Hi Ben,
This question might be better off in mozilla.dev.tech.crypto.
On 30/09/16 23:00, Ben Cottrell wrote:
> I'm working on an (unfortunately closed-source) project that needs
> to closely approximate the behavior of an actual web browser, in
> the limited scope of making HTTPS connections and accurately warning
> about certificate problems.
You know about:
https://www.ssllabs.com/ssltest/
right? It seems like they have already done all the work you are
planning to do, including handshake simulation.
> 1. In as much detail as possible, what steps does Firefox take to
> verify certificates? If there's a formal engineering spec that
> describes the whole process, I'd love a pointer to it.
No, I don't think so, sorry. Read the code :-|
> Specifically, I'm interested in questions like: Does Firefox even
> bother with "traditional" CRLs,
No, it doesn't.
> or does it rely entirely on OCSP
> and/or stapling from the server? What X.509 extensions does it pay
> attention to on the certificates? Does Firefox implement the
> entirety of RFC5280 section 6 or does it omit things like policy
> mapping and permitted subtrees? Does it use Authority Key
> Identifier / Subject Key Identifier, as the RFC suggests, *only* in
> cases where the issuer/subject DNs are ambiguous, or does it treat
> the key identifiers (if present) as the primary source of truth?
Many of these are questions about NSS, the security library we use,
hence my suggestion of asking elsewhere.
> 2. How bad is OpenSSL's certificate-verifying behavior, really? I know
> you folks felt like you had to write mozilla::pkix from scratch to
> get the quality you needed. And it's true that I haven't yet tried
> to make OpenSSL do OCSP, so I'm not sure yet how hard that will be.
I don't think just pinching OpenSSL's library was ever an option, but I
wasn't deep in those technical discussions. We don't use OpenSSL in
Firefox at all.
> I'd also be happy with pointers to best-practices type documents that
> you folks trust. What did the people who wrote mozilla::pkix read, as
> preparation for that project?
That project was mostly coded by Brian Smith, who no longer works for
Mozilla, but can be found quite easily:
https://github.com/briansmith
Gerv
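The checks Ben asks about under question 1 (RFC 5280 section 6 processing, basicConstraints and pathLenConstraint, permitted subtrees, and whether AKI/SKI or the issuer/subject DNs drive chain building), as an added illustration that is not part of this thread and is not Firefox, NSS, mozilla::pkix or OpenSSL code. It is a toy path builder and validator in Python over constructed certificate records: DNs are plain strings, the signature check is stood in for by a `signed_by_key` field, hostname matching is exact (no wildcards), and revocation (CRL/OCSP) is left out entirely. Issuer lookup is by name, and AKI/SKI only narrows the candidates when two CA certificates share a subject DN, which is what the RFC intends:

```python
# Added toy RFC 5280 section 6 path builder/validator; not code from Firefox, NSS,
# mozilla::pkix or OpenSSL. Certs are constructed objects; 'signed_by_key' stands in
# for a real signature check (an assumption here) and revocation is out of scope.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

@dataclass
class Cert:
    subject: str                 # subject DN (string form)
    issuer: str                  # issuer DN
    ski: str                     # subjectKeyIdentifier (constructed label)
    aki: Optional[str]           # authorityKeyIdentifier, may be absent
    signed_by_key: str           # SKI of the signing key, in place of the signature
    not_before: datetime = datetime(2010, 1, 1, tzinfo=timezone.utc)
    not_after: datetime = datetime(2030, 1, 1, tzinfo=timezone.utc)
    is_ca: bool = False          # basicConstraints.cA
    path_len: Optional[int] = None                   # basicConstraints.pathLenConstraint
    permitted_dns: Optional[Tuple[str, ...]] = None  # nameConstraints permittedSubtrees (dNSName)
    dns_names: Tuple[str, ...] = ()                  # subjectAltName dNSName entries

def dns_in_subtree(name: str, base: str) -> bool:
    """RFC 5280 4.2.1.10: a dNSName subtree covers the base name and every subdomain."""
    name, base = name.lower(), base.lower()
    return name == base or name.endswith("." + base)

def candidate_issuers(cert: Cert, pool: List[Cert]) -> List[Cert]:
    """Match by name (issuer DN == subject DN). AKI/SKI only narrows the set when several
    certs share a subject DN (e.g. after a CA key rollover): a hint, not the source of truth."""
    by_name = [c for c in pool if c.subject == cert.issuer]
    if len(by_name) > 1 and cert.aki is not None:
        narrowed = [c for c in by_name if c.ski == cert.aki]
        if narrowed:
            return narrowed
    return by_name

def build_path(leaf: Cert, intermediates: List[Cert], anchors: List[Cert]) -> Optional[List[Cert]]:
    """Depth-first search leaf -> ... -> anchor, backtracking when a candidate did not sign the cert."""
    pool = list(intermediates) + list(anchors)
    def walk(chain: List[Cert]) -> Optional[List[Cert]]:
        tail = chain[-1]
        if any(tail is a for a in anchors):
            return chain
        for issuer in candidate_issuers(tail, pool):
            if any(issuer is c for c in chain) or tail.signed_by_key != issuer.ski:
                continue              # would loop, or the signature would not verify
            found = walk(chain + [issuer])
            if found:
                return found
        return None
    return walk([leaf])

def validate_path(chain: List[Cert], now: datetime, hostname: str) -> Tuple[bool, str]:
    """RFC 5280 6.1-style checks, processed from the trust anchor down to the leaf."""
    top_down = list(reversed(chain))
    permitted, max_path = None, None  # dNSName subtrees in force / intermediates still allowed
    for idx, cert in enumerate(top_down):
        is_anchor, is_leaf = idx == 0, idx == len(top_down) - 1
        if not (cert.not_before <= now <= cert.not_after):
            return False, f"{cert.subject}: outside validity period"
        if not is_anchor and cert.issuer != top_down[idx - 1].subject:
            return False, f"{cert.subject}: issuer name does not match"
        if permitted is not None:     # constraints set by earlier CAs apply to this cert
            for n in cert.dns_names:
                if not any(dns_in_subtree(n, b) for b in permitted):
                    return False, f"{cert.subject}: dNSName {n} outside permitted subtrees"
        if is_leaf:                   # exact hostname match; no wildcard handling here
            if hostname.lower() not in [n.lower() for n in cert.dns_names]:
                return False, f"{cert.subject}: no dNSName matches {hostname}"
            return True, "ok"
        if not cert.is_ca:
            return False, f"{cert.subject}: basicConstraints cA is false"
        if not is_anchor and max_path is not None:   # 6.1.4 (l): an intermediate uses one hop
            if max_path <= 0:
                return False, f"{cert.subject}: pathLenConstraint exceeded"
            max_path -= 1
        if cert.path_len is not None:                # 6.1.4 (m): tighten the remaining length
            max_path = cert.path_len if max_path is None else min(max_path, cert.path_len)
        if cert.permitted_dns is not None:           # simplified intersection: new inside old
            permitted = {n for n in cert.permitted_dns
                         if permitted is None or any(dns_in_subtree(n, p) for p in permitted)}
    return False, "empty chain"

def verify(leaf, intermediates, anchors, now, hostname):
    chain = build_path(leaf, intermediates, anchors)
    return validate_path(chain, now, hostname) if chain else (False, "no path to a trust anchor")

# Constructed sample PKI: root, two CAs sharing a subject DN (key rollover), leaves, a too-deep sub-CA.
NOW = datetime(2016, 9, 30, tzinfo=timezone.utc)
ROOT = Cert("CN=Toy Root", "CN=Toy Root", "r1", None, "r1", is_ca=True, path_len=1)
OLD_ICA = Cert("CN=Toy CA", "CN=Toy Root", "i0", "r1", "r1", is_ca=True, path_len=0, permitted_dns=("example.test",))
ICA = Cert("CN=Toy CA", "CN=Toy Root", "i1", "r1", "r1", is_ca=True, path_len=0, permitted_dns=("example.test",))
LEAF = Cert("CN=www.example.test", "CN=Toy CA", "l1", "i1", "i1", dns_names=("www.example.test",))
NOAKI_LEAF = Cert("CN=www.example.test", "CN=Toy CA", "l1", None, "i1", dns_names=("www.example.test",))
BAD_NAME = Cert("CN=www.other.test", "CN=Toy CA", "l3", "i1", "i1", dns_names=("www.other.test",))
SUB_ICA = Cert("CN=Toy Sub-CA", "CN=Toy CA", "s1", "i1", "i1", is_ca=True)
DEEP_LEAF = Cert("CN=deep.example.test", "CN=Toy Sub-CA", "l2", "s1", "s1", dns_names=("deep.example.test",))
```

Calling `verify(LEAF, [OLD_ICA, ICA, SUB_ICA], [ROOT], NOW, "www.example.test")` returns `(True, "ok")`. The leaf without an AKI still validates because the builder backtracks from the rolled-over key, `BAD_NAME` is rejected by the intermediate's permitted subtree, and `DEEP_LEAF` fails the root's pathLenConstraint of 1. A real validator would additionally verify each signature, key usage, policies and revocation at every step.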