)
* RFC6961 (multiple-response OCSP stapling)
So I have an idea of what kinds of protocols and standards are out
there, but what I'm missing is how (and to what extent) all these
protocols get used in practice by real browsers.
I think I have two main questions:
1. In as much detail as possible, what steps does Firefox take to
verify certificates? If there's a formal engineering spec that
describes the whole process, I'd love a pointer to it.
Specifically, I'm interested in questions like: Does Firefox even
bother with "traditional" CRLs, or does it rely entirely on OCSP
and/or stapling from the server? What X.509 extensions does it pay
attention to on the certificates? Does Firefox implement the
entirety of RFC5280 section 6 or does it omit things like policy
mapping and permitted subtrees? Does it use Authority Key
Identifier / Subject Key Identifier, as the RFC suggests, *only* in
cases where the issuer/subject DNs are ambiguous, or does it treat
the key identifiers (if present) as the primary source of truth?
2. How bad is OpenSSL's certificate-verifying behavior, really? I know
you folks felt like you had to write mozilla::pkix from scratch to
get the quality you needed. And it's true that I haven't yet tried
to make OpenSSL do OCSP, so I'm not sure yet how hard that will be.
But just talking about the basic bread and butter of RFC5280 section
6, if we populate the certificate store, turn on SSL_VERIFY_PEER,
and just let it do its thing, would we be getting behavior that is
95% the same as what a real browser would do? 80% the same? 40%?
I'd also be happy with pointers to best-practices type documents that
you folks trust. What did the people who wrote mozilla::pkix read, as
preparation for that project?
Thanks!!
~Ben
I'm working on an (unfortunately closed-source) project that needs
to closely approximate the behavior of an actual web browser, in
the limited scope of making HTTPS connections and accurately warning
about certificate problems. So I need to learn about "what real
browsers do" and it seems to me that the people on this list are
probably some pretty good giants to stand on the shoulders of!
Here's what I've read already:
* Joshua Davies, "Implementing SSL/TLS," chapter 5 ("creating
a network of trust using X.509 certificates")
* RFC5280 section 6 (path validation)
* RFC6960 (OCSP)
* RFC6066 section 8 (OCSP stapling)
* RFC6961 (multiple-response OCSP stapling)
So I have an idea of what kinds of protocols and standards are out
there, but what I'm missing is how (and to what extent) all these
protocols get used in practice by real browsers.
I think I have two main questions:
1. In as much detail as possible, what steps does Firefox take to
verify certificates? If there's a formal engineering spec that
describes the whole process, I'd love a pointer to it.
Specifically, I'm interested in questions like: Does Firefox even
bother with "traditional" CRLs, or does it rely entirely on OCSP
and/or stapling from the server? What X.509 extensions does it pay
attention to on the certificates? Does Firefox implement the
entirety of RFC5280 section 6 or does it omit things like policy
mapping and permitted subtrees? Does it use Authority Key
Identifier / Subject Key Identifier, as the RFC suggests, *only* in
cases where the issuer/subject DNs are ambiguous, or does it treat
the key identifiers (if present) as the primary source of truth?
2. How bad is OpenSSL's certificate-verifying behavior, really? I know
you folks felt like you had to write mozilla::pkix from scratch to
get the quality you needed. And it's true that I haven't yet tried
to make OpenSSL do OCSP, so I'm not sure yet how hard that will be.
But just talking about the basic bread and butter of RFC5280 section
6, if we populate the certificate store, turn on SSL_VERIFY_PEER,
and just let it do its thing, would we be getting behavior that is
95% the same as what a real browser would do? 80% the same? 40%?
I'd also be happy with pointers to best-practices type documents that
you folks trust. What did the people who wrote mozilla::pkix read, as
preparation for that project?
Thanks!!
~Ben
Gervase Markham
Oct 3, 2016, 4:49:26 AM10/3/16
to Ben Cottrell
Hi Ben,
This question might be better off in mozilla.dev.tech.crypto.
On 30/09/16 23:00, Ben Cottrell wrote:
> I'm working on an (unfortunately closed-source) project that needs
> to closely approximate the behavior of an actual web browser, in
> the limited scope of making HTTPS connections and accurately warning
> about certificate problems.
You know about:
https://www.ssllabs.com/ssltest/
right? It seems like they have already done all the work you are
planning to do, including handshake simulation.
> 1. In as much detail as possible, what steps does Firefox take to
> verify certificates? If there's a formal engineering spec that
> describes the whole process, I'd love a pointer to it.
No, I don't think so, sorry. Read the code :-|
> Specifically, I'm interested in questions like: Does Firefox even
> bother with "traditional" CRLs,
No, it doesn't.
> or does it rely entirely on OCSP
> and/or stapling from the server? What X.509 extensions does it pay
> attention to on the certificates? Does Firefox implement the
> entirety of RFC5280 section 6 or does it omit things like policy
> mapping and permitted subtrees? Does it use Authority Key
> Identifier / Subject Key Identifier, as the RFC suggests, *only* in
> cases where the issuer/subject DNs are ambiguous, or does it treat
> the key identifiers (if present) as the primary source of truth?
Many of these are questions about NSS, the security library we use,
hence my suggestion of asking elsewhere.
> 2. How bad is OpenSSL's certificate-verifying behavior, really? I know
> you folks felt like you had to write mozilla::pkix from scratch to
> get the quality you needed. And it's true that I haven't yet tried
> to make OpenSSL do OCSP, so I'm not sure yet how hard that will be.
I don't think just pinching OpenSSL's library was ever an option, but I
wasn't deep in those technical discussions. We don't use OpenSSL in
Firefox at all.
> I'd also be happy with pointers to best-practices type documents that
> you folks trust. What did the people who wrote mozilla::pkix read, as
> preparation for that project?
That project was mostly coded by Brian Smith, who no longer works for
Mozilla, but can be found quite easily:
https://github.com/briansmith
Gerv
This question might be better off in mozilla.dev.tech.crypto.
On 30/09/16 23:00, Ben Cottrell wrote:
> I'm working on an (unfortunately closed-source) project that needs
> to closely approximate the behavior of an actual web browser, in
> the limited scope of making HTTPS connections and accurately warning
> about certificate problems.
https://www.ssllabs.com/ssltest/
right? It seems like they have already done all the work you are
planning to do, including handshake simulation.
> 1. In as much detail as possible, what steps does Firefox take to
> verify certificates? If there's a formal engineering spec that
> describes the whole process, I'd love a pointer to it.
> Specifically, I'm interested in questions like: Does Firefox even
> bother with "traditional" CRLs,
> or does it rely entirely on OCSP
> and/or stapling from the server? What X.509 extensions does it pay
> attention to on the certificates? Does Firefox implement the
> entirety of RFC5280 section 6 or does it omit things like policy
> mapping and permitted subtrees? Does it use Authority Key
> Identifier / Subject Key Identifier, as the RFC suggests, *only* in
> cases where the issuer/subject DNs are ambiguous, or does it treat
> the key identifiers (if present) as the primary source of truth?
hence my suggestion of asking elsewhere.
> 2. How bad is OpenSSL's certificate-verifying behavior, really? I know
> you folks felt like you had to write mozilla::pkix from scratch to
> get the quality you needed. And it's true that I haven't yet tried
> to make OpenSSL do OCSP, so I'm not sure yet how hard that will be.
wasn't deep in those technical discussions. We don't use OpenSSL in
Firefox at all.
> I'd also be happy with pointers to best-practices type documents that
> you folks trust. What did the people who wrote mozilla::pkix read, as
> preparation for that project?
Mozilla, but can be found quite easily:
https://github.com/briansmith
Gerv
Ben Cottrell
Oct 4, 2016, 7:11:40 PM10/4/16
to Gervase Markham, dev-pl...@lists.mozilla.org
Hi Gervase,
On Mon, Oct 03, 2016 at 09:49:20AM +0100, Gervase Markham wrote:
> This question might be better off in mozilla.dev.tech.crypto.
OK, understood. Thanks for the redirect.
Although, you've given me enough to chew on already that I'm not
likely to immediately go post over there, either. I think your
response was immensely helpful, specifically the pointer to Brian
Smith. His writeup at <https://briansmith.org/insanity-pkix> is
very much along the lines of the kind of best-practices document
I was hoping to find.
I'm going to go away and chew on RFC4158 (which I wasn't aware
of previously) for a while, and if I have more questions after
that I will post on mozilla.dev.tech.crypto.
You rock! Thanks!
~Ben
On Mon, Oct 03, 2016 at 09:49:20AM +0100, Gervase Markham wrote:
> This question might be better off in mozilla.dev.tech.crypto.
Although, you've given me enough to chew on already that I'm not
likely to immediately go post over there, either. I think your
response was immensely helpful, specifically the pointer to Brian
Smith. His writeup at <https://briansmith.org/insanity-pkix> is
very much along the lines of the kind of best-practices document
I was hoping to find.
I'm going to go away and chew on RFC4158 (which I wasn't aware
of previously) for a while, and if I have more questions after
that I will post on mozilla.dev.tech.crypto.
You rock! Thanks!
~Ben
0 new messages