Hi all, I'm working on an (unfortunately closed-source) project that needs to closely approximate the behavior of an actual web browser, in the limited scope of making HTTPS connections and accurately warning about certificate problems. So I need to learn about "what real browsers do" and it seems to me that the people on this list are probably some pretty good giants to stand on the shoulders of!
Here's what I've read already:

* Joshua Davies, "Implementing SSL/TLS," chapter 5 ("creating a network of trust using X.509 certificates")
* RFC5280 section 6 (path validation)
* RFC6960 (OCSP)
* RFC6066 section 8 (OCSP stapling)
* RFC6961 (multiple-response OCSP stapling)

So I have an idea of what kinds of protocols and standards are out there, but what I'm missing is how (and to what extent) all these protocols get used in practice by real browsers. I think I have two main questions:

1. In as much detail as possible, what steps does Firefox take to verify certificates? If there's a formal engineering spec that describes the whole process, I'd love a pointer to it. Specifically, I'm interested in questions like: Does Firefox even bother with "traditional" CRLs, or does it rely entirely on OCSP and/or stapling from the server? What X.509 extensions does it pay attention to on the certificates? Does Firefox implement the entirety of RFC5280 section 6, or does it omit things like policy mapping and permitted subtrees? Does it use Authority Key Identifier / Subject Key Identifier, as the RFC suggests, *only* in cases where the issuer/subject DNs are ambiguous, or does it treat the key identifiers (if present) as the primary source of truth?

2. How bad is OpenSSL's certificate-verifying behavior, really? I know you folks felt like you had to write mozilla::pkix from scratch to get the quality you needed. And it's true that I haven't yet tried to make OpenSSL do OCSP, so I'm not sure yet how hard that will be. But just talking about the basic bread and butter of RFC5280 section 6, if we populate the certificate store, turn on SSL_VERIFY_PEER, and just let it do its thing, would we be getting behavior that is 95% the same as what a real browser would do? 80% the same? 40%?

I'd also be happy with pointers to best-practices type documents that you folks trust. What did the people who wrote mozilla::pkix read, as preparation for that project?

Thanks!!
~Ben

_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
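The RFC 5280 section 6 checks the post asks about (name chaining, AKI/SKI as a tie-breaker only, basicConstraints and keyCertSign, pathLenConstraint, validity period, signature), as an added, constructed example that is not part of the original post and is not Firefox, mozilla::pkix or OpenSSL code. It assumes certificates represented as plain dicts and an HMAC over the to-be-signed fields standing in for the issuer's public-key signature; revocation (CRL/OCSP), name constraints and policy processing are left out.

```python
# Added, constructed illustration of the RFC 5280 section 6 checks the post lists;
# not Firefox, mozilla::pkix or OpenSSL code. Certs are dicts and an HMAC over the
# to-be-signed fields stands in for the issuer's public-key signature (assumption).
import hashlib, hmac, json
from datetime import datetime, timezone

def _tbs(cert):  # the fields covered by the signature
    return json.dumps({k: v for k, v in cert.items() if k != "signature"}, sort_keys=True, default=str).encode()

def sign(cert, issuer):  # toy stand-in for the issuer's private-key signature
    cert["signature"] = hmac.new(issuer["key"], _tbs(cert), hashlib.sha256).hexdigest()
    return cert

def validate_path(chain, anchors, now):
    """chain[0] is the end-entity cert, chain[-1] is issued by a trust anchor; returns (ok, reason)."""
    top = chain[-1]
    # Name chaining picks the anchor; AKI/SKI only breaks ties between anchors sharing a subject DN.
    cands = [a for a in anchors if a["subject"] == top["issuer"]]
    if len(cands) > 1 and top.get("aki"):
        cands = [a for a in cands if a.get("ski") == top["aki"]]
    if len(cands) != 1:
        return False, f"no unique trust anchor for issuer {top['issuer']}"
    issuer, max_path_len = cands[0], cands[0].get("path_len")  # None = unconstrained
    for depth, cert in enumerate(reversed(chain)):
        if not issuer.get("ca") or "keyCertSign" not in issuer.get("key_usage", []):
            return False, f"{issuer['subject']}: not a CA permitted to sign certificates"
        if cert["issuer"] != issuer["subject"]:
            return False, f"{cert['subject']}: issuer name does not chain"
        if cert.get("aki") and issuer.get("ski") and cert["aki"] != issuer["ski"]:
            return False, f"{cert['subject']}: AKI does not match issuer SKI"
        if not hmac.compare_digest(cert.get("signature", ""), hmac.new(issuer["key"], _tbs(cert), hashlib.sha256).hexdigest()):
            return False, f"{cert['subject']}: bad signature"
        if not cert["not_before"] <= now <= cert["not_after"]:
            return False, f"{cert['subject']}: outside validity period"
        if depth < len(chain) - 1:  # intermediate CA: RFC 5280 6.1.4 (l) and (m)
            if max_path_len == 0:
                return False, f"{cert['subject']}: pathLenConstraint exceeded"
            max_path_len = None if max_path_len is None else max_path_len - 1
            if cert.get("path_len") is not None and (max_path_len is None or cert["path_len"] < max_path_len):
                max_path_len = cert["path_len"]
            issuer = cert
    return True, "ok"

def demo_chain(year=2024):  # constructed root -> intermediate -> leaf chain, checked as of 1 Jan `year`
    d = lambda y: datetime(y, 1, 1, tzinfo=timezone.utc)
    root = dict(subject="Demo Root", issuer="Demo Root", ski="r1", key=b"root-k", path_len=1,
                ca=True, key_usage=["keyCertSign"], not_before=d(2020), not_after=d(2040))
    inter = sign(dict(subject="Demo CA", issuer="Demo Root", aki="r1", ski="i1", key=b"ca-k",
                      ca=True, key_usage=["keyCertSign"], not_before=d(2021), not_after=d(2031)), root)
    leaf = sign(dict(subject="www.example.com", issuer="Demo CA", aki="i1", ca=False,
                     key_usage=["digitalSignature"], not_before=d(2024), not_after=d(2025)), inter)
    return validate_path([leaf, inter], [root], d(year))
```

Changing the root's `path_len` to 0 makes the same chain fail with "pathLenConstraint exceeded", and editing any field of `inter` or `leaf` after signing fails the signature check.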