Hi all,

I'm working on an (unfortunately closed-source) project that needs
to closely approximate the behavior of an actual web browser, in
the limited scope of making HTTPS connections and accurately warning
about certificate problems. So I need to learn about "what real
browsers do" and it seems to me that the people on this list are
probably some pretty good giants to stand on the shoulders of!

Here's what I've read already:
        * Joshua Davies, "Implementing SSL/TLS," chapter 5 ("creating
          a network of trust using X.509 certificates")
        * RFC5280 section 6 (path validation)
        * RFC6960 (OCSP)
        * RFC6066 section 8 (OCSP stapling)
        * RFC6961 (multiple-response OCSP stapling)
So I have an idea of what kinds of protocols and standards are out
there, but what I'm missing is how (and to what extent) all these
protocols get used in practice by real browsers.

I think I have two main questions:

1. In as much detail as possible, what steps does Firefox take to
   verify certificates? If there's a formal engineering spec that
   describes the whole process, I'd love a pointer to it.

   Specifically, I'm interested in questions like: Does Firefox even
   bother with "traditional" CRLs, or does it rely entirely on OCSP
   and/or stapling from the server? What X.509 extensions does it pay
   attention to on the certificates? Does Firefox implement the
   entirety of RFC5280 section 6 or does it omit things like policy
   mapping and permitted subtrees? Does it use Authority Key
   Identifier / Subject Key Identifier, as the RFC suggests, *only* in
   cases where the issuer/subject DNs are ambiguous, or does it treat
   the key identifiers (if present) as the primary source of truth?

2. How bad is OpenSSL's certificate-verifying behavior, really? I know
   you folks felt like you had to write mozilla::pkix from scratch to
   get the quality you needed. And it's true that I haven't yet tried
   to make OpenSSL do OCSP, so I'm not sure yet how hard that will be.

   But just talking about the basic bread and butter of RFC5280 section
   6, if we populate the certificate store, turn on SSL_VERIFY_PEER,
   and just let it do its thing, would we be getting behavior that is
   95% the same as what a real browser would do? 80% the same? 40%?

I'd also be happy with pointers to best-practices type documents that
you folks trust. What did the people who wrote mozilla::pkix read, as
preparation for that project? 

Thanks!!

        ~Ben
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
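Added example, not from Ben's post and not code from Mozilla, mozilla::pkix or OpenSSL: a Go program that mints a constructed three-level PKI in memory (a root, an intermediate carrying a pathLenConstraint of 0 and a permittedSubtrees name constraint for example.com, and two leaves) and pushes it through Go's crypto/x509 validator, which is a from-scratch RFC 5280 section 6 implementation in the same spirit as mozilla::pkix. Go is used only because it can create the certificates offline; the names, serial numbers and validity periods are made up for the demonstration. The four cases show what a browser-grade validator rejects beyond a bare chain-signature check: a hostname absent from the leaf's subjectAltName, a leaf evaluated past its notAfter, and a leaf whose name falls outside the issuing intermediate's permitted subtree. Feeding the same DER through OpenSSL (X509_STORE plus X509_verify_cert) and diffing the verdicts is one concrete way to measure the agreement the second question asks about.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed in-memory hierarchy for this demonstration only: a self-signed root, an
// intermediate name-constrained to example.com, a proper leaf, and a leaf it may not issue.
type PKI struct{ Root, Inter, Leaf, RogueLeaf *x509.Certificate }

func check(err error) { if err != nil { panic(err) } }

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// issue signs tmpl under parent (self-signed when parent is nil); CreateCertificate copies the
// parent's SubjectKeyId into the child's AuthorityKeyId, so the AKI/SKI linkage is present.
func issue(tmpl, parent *x509.Certificate, key, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

func BuildPKI(now time.Time) *PKI {
	rootKey, interKey, day := newKey(), newKey(), 24*time.Hour
	root := issue(&x509.Certificate{SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: "Example Root CA"}, NotBefore: now.Add(-time.Hour),
		NotAfter: now.Add(3650 * day), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign}, nil, rootKey, nil)
	inter := issue(&x509.Certificate{SerialNumber: big.NewInt(2),
		Subject: pkix.Name{CommonName: "Example Intermediate CA"}, NotBefore: now.Add(-time.Hour),
		NotAfter: now.Add(1825 * day), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
		MaxPathLen: 0, MaxPathLenZero: true, // pathLenConstraint=0: may issue end-entity certs only
		// RFC 5280 4.2.1.10 permittedSubtrees: may only certify names under example.com
		PermittedDNSDomains: []string{"example.com"}, PermittedDNSDomainsCritical: true,
	}, root, interKey, rootKey)
	leaf := func(serial int64, host string) *x509.Certificate { // host goes in subjectAltName dNSName
		return issue(&x509.Certificate{SerialNumber: big.NewInt(serial), DNSNames: []string{host},
			Subject: pkix.Name{CommonName: host}, NotBefore: now.Add(-time.Hour), NotAfter: now.Add(90 * day),
			KeyUsage:    x509.KeyUsageDigitalSignature,
			ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, inter, newKey(), interKey)
	}
	return &PKI{root, inter, leaf(3, "www.example.com"), leaf(4, "www.example.org")}
}

// Verify runs crypto/x509's RFC 5280 path validation for a TLS server certificate: chain building
// with signature checks, validity period, basicConstraints and pathLenConstraint, name
// constraints, extended key usage, and the subjectAltName hostname match a browser also requires.
func Verify(p *PKI, leaf *x509.Certificate, host string, at time.Time) ([][]*x509.Certificate, error) {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.Root)
	inters.AddCert(p.Inter)
	return leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: host,
		CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
}

// Outcome reduces a Verify error to a label that can be compared with another validator's verdict.
func Outcome(err error) string {
	var he x509.HostnameError
	var ce x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &he):
		return "hostname mismatch"
	case errors.As(err, &ce) && ce.Reason == x509.Expired:
		return "expired"
	case errors.As(err, &ce) && ce.Reason == x509.CANotAuthorizedForThisName:
		return "name constraint violated"
	}
	return err.Error()
}

func main() {
	now := time.Now()
	p := BuildPKI(now)
	for _, c := range []struct{ name string; leaf *x509.Certificate; host string; at time.Time }{
		{"valid chain", p.Leaf, "www.example.com", now},
		{"wrong host", p.Leaf, "mail.example.com", now},
		{"clock one year ahead", p.Leaf, "www.example.com", now.Add(365 * 24 * time.Hour)},
		{"leaf outside permitted subtree", p.RogueLeaf, "www.example.org", now},
	} {
		chains, err := Verify(p, c.leaf, c.host, c.at)
		fmt.Printf("%-32s chains=%d %s\n", c.name, len(chains), Outcome(err))
	}
}
```

Run it with `go run .` to print the four verdicts. Two caveats worth keeping in mind when using this as a yardstick: crypto/x509's Verify does no revocation checking at all (it only parses the OCSPServer and CRLDistributionPoints fields and leaves CRL, OCSP and stapled-response handling to the caller), and the hostname check here is driven by subjectAltName, which is also what current browsers match on; a validator that still falls back to the subject CN will accept certificates this one refuses.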
