On Tue, 6 Sep 2016, Kyle Hamilton wrote:

That seems unlikely to me (in that browsers don't really keep a server
cert database).

Has that changed?  I talked with Dan Veditz (at Mozilla) around 5 years
ago regarding the fact that NSS had told me of duplicate serial numbers
being issued by a single issuer, and that as a result Firefox had
refused to permit me to connect to a site and also refused to allow me
to examine the certificate or identify its issuer for myself.  I had to
use OpenSSL to get it.  His action item at the time was to increase
reportability of those issues to Mozilla, because (paraphrased from his
words) "a CA issuing duplicate serial numbers is a violation of all of
the specifications and we need to know about it, to figure out what else
they're doing wrong".

I recently ran into this when NSS rejected an IPsec client certificate
after a libreswan ipsec software upgrade. The upgrade replaced openswan
which used custom X.509 code and did not use NSS and it did accept the
certificate with duplicate serial number.

For IPsec, a separate non-system NSS store is used, so I don't know
how browsers handle this, but the NSS code is there to reject it _if_
it encounters this.

Paul
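The check the thread describes NSS performing (rejecting two certificates from one issuer that share a serial number) can be reproduced offline over a pile of DER certificates. The script below is an added example written for this page, not code from the thread, from NSS or from libreswan: it walks a certificate's DER just far enough to read `serialNumber` and the issuer `Name`, indexes certificates by that pair, and reports collisions. The sample certificates are constructed stubs with a hypothetical issuer name and no real keys or signatures; `issuer_and_serial`, `find_duplicate_serials` and the helper names are this example's own.

```python
"""Flag certificates that reuse a serial number under one issuer.

Added example (not from this thread, NSS, or libreswan): it parses the
outer DER of an X.509 Certificate just far enough to read serialNumber
and the issuer Name, then indexes certificates by (issuer, serial).
The sample certificates below are constructed stubs, not real ones.
"""


def _read_tlv(buf, pos):
    """Decode one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def issuer_and_serial(cert_der):
    """Return (issuer_name_der, serial) from a DER-encoded Certificate."""
    tag, cert, _ = _read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert, 0)       # tbsCertificate
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, value, pos = _read_tlv(tbs, 0)
    if tag == 0xA0:                         # optional [0] EXPLICIT version
        tag, value, pos = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    serial = int.from_bytes(value, "big", signed=True)
    tag, _, pos = _read_tlv(tbs, pos)       # signature AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signature is not a SEQUENCE")
    start = pos
    tag, _, pos = _read_tlv(tbs, pos)       # issuer Name
    if tag != 0x30:
        raise ValueError("issuer is not a SEQUENCE")
    # Assumption: issuers are compared as raw DER (the CA emits canonical
    # DER); a full RFC 5280 Name comparison would also fold string case.
    return tbs[start:pos], serial


def find_duplicate_serials(certs):
    """certs: iterable of (label, der). Return {(issuer, serial): [labels]} for collisions."""
    seen = {}
    for label, der in certs:
        seen.setdefault(issuer_and_serial(der), []).append(label)
    return {key: labels for key, labels in seen.items() if len(labels) > 1}


# --- constructed sample input: DER stubs with no keys or signatures --------

def _tlv(tag, value):
    """Minimal DER encoder for the stubs below."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + value


def _name(common_name):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue, with a single CN."""
    cn_oid = bytes.fromhex("0603550403")                           # 2.5.4.3 commonName
    atv = _tlv(0x30, cn_oid + _tlv(0x0C, common_name.encode()))    # UTF8String value
    return _tlv(0x30, _tlv(0x31, atv))


def _stub_cert(issuer_cn, serial, subject_cn):
    """Certificate stub: version, serial, sigalg, issuer, subject, then a
    placeholder signature. Validity and SubjectPublicKeyInfo are omitted
    because the checker above never reads past the issuer."""
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))                      # v3
    n = serial.bit_length() // 8 + 1                               # keep sign bit clear
    serial_der = _tlv(0x02, serial.to_bytes(n, "big", signed=True))
    sig_alg = _tlv(0x30, bytes.fromhex("06092a864886f70d01010b") + b"\x05\x00")  # sha256WithRSA, NULL
    tbs = _tlv(0x30, version + serial_der + sig_alg + _name(issuer_cn) + _name(subject_cn))
    return _tlv(0x30, tbs + sig_alg + _tlv(0x03, b"\x00\x00"))    # empty BIT STRING as signature


SAMPLE_CERTS = [
    ("host-a", _stub_cert("Example Test CA", 0x1234, "host-a")),
    ("host-b", _stub_cert("Example Test CA", 0x1234, "host-b")),  # same issuer, same serial
    ("host-c", _stub_cert("Example Test CA", 0x1235, "host-c")),
    ("host-d", _stub_cert("Other Test CA", 0x1234, "host-d")),    # same serial, other issuer: allowed
]

if __name__ == "__main__":
    for (_, serial), labels in find_duplicate_serials(SAMPLE_CERTS).items():
        print(f"serial {serial:#x} issued more than once: {labels}")
```

Running it reports the `host-a`/`host-b` collision only: `host-d` reuses the same serial under a different issuer, which is permitted, since uniqueness is required per issuer, not globally. To run it against real material, replace `SAMPLE_CERTS` with `(path, open(path, "rb").read())` pairs of DER files; PEM input would need base64 decoding first.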
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy